Using cloud-init to deploy using vyos-vm-images, using both the default of keep_user=false and explicitly passed with -e keep_user=false, the vyos user/pass remains in the config as well as /etc/passwd, etc/shadow. Note

From documentation, expected results would be that user vyos is removed. Manual intervention is needed in the config as well as OS to remove after deploy.

The password from config is the hased value below.

login {
    user vyos {
        authentication {

{% if cloud_init == "true" and not ( keep_user is defined and keep_user == "true" ) %}

encrypted-password "*"

{% else %}

encrypted-password "$6$MjV2YvKQ56q$QbL562qhRoyUu8OaqrXagicvcsNpF1HssCY06ZxxghDJkBCfSfTE/4FlFB41xZcd/HqYyVBuRt8Zyq3ozJ0dc."

{% endif %}

    plaintext-password ""
}

The /etc/shadow entry is:
vyos:$6$rounds=656000$IFCOpc5cBNZzivPL$8/xzecSEWPfhyg4AJSihvFaK5ZYlDZY0IFWXI4QjV4/ohWCSNOaS9gdKEssovwUkohsy.S9/vRz3DOfGR28vg.:19552:0:99999:7:::