-
|
Hi guys, So when using step ca token, it is possible to supply a password via --provisioner-password-file however is there another way? stdin doesn't seem to work and I can't spot any env variables that are honoured (ideally we'd like to do it without ever dumping the provisioner password onto the target machine, as this is being done via ansible) Any suggestions or should I add support for this and open a PR? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Hi @jwh, The approach we recommend here is to use process substitution. Assuming the env variable itself is well protected, you can safely do something like this: $ STEP_CA_PASSWORD=amazingpw; step ca token ... --provisioner-password-file <(echo -n "$STEP_CA_PASSWORD")See also: Our blog How to Handle Secrets on the Command Line Hope this helps :D |
Beta Was this translation helpful? Give feedback.
-
|
Hiya, I did consider this but I'd rather not use a shell instead of executing step directly - but it may be ok, is there any chance of an env variables being supported for operations like this where some input is required? thanks! |
Beta Was this translation helpful? Give feedback.
-
|
Hi @jwh, thanks for the offer to help here. It's very unlikely that we'll add support for reading a password directly from an environment variable. While env vars can be secure when used correctly, there are a few subtle ways that they can leak secrets. We want to avoid creating subtle foot guns, and a password file is harder to misuse. See the Environment Variables section of this blog post for more details. |
Beta Was this translation helpful? Give feedback.
-
|
Fair enough, thanks for your responses! |
Beta Was this translation helpful? Give feedback.
Hi @jwh,
The approach we recommend here is to use process substitution. Assuming the env variable itself is well protected, you can safely do something like this:
See also: Our blog How to Handle Secrets on the Command Line
Hope this helps :D