jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

JFrog CLI Authentication/Config via Environment #1823

Open Dominic4D opened 1 year ago

Dominic4D commented 1 year ago

Is your feature request related to a problem? Please describe.

Using the JFrog CLI in scripts is problematic for handling credentials. While developers can set up a config, it doesn't seem practical for a CI system like Jenkins to be doing this. The problem with passing in credentials via the JFrog CLI is that when the process is running the keys are shown in the process, and viewable via a monitoring tool like htop. This makes it quite insecure on shared servers.

Describe the solution you'd like to see

Passing in credentials via Environment variables would enable a simple mechanism for scripts to use the CLI in a secure way. In addition, passing in the server/artifactory URL via the environment would add consistency to this approach.

Describe alternatives you've considered

N/A (see original description)

Additional context

(image attachment)

yahavi commented 1 year ago

Hi @Dominic4D, the JFrog CLI supports working with multiple servers. I'm afraid that allowing credentials to be provided this way would make the flows more complex than they are today.

However, we are considering adding a --password-from-stdin flag which allows you to provide the password by stdin. For example:

echo $PASSWORD | jf rt upload --user testuser --password-from-stdin

I checked in htop and I could see only jf rt upload --user testuser --password-from-stdin. I checked in history and I saw this: echo $PASSWORD | jf rt upload --user testuser --password-from-stdin

Obviously, this approach requires a double-check, but this solution may have the potential to solve this issue. Please let us know what you think.

Dominic4D commented 1 year ago

Thanks for the response, @yahavi!

I think that having the Environment variables would provide a fairly elegant interface, though using password via stdin would definitely solve the problem of having exposed credentials when running the JFrog CLI via python scripts (without a config).

thomas-bc commented 1 year ago

Any updates on providing --password-from-stdin ? This would be very useful for CI systems! 👍

sverdlov93 commented 1 year ago

Hi @Dominic4D and @thomas-bc, --access-token-stdin and --password-stdin were added to the JFrog CLI config add command since v2.36.0. You can run echo $PASSWORD | jf config add --url=myurl.com --user testuser --password-stdin. After that, all other JFrog CLI commands will use these server details without any additional flags.

Dominic4D commented 1 year ago

Thank you @sverdlov93, would it be possible to add this option to all of the commands that currently support --password?

For the use case of CI, it is not always convenient to create a config - especially if you want to prevent storing passwords on disk.

yahavi commented 1 year ago

Hello @Dominic4D,

Thank you for your feedback.

The JFrog CLI offers support for config encryption. Here is a use case for your consideration:

  1. When the CI job starts, a random encryption key gets generated and is stored in the JFROG_CLI_ENCRYPTION_KEY environment variable. This variable is only available during the duration of the job.
  2. After that, the command echo $PASSWORD | jf config add --url=myurl.com --user testuser --password-stdin can be executed. The password is securely stored in an encrypted format on the file system.
  3. Subsequently, any JFrog CLI command can be run without having to provide credentials again.

We have automated this process in the new Jenkins JFrog plugin, which you can find at this GitHub link: https://github.com/jfrog/jenkins-jfrog-plugin/pull/57. See also https://github.com/jfrog/jfrog-cli/pull/1875. To implement this in any other CI servers, set the JFROG_CLI_ENCRYPTION_KEY environment variable to a random 32-character key at the beginning of the job.

I hope this clarifies the process. Let me know if you have any further questions.
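The three-step CI flow described above (random per-job JFROG_CLI_ENCRYPTION_KEY, password over stdin, config reused by later commands), written out as an added bash example; this is not JFrog's code or the Jenkins plugin's code. It assumes the CI system injects the secret as JF_PASSWORD, and the server id, URL and user are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not JFrog's code): wire the per-job encryption key and the
# stdin-supplied password from the thread into a CI step.
set -eu

# Generate a random 32-character key for JFROG_CLI_ENCRYPTION_KEY.
# Only alphanumerics are kept so the value exports cleanly without quoting.
generate_encryption_key() {
    head -c 48 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Guard used before exporting: exactly 32 characters, alphanumeric only.
is_valid_encryption_key() {
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Register the server. The password travels over stdin (--password-stdin), so
# it never appears in the argument list that htop or ps would show, and because
# JFROG_CLI_ENCRYPTION_KEY is exported the config written to disk is encrypted.
# JF_PASSWORD is assumed to be a secret injected by the CI system.
configure_jfrog_server() {
    local server_id="$1" url="$2" user="$3"
    printf '%s\n' "$JF_PASSWORD" | jf config add "$server_id" \
        --url="$url" --user="$user" --password-stdin
}

# Full job flow: key for this job only, then config add, then later jf commands
# (e.g. jf rt upload ...) run without credentials on their command line.
run_ci_job() {
    JFROG_CLI_ENCRYPTION_KEY="$(generate_encryption_key)"
    is_valid_encryption_key "$JFROG_CLI_ENCRYPTION_KEY" || {
        echo "refusing to continue: bad encryption key" >&2
        return 1
    }
    export JFROG_CLI_ENCRYPTION_KEY
    configure_jfrog_server ci-server https://myurl.com testuser
}

# Only run the real flow when the CLI and the secret are actually present.
if command -v jf >/dev/null 2>&1 && [ -n "${JF_PASSWORD:-}" ]; then
    run_ci_job
fi
```

Because the key lives only in the job's environment, the encrypted config left on disk is useless to anyone who reads it after the job ends.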