Open Dominic4D opened 1 year ago
Hi @Dominic4D, The JFrog CLI supports working with multiple servers. I'm afraid that allowing providing credentials would make the flows more complex than they are today.
However, we are considering adding a --password-from-stdin flag which allows you to provide the password by stdin. For example:
echo $PASSWORD | jf rt upload --user testuser --password-from-stdin
I checked in htop and I could see only jf rt upload --user testuser --password-from-stdin.
I checked in history and I saw this: echo $PASSWORD | jf rt upload --user testuser --password-from-stdin
Obviously, this approach requires a double-check, but this solution may have the potential to solve this issue. Please let us know what you think.
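The htop check described in the comment above can be reproduced without the JFrog CLI. The following is an added example, not part of the original thread or JFrog's code: a stand-in Python child process plays the role of the CLI, and the script reads that child's /proc/<pid>/cmdline (Linux only), which is the data htop displays. The flag names mirror the thread, and the secret is a constructed value.

```python
import subprocess
import sys
from pathlib import Path

# Hypothetical stand-in for the CLI: waits on stdin, then exits.
CHILD = "import sys; sys.stdin.read()"


def visible_cmdline(pid: int) -> str:
    """Return a process's argv as exposed by Linux /proc (readable by default)."""
    raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    return raw.replace(b"\0", b" ").decode(errors="replace").strip()


def observe(secret: str, via_stdin: bool) -> str:
    """Start the stand-in child and return its command line as a monitor sees it."""
    argv = [sys.executable, "-c", CHILD, "--user", "testuser"]
    argv += ["--password-stdin"] if via_stdin else ["--password", secret]
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        # The child blocks on stdin, so it is still alive while we look.
        return visible_cmdline(proc.pid)
    finally:
        # Equivalent of `echo $PASSWORD | ...`: the secret travels over the pipe.
        proc.communicate(input=secret if via_stdin else "")


if __name__ == "__main__":
    secret = "constructed-secret-123"  # constructed sample value
    print("argv :", observe(secret, via_stdin=False))
    print("stdin:", observe(secret, via_stdin=True))
```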
Thanks for the response, @yahavi!
I think that having the Environment variables would provide a fairly elegant interface, though using password via stdin would definitely solve the problem of having exposed credentials when running the JFrog CLI via python scripts (without a config).
Any updates on providing --password-from-stdin? This would be very useful for CI systems! 👍
Hi @Dominic4D and @thomas-bc,
--access-token-stdin and --password-stdin were added to the JFrog CLI config add command in v2.36.0.
You can run echo $PASSWORD | jf config add --url=myurl.com --user testuser --password-stdin
After that, all other JFrog CLI commands will use these server details without any additional flags.
Thank you @sverdlov93, would it be possible to add this option to all of the commands that currently support --password?
For the use case of CI, it is not always convenient to create a config - especially if you want to prevent storing passwords on disk.
Hello @Dominic4D,
Thank you for your feedback.
The JFrog CLI offers support for config encryption. Here is a use case for your consideration:
JFROG_CLI_ENCRYPTION_KEY environment variable. This variable is only available during the duration of the job.
echo $PASSWORD | jf config add --url=myurl.com --user testuser --password-stdin can be executed. The password is securely stored in an encrypted format on the file system.
We have automated this process in the new Jenkins JFrog plugin, which you can find at this GitHub link: https://github.com/jfrog/jenkins-jfrog-plugin/pull/57. See also https://github.com/jfrog/jfrog-cli/pull/1875.
To implement this in any other CI servers, set the JFROG_CLI_ENCRYPTION_KEY environment variable to a random 32-character key at the beginning of the job.
I hope this clarifies the process. Let me know if you have any further questions.
Is your feature request related to a problem? Please describe.
Using the JFrog CLI in scripts is problematic for handling credentials. While developers can set up a config, it doesn't seem practical for a CI system like Jenkins to be doing this. The problem with passing in credentials via the JFrog CLI is that when the process is running the keys are shown in the process, and viewable via a monitoring tool like htop. This makes it quite insecure on shared servers.
Describe the solution you'd like to see
Passing in credentials via Environment variables would enable a simple mechanism for scripts to use the CLI in a secure way. In addition, passing in the server/artifactory URL via the environment would add consistency to this approach.
Describe alternatives you've considered
N/A (see original description)
Additional context