
JFrog CLI Authentication/Config via Environment #1823

Open
Dominic4D opened this issue Jan 31, 2023 · 6 comments
Labels
feature request New feature or request

Comments

@Dominic4D

Is your feature request related to a problem? Please describe.

Using the JFrog CLI in scripts is problematic for handling credentials. While developers can set up a config, it doesn't seem practical for a CI system like Jenkins to be doing this. The problem with passing in credentials via the JFrog CLI is that when the process is running the keys are shown in the process, and viewable via a monitoring tool like htop. This makes it quite insecure on shared servers.

Describe the solution you'd like to see

Passing in credentials via Environment variables would enable a simple mechanism for scripts to use the CLI in a secure way. In addition, passing in the server/artifactory URL via the environment would add consistency to this approach.

Describe alternatives you've considered

N/A (see original description)

Additional context

(screenshot attached to the original issue)

@Dominic4D Dominic4D added the feature request New feature or request label Jan 31, 2023
@yahavi
Member

yahavi commented Feb 7, 2023

Hi @Dominic4D,
The JFrog CLI supports working with multiple servers. I'm afraid that allowing credentials to be provided this way would make the flows more complex than they are today.

However, we are considering adding a --password-from-stdin flag which allows you to provide the password by stdin. For example:

echo $PASSWORD | jf rt upload --user testuser --password-from-stdin

I checked in htop and I could see only jf rt upload --user testuser --password-from-stdin.
I checked in history and I saw this: echo $PASSWORD | jf rt upload --user testuser --password-from-stdin

Obviously, this approach requires a double-check, but this solution may have the potential to solve this issue.
Please let us know what you think.

@Dominic4D
Author

Thanks for the response, @yahavi!

I think that having the Environment variables would provide a fairly elegant interface, though using password via stdin would definitely solve the problem of having exposed credentials when running the JFrog CLI via python scripts (without a config).

@thomas-bc

Any updates on providing --password-from-stdin ? This would be very useful for CI systems! 👍

@sverdlov93
Contributor

sverdlov93 commented Jul 28, 2023

Hi @Dominic4D and @thomas-bc,
--access-token-stdin and --password-stdin were added to the JFrog CLI config add command since v2.36.0.
You can run echo $PASSWORD | jf config add --url=myurl.com --user testuser --password-stdin
After that, all other JFrog CLI commands will use these server details without any additional flags.

@Dominic4D
Author

Thank you @sverdlov93, would it be possible to add this option to all of the commands that currently support --password?

For the use case of CI, it is not always convenient to create a config - especially if you want to prevent storing passwords on disk.

@yahavi
Member

yahavi commented Aug 2, 2023

Hello @Dominic4D,

Thank you for your feedback.

The JFrog CLI offers support for config encryption. Here is a use case for your consideration:

  1. When the CI job starts, a random encryption key gets generated and is stored in the JFROG_CLI_ENCRYPTION_KEY environment variable. This variable is only available during the duration of the job.
  2. After that, the command echo $PASSWORD | jf config add --url=myurl.com --user testuser --password-stdin can be executed. The password is securely stored in an encrypted format on the file system.
  3. Subsequently, any JFrog CLI command can be run without having to provide credentials again.

We have automated this process in the new Jenkins JFrog plugin, which you can find at this GitHub link: jfrog/jenkins-jfrog-plugin#57. See also #1875.
To implement this in any other CI server, set the JFROG_CLI_ENCRYPTION_KEY environment variable to a random 32-character key at the beginning of the job.

I hope this clarifies the process. Let me know if you have any further questions.
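The three-step flow described in the comment above, written out as a CI job step. This is an added example, not code from the issue thread or from JFrog; it assumes JFROG_URL, JFROG_USER and JFROG_PASSWORD are injected by the CI system as masked secrets, and the server id "ci" is an assumed name. Generating the key from /dev/urandom and feeding the password through the printf builtin keeps both secrets off every command line, so neither shows up in htop or shell history.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or from JFrog). Assumes JFROG_URL,
# JFROG_USER and JFROG_PASSWORD are masked CI secrets; "ci" is an assumed server id.
set -eu

# Step 1: random 32-character alphanumeric key for JFROG_CLI_ENCRYPTION_KEY.
# Read in chunks and loop, so short runs of alphanumerics cannot yield a short key.
gen_encryption_key() {
    local key=""
    while [ "${#key}" -lt 32 ]; do
        key="$key$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$key" | cut -c1-32
}

# Defensive check before exporting: exactly 32 chars, alphanumeric only,
# so the key is safe to place in the environment unquoted.
is_valid_key() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# Step 2: register the server with the password on stdin. printf is a shell
# builtin, so no separate process ever holds the secret in its argv; the
# process table shows only the flags, as in the thread's htop check.
configure_jf_server() {
    printf '%s' "$JFROG_PASSWORD" | jf config add ci \
        --url="$JFROG_URL" --user="$JFROG_USER" \
        --password-stdin --interactive=false
}

# Step 3: later commands read the encrypted config without credentials.
ci_job() {
    JFROG_CLI_ENCRYPTION_KEY="$(gen_encryption_key)"
    is_valid_key "$JFROG_CLI_ENCRYPTION_KEY" || { echo "bad key" >&2; return 1; }
    export JFROG_CLI_ENCRYPTION_KEY   # lives only for this job's environment
    configure_jf_server
    jf rt ping
}

# Run only inside the actual job step (guarded so sourcing the file is harmless).
if [ "${RUN_JF_CI_JOB:-0}" = "1" ]; then
    ci_job
fi
```

The config written by step 2 is encrypted with the job-scoped key, so a copy of the config file left on a shared agent is not usable once the job environment is gone.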
