diff --git a/builtin/credential/ldap/cli.go b/builtin/credential/ldap/cli.go
index e0d744b4c..bb28ecb23 100644
--- a/builtin/credential/ldap/cli.go
+++ b/builtin/credential/ldap/cli.go
@@ -26,12 +26,15 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 }
 password, ok := m["password"]
 if !ok {
- fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
- var err error
- password, err = pwd.Read(os.Stdin)
- fmt.Fprintf(os.Stderr, "\n")
- if err != nil {
- return nil, err
+ password = passwordFromEnv()
+ if password == "" {
+ fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
+ var err error
+ password, err = pwd.Read(os.Stdin)
+ fmt.Fprintf(os.Stderr, "\n")
+ if err != nil {
+ return nil, err
+ }
 }
 }
 
@@ -70,8 +73,9 @@ Usage: vault login -method=ldap [CONFIG K=V...]
 Configuration:
 
 password=
- LDAP password to use for authentication. If not provided, the CLI will
- prompt for this on stdin.
+ LDAP password to use for authentication. If not provided, it will use
+ the VAULT_LDAP_PASSWORD environment variable. If this is not set, the
+ CLI will prompt for this on stdin.
 
 username=
 LDAP username to use for authentication.
@@ -89,3 +93,7 @@ func usernameFromEnv() string {
 }
 return ""
 }
+
+func passwordFromEnv() string {
+ return os.Getenv("VAULT_LDAP_PASSWORD")
+}
diff --git a/changelog/18225.txt b/changelog/18225.txt
new file mode 100644
index 000000000..567c3c78d
--- /dev/null
+++ b/changelog/18225.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI
+```
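Review bot: The new fallback in `Auth` takes the password from `VAULT_LDAP_PASSWORD` silently whenever `password=` is absent, so a stale value left exported in a shell or CI job is submitted on every login and the operator gets no hint that the prompt was skipped. Where the directory enforces a lockout policy, repeated failures of that kind could lock the account. A comment stating the order would help the next reader, e.g. `// Precedence: password= argument, then VAULT_LDAP_PASSWORD, then the interactive prompt.`, and a stderr notice that names the variable but never its value, such as `fmt.Fprintln(os.Stderr, "Using LDAP password from VAULT_LDAP_PASSWORD")`, would make the source visible. The body of `Auth` starts and ends outside this hunk, so how `password` is used afterwards cannot be checked here.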
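Review bot: The updated `password=` help text describes the fallback but not its trade-off: a secret placed in the environment is inherited by every child process started from that shell and, on most systems, can be read by other processes running as the same user, which the hidden prompt avoids. The text also does not say that an empty `VAULT_LDAP_PASSWORD` is treated as unset, which is what the `password == ""` check in `Auth` does. One extra sentence in the help string would cover both, for example `An empty value is ignored. Environment variables are inherited by child processes; prefer the prompt on shared hosts.`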
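Review bot: `passwordFromEnv` is added without a doc comment, and the variable name is a bare string literal that the help text spells out a second time. Suggest `// passwordFromEnv returns the value of VAULT_LDAP_PASSWORD, or "" when it is unset or empty.` above the function, and a package-level `const envLDAPPassword = "VAULT_LDAP_PASSWORD"` passed to `os.Getenv`. Since `os.Getenv` cannot distinguish unset from empty, the comment should say that the caller's `== ""` check is what triggers the prompt. `usernameFromEnv`, whose tail is the context of this hunk, begins outside it.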