Can credentials be stored in Mitto and then called as part of a cmd job? If so, how would this be done?
Hey @ben.schenck , command jobs do not currently support this functionality. One reason not to support this is that it would make it trivial for anyone to get cleartext creds by writing a script that echos the cleartext. There may be ways to leverage stored credentials in the ENV but they may all suffer from a similar weakness. Some ideas:
- Use a credential manager (such as gopass https://www.gopass.pw/) and call it from a cmd job to get creds
- Create another user on the instance named
secure. Create a script to run from the cmd job. The script would contain embedded cleartext creds and it would be execute-only for the mitto user. One would have to have the password for the secure user to be able to read the creds. This would prevent the mitto user from ever seeing the creds (unless, of course, the sudo’d to root).
Ultimately, we don’t want to create a scenario where credentials are easy to obtain by anyone thru a command job.