I’d like to be able to write scripts that do a vault login with Okta, where I provide the password via stdin rather than (insecurely) including the password in cleartext as a command-line argument.
The problem is that when vault reads the password from stdin, it doesn’t complete the MFA negotiation. Specifically, this command:
echo -n $MY_PASSWORD | vault login -address $MY_VAULT_URL -method=okta username=$MY_USERNAME password=-
produces this output:
A login request was issued that is subject to MFA validation. Please make sure
to validate the login by sending another request to sys/mfa/validate endpoint.
WARNING! The following warnings were returned from Vault:
* A login request was issued that is subject to MFA validation. Please
make sure to validate the login by sending another request to mfa/validate
endpoint.
…and does not update ~/.vault-token, nor (as far as I can tell) even create a new vault token.
(Yes, I know that echo command leaks secrets in exactly the way I don’t want vault to. I’ll be doing it differently in real life; this is for the sake of a simple demonstration.)
I’ve also tried:
echo -n '{"username": "'$MY_USERNAME'", "password": "'$MY_PASSWORD'"}' | vault login -address $MY_VAULT_URL -method=okta -
but it fails, in exactly the same way. It does not complete the MFA.
I’ve also tried:
echo -n $MY_PASSWORD | vault login -address $MY_VAULT_URL -method=okta username=$MY_USERNAME
(i.e., don’t provide any password args at all). In this case, vault will prompt for the password and read it from stdin… but only if stdin is a terminal. The output is:
Password (will be hidden):
Error authenticating: file descriptor 0 is not a terminal
To be explicit, here’s my question: Is there a way to get vault to read the password from stdin and complete the login process when MFA is involved (as with -method=okta)? In other words, get it to do the same work it already does when I (insecurely) do the following?
vault login -address $MY_VAULT_URL -method=okta username=$MY_USERNAME password=$MY_PASSWORD
BTW: This question is similar to issue #12610, and that issue did get me past some of the early hurdles. Who’d have read the documentation and thought the proper syntax was password=-?