Pragmatism in the real world

Command line access to the Mac Keychain with keyring

While reading Alex Chan’s post about experimenting with the Flickr API, I noticed the call out to keyring by Jason Coombs for accessing the macOS Keychain.

The built-in app: security

The built-in way to access the keychain from the command line is /usr/bin/security:

To create a password:

$ security add-generic-password -s FlickrAPI -a rodeo -w redacted-key

Note that you need to include the password on the command line in clear text, so it’s now in your shell history unless you remembered to include a space before security (and your shell is configured to skip space-prefixed commands).

Then, to retrieve it:

$ security find-generic-password -s FlickrAPI -a rodeo -w
redacted-key

Not especially difficult, but not the easiest to remember.

Keyring makes it simpler

To set a password using keyring:

$ keyring set FlickrAPI caledonia
Password for 'caledonia' in 'FlickrAPI': 

It doesn’t display your password as you enter it, so no history issues to worry about.

Again, retrieving is simpler too:

$ keyring get FlickrAPI rodeo
redacted-key

Rather usefully, it also works on Windows and Linux in addition to Mac, utilising the appropriate backend. You can even use it with other backends.

As with Alex’s use-case, I can see how this is a nice tool for using in CLI scripts to get access to API keys or other secrets while keeping them secure.
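As an added example (not code from the original post or from the keyring project), here is one way a Python CLI script could read the key stored above through keyring's get_password call, failing closed when the entry is missing and masking the value in any output. The names get_secret, redact and MissingSecret are illustrative, not part of keyring.

```python
"""Added example: fetch an API key from the OS keychain inside a CLI script."""
import sys


class MissingSecret(RuntimeError):
    """Raised when the keychain has no entry for the service/account pair."""


def _keyring_lookup(service, account):
    # Imported lazily so the helpers below can be exercised with a stub
    # lookup on machines where the keyring package is not installed.
    import keyring
    return keyring.get_password(service, account)


def get_secret(service, account, lookup=_keyring_lookup):
    """Return the stored secret, failing closed if it is absent or empty."""
    value = lookup(service, account)
    # keyring.get_password() returns None when no entry exists; never let
    # that reach an HTTP client as the literal string "None".
    if not value:
        raise MissingSecret(
            f"no secret for {account!r} in {service!r}; "
            f"store one with: keyring set {service} {account}"
        )
    return value


def redact(secret, keep=4):
    """Mask a secret for log output, showing at most the last `keep` chars."""
    if len(secret) <= keep * 2:
        return "*" * len(secret)  # too short to reveal any of it safely
    return "*" * (len(secret) - keep) + secret[-keep:]


def main():
    service, account = "FlickrAPI", "rodeo"  # service/account names from the post
    try:
        key = get_secret(service, account)
    except MissingSecret as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    # Log only the masked form; pass `key` itself straight to the API client.
    print(f"loaded key {redact(key)} for {account}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Passing a different lookup callable lets the script be tested without touching a real keychain.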