Pragmatism in the real world

Command line access to the Mac Keychain with keyring

While reading Alex Chan’s post about experimenting with the Flickr API, I noticed the call out to keyring by Jason Coombs for accessing the macOS Keychain.

The built-in app: security

The built-in way to access the keychain from the command line is /usr/bin/security.

To create a password:

$ security add-generic-password -s FlickrAPI -a rodeo -w redacted-key

Note that you need to include the password on the command line in clear text, so it’s now in your shell history unless you remembered to include a space before security.

Then, to retrieve it:

$ security find-generic-password -s FlickrAPI -a rodeo -w

Not especially difficult, but not the easiest to remember.

Keyring makes it simpler

To set a password using keyring:

$ keyring set FlickrAPI caledonia
Password for 'caledonia' in 'FlickrAPI': 

It doesn’t display your password as you enter it, so no history issues to worry about.

Again, retrieving is simpler too:

$ keyring get FlickrAPI rodeo

Rather usefully, it also works on Windows and Linux in addition to Mac, utilising the appropriate backend. You can even use it with other backends.

As with Alex’s use-case, I can see how this is a nice tool to use in CLI scripts to get access to API keys or other secrets while keeping them secure.
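One way a CLI script could use this, as an added example that is not from the original post: the helper names get_secret and with_secret are hypothetical, and only the keyring get and security find-generic-password calls shown above are used. The secret is fetched at run time, the script fails closed when nothing is stored, and the value is handed to the child command through its environment rather than on a command line.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# get_secret SERVICE ACCOUNT
# Prints the secret on stdout; tries keyring, then macOS /usr/bin/security.
# Returns 1 and prints nothing on stdout when no non-empty value is found.
get_secret() {
    [ "$#" -eq 2 ] || { echo "usage: get_secret SERVICE ACCOUNT" >&2; return 2; }
    gs_value=
    if command -v keyring >/dev/null 2>&1; then
        gs_value=$(keyring get "$1" "$2" 2>/dev/null) || gs_value=
    fi
    if [ -z "$gs_value" ] && command -v security >/dev/null 2>&1; then
        gs_value=$(security find-generic-password -s "$1" -a "$2" -w 2>/dev/null) || gs_value=
    fi
    if [ -z "$gs_value" ]; then
        echo "get_secret: nothing stored for '$2' in '$1'" >&2
        return 1
    fi
    printf '%s\n' "$gs_value"
}

# with_secret VAR SERVICE ACCOUNT COMMAND [ARGS...]
# Runs COMMAND with the secret in environment variable VAR for that command
# only. The export happens in a subshell, so the calling shell never has VAR
# set and the secret never appears as a command-line argument.
# Usage (upload.sh is a hypothetical script):
#   with_secret FLICKR_API_KEY FlickrAPI rodeo ./upload.sh
with_secret() {
    [ "$#" -ge 4 ] || { echo "usage: with_secret VAR SERVICE ACCOUNT COMMAND [ARGS...]" >&2; return 2; }
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "with_secret: bad variable name" >&2; return 2 ;;
    esac
    ws_var=$1
    ws_value=$(get_secret "$2" "$3") || return 1
    shift 3
    ws_status=0
    ( export "$ws_var=$ws_value"; exec "$@" ) || ws_status=$?
    unset ws_value
    return "$ws_status"
}
```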
