vault auth should not show token in output

[blalor]

The vault auth command returns the token to the console. This strikes me as an anti-pattern, especially when users don't grasp the importance and sensitivity of the Vault token: I've had more than one user share the output of vault auth with others.

[jefferai]

What do you suggest should be done instead? While we could probably add a flag to suppress this output, novice users won't know to use it anyways.

[andrewsav-bt]

@jefferai I'd like a flag, so it's not stored in the log. I'm using vault CLI as part of a provisioning process that kicks off from TeamCity powershell script. TeamCity collects stdout / stderr to execution log. This information is valuable in case vault auth command fails for any reason. However, storing the succesfully generating token in the log file is something that I'd like to avoid. Currently it's quite binary, I can suppress the whole output (/dev/null) or I can include the whole output, including the token. I'd like to have a middle ground.

[jefferai]

I don't understand what you're asking for. The auth command is meant to be interactive. If it's not printed, what is the behavior you're looking for? Why not just use the API directly in that case?

[AndrewSav]

@jefferai

I don't understand what you're asking for.

I'm supporting your idea of adding a flag to suppress the output of the token.

Why not just use the API directly in that case?

Vault cli is easy to use. Calling API directly with powershell can be problematic (not many examples around the net, not easy to get support, since it's not a mainstream use case) the powershell wrapper is less then ideal, since it tries to mimic the cli, which in my view a bit pointless.

[jefferai]

The output of the command is easily suppressed via normal shell mechanisms.

[ericfrederich]

Can we re-open this issue until there is documentation for this? The documentation for login doesn't mention this feature.

[jefferai]

It's in the output of vault login -h. I'll add it to the docs though, no need to reopen.

[tino]

What is the use of Token (will be hidden): that is displayed, when the token is echoed right back at you.

I would say hiding this should be the default. Usually you don't care about the token, as it is stored for you and you can interact with vault without actually knowing or accessing it.

[wernerfred]

100% agree. It is really confusing seeing the extra added message (will be hidden) but then printing it directly after hitting enter 😕 💻

[modbender]

Is it possible to login silently?