This is a bit of a rant on software usability and security. CLIs like kubectl/awscli/<add your critical tool here> don't use keyring to store credentials, instead using plain text files, besides requiring me to retype passwords over and over.

Any good reason to avoid keyring? Please enlighten me

FYI: I've learned today that poetry (the python thing) uses keyring for credentials. Good job!
Might be a bit of a chicken-and-egg thing, but the org.freedesktop.secrets options on Linux are still not satisfactory and a blocker for adoption IMO.

AFAIK the only mature enough implementations are those available in linux repos, namely gnome-keyring, kwallet (KDE), and keepassxc. So it's not really an option for many use-cases. Backups and syncing are hacky or badly supported and documented. Granular control likewise. I don't recall the details right now but IIRC the API itself had some problematic and/or annoying aspect to it when I looked into it. I also suspect that for many, dbus does not spark joy and relying on it for secrets is not attractive.

There are some early implementations I'm aware of that might work in practice and with enough engagement could become viable:

    https://github.com/yousefvand/secret-service
    https://github.com/mdellweg/pass_secret_service
    https://github.com/nullobsi/pass-secrets
I'm also keeping an eye out on Himitsu, which I guess you could say is attempting a more holistic approach: https://himitsustore.org/
Don't know about kube, but awscli and a few others decouple the idea of getting credentials and doing the actions. You can use the password directly through them every time, but a better way is to either use the preconfigured profile or some wrapper which does use the keychain. For example https://github.com/99designs/aws-vault/ supports one-off commands and shell sessions with pre-populated tokens. There's also similar cf-vault.

Terraform also can be configured to use environment variables (and I'm sure other utilities) which allows a similar "use a separate tool for creds" approach.

(kube apparently has https://github.com/chrisns/kubectl-passman)
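The "separate tool for creds" approach from the comment above, as an added example that is not code from the thread or from aws-vault: awscli can be pointed at an external program via the `credential_process` setting in `~/.aws/config` (a feature the thread does not mention), and this script answers that call by reading the keys out of the Secret Service keyring with the libsecret `secret-tool` CLI instead of from a plain-text `~/.aws/credentials`. The keyring attribute names (service=aws, profile=<name>, field=<key>) are a constructed convention, and `secret-tool` is assumed to be installed.

```python
"""Keyring-backed credential_process helper for awscli.

Wire it up with, e.g.:  credential_process = /path/to/aws_keyring_creds.py prod
in the matching [profile prod] section of ~/.aws/config.
"""
import json
import subprocess
import sys
from typing import Callable, Optional

# A lookup takes (profile, field) and returns the stored value or None.
Lookup = Callable[[str, str], Optional[str]]


def secret_tool_lookup(profile: str, field: str) -> Optional[str]:
    """Read one field for a profile from the default Secret Service keyring
    (attribute convention service=aws/profile=.../field=... is constructed)."""
    proc = subprocess.run(
        ["secret-tool", "lookup", "service", "aws", "profile", profile, "field", field],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None  # item absent, keyring locked, or secret-tool missing
    return proc.stdout.strip() or None


def credential_process_output(profile: str, lookup: Lookup = secret_tool_lookup) -> dict:
    """Build the Version 1 JSON document awscli expects from a credential_process."""
    access_key = lookup(profile, "access_key_id")
    secret_key = lookup(profile, "secret_access_key")
    if not access_key or not secret_key:
        raise LookupError(f"no credentials for profile {profile!r} in the keyring")
    doc = {"Version": 1, "AccessKeyId": access_key, "SecretAccessKey": secret_key}
    token = lookup(profile, "session_token")
    if token:  # temporary credentials: pass the token and, if stored, its expiry
        doc["SessionToken"] = token
        expiration = lookup(profile, "expiration")
        if expiration:
            doc["Expiration"] = expiration
    return doc


def main(argv=None) -> int:
    args = sys.argv[1:] if argv is None else argv
    profile = args[0] if args else "default"
    try:
        print(json.dumps(credential_process_output(profile)))
    except LookupError as exc:
        print(exc, file=sys.stderr)  # nothing secret goes to stderr
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

awscli only ever sees the JSON on stdout, so the long-lived keys never land in a file it owns, and a locked keyring simply makes the command fail.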
At least with gnome-keyring, it doesn't seem able to limit keyring access to only "good" program executables (how would it identify them? And their linked libs...), so using the keyring won't give much security benefit?