CLI tool with access to connection strings?
So, I have a normal web API with auth setup. There are different roles, and you can authenticate with a bearer token, standard stuff.
I also have a CLI tool used by system admins, that is able to use the API - it just asks the CLI user for a username/pw and authenticates with the API and saves the bearer and refresh tokens to be reused for a while.
The issue now is that I would like the CLI to be able to access some services/databases without having to go through the API. And I cannot really figure out a good/secure way of doing this. Unlike the API token, the connection strings will not expire so I do not want to save them anywhere on the CLI computer.
So what would be a good way of doing this?
My ideas (and why i dont like it)
- Let the API expose the functionality that the CLI wants to perform, and just call the API instead of going directly from CLI to database/service. (I don't want to burden the API with both the extra code and the performance load that this will do)
- Return the connection strings from an API endpoint, in some encrypted format that can be saved safely to disk by the CLI and reused, preferably with some sort of expiry time (i have no idea how)
I also have a CLI tool used by system admins, that is able to use the API - it just asks the CLI user for a username/pw and authenticates with the API and saves the bearer and refresh tokens to be reused for a while.
The issue now is that I would like the CLI to be able to access some services/databases without having to go through the API. And I cannot really figure out a good/secure way of doing this. Unlike the API token, the connection strings will not expire so I do not want to save them anywhere on the CLI computer.
So what would be a good way of doing this?
My ideas (and why i dont like it)
- Let the API expose the functionality that the CLI wants to perform, and just call the API instead of going directly from CLI to database/service. (I don't want to burden the API with both the extra code and the performance load that this will do)
- Return the connection strings from an API endpoint, in some encrypted format that can be saved safely to disk by the CLI and reused, preferably with some sort of expiry time (i have no idea how)
