MySQL Shell 8.0  /  Getting Started with MySQL Shell  /  Pluggable Password Store

4.4 Pluggable Password Store

To make working with MySQL Shell more fluent and secure, you can persist the password for a server connection in a secret store, such as a keychain. You enter the password for a connection interactively, and it is stored together with the server URL as the credentials for that connection. For example:

mysql-js> \connect user@localhost:3310
Creating a session to 'user@localhost:3310'
Please provide the password for 'user@localhost:3310': ********
Save password for 'user@localhost:3310'? [Y]es/[N]o/Ne[v]er (default No): y

Once the password for a server URL is stored, whenever MySQL Shell opens a session to that URL it retrieves the password from the configured Secret Store Helper and logs in to the server without prompting for it. The same holds for a script executed by MySQL Shell. If no Secret Store Helper is configured, the password is requested interactively.

Important

MySQL Shell persists the server URL and password only by means of a Secret Store; it never persists the password on its own.

Passwords are persisted only when they are entered at the prompt. A password supplied in a URI-like connection string, or on the command line when running mysqlsh, is not persisted.

The maximum password length that is accepted for connecting to MySQL Shell is 128 characters.

MySQL Shell provides built-in support for the following Secret Stores:

  • MySQL login-path (helper name login-path), which is available on all platforms supported by the MySQL server. It is provided by the MySQL configuration utility mysql_config_editor, which stores credentials persistently in an obfuscated login path file (.mylogin.cnf); because the file is obfuscated rather than strongly encrypted, its file permissions are what protect the stored passwords from other local users. See mysql_config_editor — MySQL Configuration Utility. In releases before MySQL Shell 8.0.30, mysql_config_editor is available as long as the MySQL client package is installed on the system. From MySQL Shell 8.0.30, Linux builds of MySQL Shell bundle mysql_config_editor so that the functionality can be used even if the MySQL client package is not installed on the system.

  • macOS keychain (helper name keychain).

  • Windows API, that is, the Windows Credential Manager (helper name windows-credential).

When MySQL Shell is running in interactive mode, password retrieval is performed whenever a new session is initiated and a password would otherwise have to be prompted for. Before prompting, the Secret Store Helper is queried for a password using the session's URL. If a match is found, that password is used to open the session. If the retrieved password is rejected by the server, a message is added to the log, the password is erased from the Secret Store, and MySQL Shell prompts you for a password.

If MySQL Shell is running in noninteractive mode (for example, when --no-wizard was used), password retrieval is performed in the same way as in interactive mode. In this case, however, if the Secret Store Helper does not yield a valid password, MySQL Shell does not prompt but tries to open the session without a password.

The password for a server URL can be stored whenever a successful connection to a MySQL server is made and the password was not retrieved by the Secret Store Helper. Whether it is actually stored is decided by the credentialStore.savePasswords and credentialStore.excludeFilters options (set through shell.options).

Automatic password storage and retrieval is performed when:

  • mysqlsh is invoked with any connection options, when establishing the first session

  • you use the built-in \connect command

  • you use the shell.connect() method

  • you use any AdminAPI methods that require a connection
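The retrieval and storage rules above, worked through as an added example that is not MySQL Shell's own code. An in-memory stand-in for a Secret Store Helper and a fake server replace the real keychain and MySQL server, so the sequence retrieve, verify, erase on rejection, prompt, then decide whether to save runs offline; the account table, URLs and passwords are constructed for the demonstration. It assumes that credentialStore.excludeFilters entries match URLs as glob patterns and applies the 128-character limit to the prompted password; the behaviour in a noninteractive session and for a password given in the URI follows the text above.

```python
"""Model of the credential-store flow described on this page (added illustration,
not MySQL Shell's own code). An in-memory stand-in for a Secret Store Helper and a
fake server let the retrieve -> verify -> erase/prompt -> save decision run offline.
Assumptions: excludeFilters entries match as glob patterns; the 128-character limit
is applied to the prompted password."""
from fnmatch import fnmatchcase

MAX_PASSWORD_LEN = 128  # limit stated on the page


class SecretStoreHelper:
    """Stand-in for login-path / macOS keychain / Windows API: password keyed by URL."""
    def __init__(self):
        self._secrets = {}
    def get(self, url):
        return self._secrets.get(url)
    def store(self, url, password):
        self._secrets[url] = password
    def erase(self, url):
        self._secrets.pop(url, None)
    def urls(self):
        return sorted(self._secrets)


class FakeServer:
    """Constructed account table: url -> password ('' means the account has none)."""
    def __init__(self, accounts):
        self.accounts = accounts
    def authenticate(self, url, password):
        return url in self.accounts and self.accounts[url] == (password or "")


def is_excluded(url, exclude_filters):
    """credentialStore.excludeFilters: a matching pattern disables saving for that URL."""
    return any(fnmatchcase(url, pattern) for pattern in exclude_filters)


def open_session(url, server, helper, *, save_passwords="prompt", exclude_filters=(),
                 interactive=True, uri_password=None, ask_password=None, ask_save=None):
    """Return (connected, log). ask_password/ask_save stand in for the prompts;
    uri_password models a password given in the URI or on the command line."""
    log = []
    # Password supplied in the connection string / command line: used, never persisted.
    if uri_password is not None:
        return server.authenticate(url, uri_password), log
    # Query the Secret Store Helper first, if one is configured.
    if helper is not None and (stored := helper.get(url)) is not None:
        if server.authenticate(url, stored):
            return True, log  # retrieved password: nothing to save
        log.append(f"stored password for '{url}' rejected; erased from secret store")
        helper.erase(url)
    # Non-interactive mode (--no-wizard): no prompt, try to connect without a password.
    if not interactive:
        return server.authenticate(url, None), log
    # Interactive: prompt, enforce the length limit, verify.
    password = ask_password(url)
    if len(password) > MAX_PASSWORD_LEN or not server.authenticate(url, password):
        return False, log
    # Entered manually and accepted: persist only if policy allows.
    if helper is None or save_passwords == "never" or is_excluded(url, exclude_filters):
        return True, log
    if save_passwords == "always" or (save_passwords == "prompt" and ask_save(url)):
        helper.store(url, password)
        log.append(f"saved password for '{url}'")
    return True, log


def demo():
    """Run the cases the page describes; return the observations for checking."""
    server = FakeServer({"user@localhost:3310": "s3cret", "app@db.example:3306": "app-pw",
                         "guest@db.example:3306": ""})
    helper, prompts, out = SecretStoreHelper(), [], {}

    def ask(url):                    # records each interactive password prompt
        prompts.append(url)
        return server.accounts[url]  # the user types the account's current password

    # Manual entry, answered Yes to "Save password?": stored for next time.
    out["first"], _ = open_session("user@localhost:3310", server, helper,
                                   ask_password=ask, ask_save=lambda u: True)
    # Same URL again: retrieved from the helper, no prompt.
    out["second"], _ = open_session("user@localhost:3310", server, helper, ask_password=ask)
    out["prompts_so_far"] = len(prompts)
    # Password rotated on the server: stored one rejected and erased, user prompted again.
    server.accounts["user@localhost:3310"] = "rotated"
    out["rotated"], out["rotated_log"] = open_session("user@localhost:3310", server, helper,
                                                      ask_password=ask, ask_save=lambda u: False)
    # excludeFilters wins over savePasswords=always.
    out["excluded"], _ = open_session("app@db.example:3306", server, helper, save_passwords="always",
                                      exclude_filters=["*@db.example:*"], ask_password=ask)
    # Password in the URI: connects, but nothing is saved and nobody is prompted.
    out["uri"], _ = open_session("app@db.example:3306", server, helper,
                                 save_passwords="always", uri_password="app-pw")
    # Non-interactive: the passwordless account connects, the protected one does not.
    out["guest_nowizard"], _ = open_session("guest@db.example:3306", server, helper, interactive=False)
    out["app_nowizard"], _ = open_session("app@db.example:3306", server, helper, interactive=False)
    out["stored"], out["prompts"] = helper.urls(), len(prompts)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the rotation case is the security-relevant one: a stored password that the server rejects is erased rather than retried, so a stale secret does not linger in the keychain. In a real MySQL Shell session the policy knobs are the credentialStore.helper, credentialStore.savePasswords and credentialStore.excludeFilters entries of shell.options, and the stored state is inspected and managed with shell.listCredentials() and shell.deleteCredential(url) instead of the stand-in helper used here.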