MySQL Shell 9.0  /  ...  /  Pluggable Password Configuration Options

4.4.1 Pluggable Password Configuration Options

To configure the pluggable password store, use the shell.options interface, see Section 13.4, “Configuring MySQL Shell Options” . The following options configure the pluggable password store.

shell.options.credentialStore.helper = "login-path"

A string which specifies the Secret Store Helper used to store and retrieve the passwords. By default, this option is set to a special value default which identifies the default helper on the current platform. Can be set to any of the values returned by shell.listCredentialHelpers() method. If this value is set to invalid value or an unknown Helper, an exception is raised. If an invalid value is detected during the startup of mysqlsh, an error is displayed and storage and retrieval of passwords is disabled. To disable automatic storage and retrieval of passwords, set this option to the special value <disabled>, for example by issuing:

shell.options.set("credentialStore.helper", "<disabled>")

When this option is disabled, usage of all of the credential store MySQL Shell methods discussed here results in an exception.

shell.options.credentialStore.savePasswords = "value"

A string which controls automatic storage of passwords. Valid values are:

  • always - passwords are always stored, unless they are already available in the Secret Store or server URL matches credentialStore.excludeFilters value.

  • never - passwords are not stored.

  • prompt - in interactive mode, if the server URL does not match the value of shell.credentialStore.excludeFilters, you are prompted if the password should be stored. The possible answers are yes to save this password, no to not save this password, never to not save this password and to add the URL to credentialStore.excludeFilters. The modified value of credentialStore.excludeFilters is not persisted, meaning it is in effect only until MySQL Shell is restarted. If MySQL Shell is running in noninteractive mode (for example the --no-wizard option was used), the credentialStore.savePasswords option is always never.

The default value for this option is prompt.

shell.options.credentialStore.excludeFilters = ["*@myserver.com:*"];

A list of strings specifying which server URLs should be excluded from automatic storage of passwords. Each string can be either an explicit URL or a glob pattern. If a server URL which is about to be stored matches any of the strings in this options, it is not stored. The valid wildcard characters are: * which matches any number of any characters, and ? which matches a single character.

The default value for this option is an empty list.