Command
Command authentication profiles allow you to retrieve credentials dynamically by executing shell commands. This enables integration with external secret managers like 1Password CLI, HashiCorp Vault, AWS Secrets Manager, and any custom credential retrieval scripts.
Key Benefits
- Secret Manager Integration: Connect to 1Password, Vault, AWS Secrets Manager, etc.
- Dynamic Credentials: Retrieve fresh credentials on each connection
- Custom Scripts: Use any script or CLI tool that outputs credentials
- Environment Variables: Connection details are available as environment variables
- Credential Caching: Optional caching to reduce secret manager calls
Configuration Options
Command
The shell command to execute. Connection configuration values are available as environment variables:
| Variable | Description |
|---|---|
| `${host}` | Database host |
| `${port}` | Database port |
| `${database}` | Database name |
| `${name}` | Connection name |
| `${driver}` | Database driver type |
Output Format
Text Output
- Password only: Command outputs just the password
- Username:Password: Command outputs `username:password` separated by a colon
JSON Output
- Parse structured JSON with configurable field paths
- Supports nested paths like `data.credentials.password`
Credential Caching
| Mode | Description |
|---|---|
| No caching | Execute command every time |
| Fixed TTL | Cache for specified duration (seconds) |
| From output | Use expiry timestamp from JSON output |
Example Commands
Here are example commands for popular secret managers:
1Password CLI
```bash
op read "op://Private/PostgreSQL Production/password"
```
HashiCorp Vault
```bash
vault kv get -format=json secret/databases/production | jq -r '.data.data'
```
Use JSON output format with username and password fields.
AWS Secrets Manager
```bash
aws secretsmanager get-secret-value --secret-id prod/db/credentials --query SecretString --output text
```
Use JSON output format to parse the returned secret.
Azure Key Vault
```bash
az keyvault secret show --vault-name my-vault --name db-password --query value -o tsv
```
Bitwarden CLI
```bash
bw get password database-production
```
Doppler
```bash
doppler secrets get DB_PASSWORD --plain
```
Custom Script
Your script receives connection details as environment variables:
```bash
#!/bin/bash
# Available: DB_HOST, DB_PORT, DB_DATABASE, DB_NAME, DB_DRIVER
# fetch_password stands in for your own retrieval command.
# Values containing quotes or backslashes must be JSON-escaped before being embedded here.
echo "{\"user\": \"app_${DB_DATABASE}\", \"pass\": \"$(fetch_password "$DB_HOST")\"}"
```
JSON Output Format
When using JSON output, your command should return a JSON object:
```json
{
  "username": "db_user",
  "password": "secret123",
  "expiresAt": 1699900000000
}
```
Nested Fields
Use dot notation for nested JSON paths. For example, if your command returns:
```json
{
  "data": {
    "credentials": {
      "user": "admin",
      "pass": "secret"
    }
  }
}
```
Set the username field to `data.credentials.user` and the password field to `data.credentials.pass`.
Advanced Options
- Timeout: Maximum time to wait for the command to complete (default: 30 seconds)
- Working Directory: Directory where the command runs (defaults to workspace root)
Supported Databases
Command authentication profiles can be used with any database that supports username/password authentication:
- PostgreSQL, MySQL, MariaDB
- SQL Server, Oracle
- MongoDB
- And all other databases with password auth
Troubleshooting
“Command timed out”
Cause: Command took longer than the timeout setting.
Solutions:
- Increase the timeout value in advanced settings
- Ensure the secret manager CLI is responsive
- Check network connectivity to the secret manager
“Command failed with exit code X”
Cause: The command returned a non-zero exit code.
Solutions:
- Test the command manually in your terminal
- Check that the CLI tool is installed and authenticated
- Verify the secret path/name is correct
“Failed to parse JSON output”
Cause: Command output is not valid JSON.
Solutions:
- Test the command manually and verify JSON output
- Ensure no extra text is output before/after the JSON
- Use `jq` or similar tools to extract clean JSON
“Username/password field not found”
Cause: The specified JSON field path doesn’t exist in the output.
Solutions:
- Verify the JSON structure of your command output
- Check the field path for typos
- Use the correct dot notation for nested fields
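To check a command's output before saving a profile, the sketch below applies the text and JSON output rules described on this page and raises the two parse errors listed under Troubleshooting. It is an added example, not the product's own parser; the function names, the first-colon split in text mode and the sample outputs are assumptions made for illustration.

```python
import json

def resolve_path(doc, path):
    """Follow a dot-notation path (e.g. data.credentials.pass) through nested objects."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"Username/password field not found: {path}")
        node = node[key]
    return node

def parse_output(raw, fmt="text", user_path="username", pass_path="password",
                 expiry_path=None):
    """Return (username, password, expires_at) from a command's stdout."""
    raw = raw.strip()
    if fmt == "text":
        # Assumption: split on the first colon only, so "user:pa:ss" keeps "pa:ss".
        # A password-only output that contains a colon is ambiguous in text mode;
        # JSON output avoids that.
        user, sep, password = raw.partition(":")
        return (user, password, None) if sep else (None, raw, None)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Typical cause: a CLI banner or warning printed before or after the JSON.
        raise ValueError("Failed to parse JSON output") from exc
    expires = resolve_path(doc, expiry_path) if expiry_path else None
    return resolve_path(doc, user_path), resolve_path(doc, pass_path), expires

def redacted(creds):
    """Summarise a result for logging without exposing the password."""
    user, password, expires = creds
    return {"username": user, "password_length": len(password), "expiresAt": expires}

if __name__ == "__main__":
    # Constructed sample outputs, modelled on the JSON shown on this page.
    nested = '{"data": {"credentials": {"user": "admin", "pass": "secret"}}}'
    flat = '{"username": "db_user", "password": "secret123", "expiresAt": 1699900000000}'
    print(redacted(parse_output(nested, "json", "data.credentials.user",
                                "data.credentials.pass")))
    print(redacted(parse_output(flat, "json", expiry_path="expiresAt")))
    print(redacted(parse_output("db_user:pa:ss\n")))
    for bad in ("Warning: token expires soon\n" + flat, "{}"):
        try:
            parse_output(bad, "json")
        except (ValueError, KeyError) as err:
            print("rejected:", err)
```

Pipe the real command's output into `parse_output` and log only `redacted(...)`, so the password never lands in terminal scrollback or CI logs.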