Command

Retrieve database credentials from external secret managers, password vaults, or custom scripts using shell commands.

Command authentication profiles allow you to retrieve credentials dynamically by executing shell commands. This enables integration with external secret managers like 1Password CLI, HashiCorp Vault, AWS Secrets Manager, and any custom credential retrieval scripts.

Key Benefits

  • Secret Manager Integration: Connect to 1Password, Vault, AWS Secrets Manager, etc.
  • Dynamic Credentials: Retrieve fresh credentials on each connection
  • Custom Scripts: Use any script or CLI tool that outputs credentials
  • Environment Variables: Connection details are available as environment variables
  • Credential Caching: Optional caching to reduce secret manager calls

Configuration Options

Command

The shell command to execute. Connection configuration values are available as environment variables:

Variable       Description
${host}        Database host
${port}        Database port
${database}    Database name
${name}        Connection name
${driver}      Database driver type

Output Format

Text Output

  • Password only: Command outputs just the password
  • Username:Password: Command outputs the username and password separated by a colon (username:password)

JSON Output

  • Parse structured JSON with configurable field paths
  • Supports nested paths like data.credentials.password

Credential Caching

Mode           Description
No caching     Execute command every time
Fixed TTL      Cache for specified duration (seconds)
From output    Use expiry timestamp from JSON output

Example Commands

Here are example commands for popular secret managers:

1Password CLI

op read "op://Private/PostgreSQL Production/password"

HashiCorp Vault

vault kv get -format=json secret/databases/production | jq -r '.data.data'

Use JSON output format with username and password fields.

AWS Secrets Manager

aws secretsmanager get-secret-value --secret-id prod/db/credentials --query SecretString --output text

Use JSON output format to parse the returned secret.

Azure Key Vault

az keyvault secret show --vault-name my-vault --name db-password --query value -o tsv

Bitwarden CLI

bw get password database-production

Doppler

doppler secrets get DB_PASSWORD --plain

Custom Script

Your script receives connection details as environment variables:

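#!/bin/bash
# Available: DB_HOST, DB_PORT, DB_DATABASE, DB_NAME, DB_DRIVER
# fetch_password is a placeholder for your own retrieval command.
# jq builds the JSON so quotes or backslashes in the password are escaped correctly.
jq -n --arg user "app_${DB_DATABASE}" --arg pass "$(fetch_password "$DB_HOST")" '{user: $user, pass: $pass}'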

JSON Output Format

When using JSON output, your command should return a JSON object:

{
  "username": "db_user",
  "password": "secret123",
  "expiresAt": 1699900000000
}

Nested Fields

Use dot notation for nested JSON paths. For example, if your command returns:

{
  "data": {
    "credentials": {
      "user": "admin",
      "pass": "secret"
    }
  }
}

Set the username field to data.credentials.user and password field to data.credentials.pass.

Advanced Options

  • Timeout: Maximum time to wait for command to complete (default: 30 seconds)
  • Working Directory: Directory where the command runs (defaults to workspace root)

Supported Databases

Command authentication profiles can be used with any database that supports username/password authentication:

  • PostgreSQL, MySQL, MariaDB
  • SQL Server, Oracle
  • MongoDB
  • And all other databases with password auth

Troubleshooting

“Command timed out”

Cause: Command took longer than the timeout setting.

Solutions:

  • Increase the timeout value in advanced settings
  • Ensure the secret manager CLI is responsive
  • Check network connectivity to the secret manager

“Command failed with exit code X”

Cause: The command returned a non-zero exit code.

Solutions:

  • Test the command manually in your terminal
  • Check that the CLI tool is installed and authenticated
  • Verify the secret path/name is correct

“Failed to parse JSON output”

Cause: Command output is not valid JSON.

Solutions:

  • Test the command manually and verify JSON output
  • Ensure no extra text is output before/after the JSON
  • Use jq or similar tools to extract clean JSON

“Username/password field not found”

Cause: The specified JSON field path doesn’t exist in the output.

Solutions:

  • Verify the JSON structure of your command output
  • Check the field path for typos
  • Use the correct dot notation for nested fields
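
The troubleshooting steps above ask you to run the command by hand and inspect its JSON, which puts the password on your screen and in your scrollback. The following preflight check is an added example, not the tool's own code: it runs a command, resolves the dot-notation field paths, and reports only field lengths and time to expiry. The function names are hypothetical, and it assumes the expiry field holds epoch milliseconds, as the sample value 1699900000000 suggests.

```python
import json
import subprocess
import time


def resolve(doc, path):
    """Follow a dot-notation path such as data.credentials.pass."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            raise KeyError(path)
        doc = doc[key]
    return doc


def check_output(raw, user_path="username", pass_path="password",
                 expiry_path=None, now_ms=None):
    """Validate JSON command output; the report never contains the secret."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return {"ok": False, "error": "Failed to parse JSON output"}
    report = {"ok": True}
    for label, path in (("username", user_path), ("password", pass_path)):
        try:
            value = resolve(doc, path)
        except KeyError:
            return {"ok": False, "error": f"{label} field not found: {path}"}
        if not isinstance(value, str) or not value:
            return {"ok": False, "error": f"{label} is not a non-empty string"}
        report[f"{label}_length"] = len(value)  # length only, never the value
    if expiry_path:
        try:
            # Assumption: expiry is epoch milliseconds, like the page's sample value.
            remaining_ms = int(resolve(doc, expiry_path)) - (now_ms or time.time() * 1000)
        except (KeyError, TypeError, ValueError):
            return {"ok": False, "error": f"expiry field unusable: {expiry_path}"}
        report["seconds_until_expiry"] = int(remaining_ms // 1000)
    return report


def run_and_check(command, timeout=30, **paths):
    """Run the profile command through the shell and check what it printed."""
    try:
        proc = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "Command timed out"}
    if proc.returncode != 0:
        return {"ok": False, "error": f"Command failed with exit code {proc.returncode}"}
    return check_output(proc.stdout, **paths)
```

A negative seconds_until_expiry means the command returned a credential that has already expired, which would defeat the "From output" caching mode.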