vcert
`vcert getcred` does not prompt for password when stdout is redirected
PROBLEM SUMMARY
When stdout is redirected (for example in a script), the password prompt for vcert getcred does not show up.
STEPS TO REPRODUCE
Normal usage:
vcert getcred -u $TPP_URL --username $USER --format json
Enter password for cfiguerola:****
With stdout piped:
vcert getcred -u $TPP_URL --username $USER --format json | jq .access_token
< does not show anything or return >
EXPECTED RESULTS
The password prompt should still show up (maybe on stderr) and the output should be passed to stdout.
ACTUAL RESULTS
No progress; even entering the password blind does not work.
ENVIRONMENT DETAILS N/A
COMMENTS/WORKAROUNDS
As a workaround I can read the password and pass it as a parameter, but this shows the password in ps and it's less secure overall:
echo "Getting venafi token"
read -r -s -p "Password for $TPP_USER: " TPP_PASSWORD
echo   # read -s suppresses the newline after the prompt
TOKEN=$(vcert getcred \
-u "$TPP_URL" \
--username "$TPP_USER" \
--password "$TPP_PASSWORD" \
--format json | jq -r .access_token)
unset TPP_PASSWORD   # drop the secret from the shell once it has been used
Reclassifying as an enhancement because the getcred action was not designed to support this use case. One of the major reasons that token authentication was introduced in TPP was to get away from API applications having access to username/password because a compromised username/password is capable of a lot more than a compromised token. The recommended model is one where an access token and (ideally) a refresh token are obtained for an application out-of-band rather than as part of any kind of startup script that relies on username/password.
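An added example, not vcert's own code and not posted by anyone in this thread, of the startup script the comment above recommends, which also serves the workaround in the report: the script holds only a refresh token obtained once out of band, exchanges it for an access token with vcert getcred and writes the rotated refresh token back, and its one-time interactive bootstrap prompts on stderr and reads from /dev/tty, so it keeps working when stdout is piped to jq (the behaviour the report asks for). It assumes vcert's `-t <refresh-token>` form of getcred, that `--format json` prints a flat object with `access_token` and `refresh_token` fields, and hypothetical defaults for TPP_URL and TOKEN_STORE.

```shell
#!/bin/sh
# Added example (not vcert's own code): a startup wrapper for the token-only
# model. Assumes vcert getcred accepts -t <refresh-token> and prints a flat
# JSON object with "access_token" and "refresh_token"; TPP_URL and
# TOKEN_STORE below are hypothetical defaults.
set -eu

TPP_URL="${TPP_URL:-https://tpp.example.com}"
TOKEN_STORE="${TOKEN_STORE:-${HOME:-.}/.vcert/refresh_token}"

# Extract one string field from a flat JSON object on stdin. Enough for
# getcred's single-level output without a jq dependency; not a JSON parser.
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Prompt on stderr and read from the terminal itself rather than stdin/stdout,
# so the prompt is visible and answered even when stdout is piped to jq.
read_password() {
  printf 'Password for %s: ' "$1" >&2
  trap 'stty echo < /dev/tty' EXIT INT TERM   # never leave echo switched off
  stty -echo < /dev/tty
  read -r pw < /dev/tty
  stty echo < /dev/tty
  echo >&2
  printf '%s' "$pw"
}

# Persist the refresh token with mode 0600, written to a temp file and renamed
# so an interrupted write cannot leave an empty store behind.
save_refresh_token() {
  store="$1" token="$2"
  [ -n "$token" ] || { echo "getcred returned no refresh_token" >&2; return 1; }
  mkdir -p "$(dirname "$store")"
  ( umask 077; printf '%s\n' "$token" > "$store.tmp.$$" && mv "$store.tmp.$$" "$store" )
}

# One-time, interactive: trade the password for a token pair and keep only the
# refresh token on disk. Run by hand, never from the startup path.
bootstrap() {
  user="$1" store="$2"
  pw="$(read_password "$user")"
  out="$(vcert getcred -u "$TPP_URL" --username "$user" --password "$pw" --format json)"
  unset pw
  save_refresh_token "$store" "$(printf '%s' "$out" | json_field refresh_token)"
}

# Startup path: refresh token in, access token out (only that goes to stdout),
# and the rotated refresh token written back to the store.
get_access_token() {
  store="$1"
  [ -r "$store" ] || { echo "no refresh token at $store; run bootstrap first" >&2; return 1; }
  out="$(vcert getcred -u "$TPP_URL" -t "$(cat "$store")" --format json)"
  access="$(printf '%s' "$out" | json_field access_token)"
  [ -n "$access" ] || { echo "getcred returned no access_token" >&2; return 1; }
  refresh="$(printf '%s' "$out" | json_field refresh_token)"
  [ -z "$refresh" ] || save_refresh_token "$store" "$refresh"
  printf '%s\n' "$access"
}

case "${1:-}" in
  bootstrap) bootstrap "${2:?username}" "$TOKEN_STORE" ;;
  token)     get_access_token "$TOKEN_STORE" ;;
esac
```

Run `sh getcred.sh bootstrap "$TPP_USER"` once from a terminal, then `TOKEN="$(sh getcred.sh token)"` from the startup script; only the access token reaches stdout, everything else goes to stderr. The refresh token still appears briefly in ps as a command-line argument, which is the same exposure the report complains about for the password; the difference the comment above draws is that a leaked token is scoped and revocable where a leaked password is not, so the store file still needs to be protected (0600 here).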
That does make sense, I guess there's not a lot of difference between this and using the --tpp-user flag in the enroll command, which is deprecated.
Username/password authentication has long been deprecated and will not be available starting with TPP 24.1. We are not going to work on this issue.