feat(auth/ldap): allow passing the LDAP password via an env var (#18225)

* feat(auth/ldap): allow passing the LDAP password via an environment variable when authenticating via the CLI

* chore(auth/ldap): add changelog entry for PR 18225

builtin/credential/ldap/cli.go

@@ -26,6 +26,8 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 	}
 	password, ok := m["password"]
 	if !ok {
+		password = passwordFromEnv()
+		if password == "" {
 			fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
 			var err error
 			password, err = pwd.Read(os.Stdin)
@@ -34,6 +36,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 				return nil, err
 			}
 		}
+	}
 
 	data := map[string]interface{}{
 		"password": password,
@@ -70,8 +73,9 @@ Usage: vault login -method=ldap [CONFIG K=V...]
 Configuration:
 
   password=<string>
-      LDAP password to use for authentication. If not provided, the CLI will
+      LDAP password to use for authentication. If not provided, it will use
-      prompt for this on stdin.
+			the VAULT_LDAP_PASSWORD environment variable. If this is not set, the
+			CLI will prompt for this on stdin.
 
   username=<string>
       LDAP username to use for authentication.
@@ -89,3 +93,7 @@ func usernameFromEnv() string {
 	}
 	return ""
 }
+
+func passwordFromEnv() string {
+	return os.Getenv("VAULT_LDAP_PASSWORD")
+}

changelog/18225.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI
+```