feat(auth/ldap): allow passing the LDAP password via an env var (#18225)

* feat(auth/ldap): allow passing the LDAP password via an environment variable when authenticating via the CLI

* chore(auth/ldap): add changelog entry for PR 18225

builtin/credential/ldap/cli.go

@@ -26,12 +26,15 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 	}
 	password, ok := m["password"]
 	if !ok {
-		fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
+		password = passwordFromEnv()
-		var err error
+		if password == "" {
-		password, err = pwd.Read(os.Stdin)
+			fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
-		fmt.Fprintf(os.Stderr, "\n")
+			var err error
-		if err != nil {
+			password, err = pwd.Read(os.Stdin)
-			return nil, err
+			fmt.Fprintf(os.Stderr, "\n")
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 
@@ -70,8 +73,9 @@ Usage: vault login -method=ldap [CONFIG K=V...]
 Configuration:
 
   password=<string>
-      LDAP password to use for authentication. If not provided, the CLI will
+      LDAP password to use for authentication. If not provided, it will use
-      prompt for this on stdin.
+			the VAULT_LDAP_PASSWORD environment variable. If this is not set, the
+			CLI will prompt for this on stdin.
 
   username=<string>
       LDAP username to use for authentication.
@@ -89,3 +93,7 @@ func usernameFromEnv() string {
 	}
 	return ""
 }
+
+func passwordFromEnv() string {
+	return os.Getenv("VAULT_LDAP_PASSWORD")
+}

changelog/18225.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI
+```