
How to pull a password from Keychain to use in a script Apps
Quite some time ago, I needed to create a script which would mount a network volume. I did not want to hardcode the username and password into the script, so I kept looking for ways to accomplish this using OS X's built-in Keychain. The following example uses a script to mount a network volume, using variables for the currently logged-in user, and fetches that user's password from the Keychain. Of course, you can do other things with this approach, so I figured it might be of use to someone out there.

The following is a combination of these 2 links:

This script takes the name of the currently logged-in user and pulls that user's password from the Keychain. It then mounts a share using the variables, without a hardcoded username/password. The mount point is deliberately not in /Volumes, because mounting the volume would not work for User B when Fast User Switching is in use and User A remains logged in without having unmounted the volume. echo $USER gives the username of the currently logged-in user.
$(get_pw) expands to the password retrieved from the user's keychain.

In this case I am mounting an AFP volume, but it could be any other protocol, as well as something completely different which has nothing to do with mounting volumes.

get_pw () {
  # -g prints the "password: ..." line on stderr and the item's attributes on stdout;
  # "2>&1 >/dev/null" sends only stderr down the pipe, where ruby extracts the value.
  security 2>&1 >/dev/null find-generic-password -ga $USER \
  | ruby -e 'print $1 if STDIN.gets =~ /^password: "(.*)"$/'
}
# Mount point inside the user's home rather than /Volumes (see the explanation below).
mkdir ~/Data
# The server name was lost from the original hint; SERVER is a placeholder to fill in.
SERVER=afp-server.example.com
mount -t afp afp://$USER:$(get_pw)@$SERVER/Data ~/Data
Before running this script you have to create a new entry using Keychain Access with the username and its (server) password.

The steps are as follows:

Manually create a Keychain entry for the AFP user account. To do so, open Keychain Access and hit cmd+n. The Keychain Item Name does not matter, but Account and Password have to be filled out with the user's username and password. That is the login info of the AFP account on the server!

Then create a shell script the way you prefer. I usually use pico, but there's also a "Run Shell Script" workflow in Automator if you want to use it. The script is shown above. Here's a short explanation of what's happening in the script:

We issue the security command, which is able to read information from the keychain. The get_pw function wraps that command, so $(get_pw) expands to the password it retrieved from the keychain. That's why you need to create the keychain entry mentioned above. Instead of hardcoding which user's password to get, we use another variable called $USER. This always represents the currently logged-in user (try echo $USER in Terminal as an example). In the next step we create the mount point, but instead of the default location (/Volumes) we use ~/ to ensure the mount point is inside the user's home. This prevents the mount point from already being in use when using Fast User Switching. The last step then mounts the desired share using both variables. In my case that is the share Data on the server, which will be mounted at ~/Data.

In order for this to work you need to use network user accounts (Open Directory, LDAP, Active Directory, etc.) OR use the exact same username (the password does not matter) for the local account and the account on the AFP server. That is because $USER will always return the currently logged-in user's name, which will be the local account if you are not using network accounts. In my case it was perfect that way, because I use network accounts anyway. You could always replace $USER in the script with jon.doe, at the cost of losing the flexibility of the solution. I wanted a script without hardcoded usernames or passwords which could get the needed information dynamically from the keychain, which is exactly what this does.
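The procedure above as an added example in POSIX sh (not the hint author's script). It also handles one output form the hint's regex misses: when the stored password contains a backslash or non-ASCII bytes, "security ... -g" prints it as "password: 0x<hex>" followed by an escaped rendering rather than as a quoted string. The server name, the sample output and the jon.doe account are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not the hint author's script: the same steps in POSIX sh, plus
# handling of the one output form the hint's regex misses. When the stored
# password contains a backslash or non-ASCII bytes, `security ... -g` prints
# "password: 0x<hex>" followed by an escaped rendering instead of a quoted string.
SERVER="afp-server.example.com"   # placeholder; the hint does not name its server
SHARE="Data"                      # the share mounted in the hint

# Extract the password from whatever `security find-generic-password -g` printed
# (stdout, stderr or both), decoding the hex form back to the exact bytes.
# Prints nothing and returns 1 if there is no password line.
parse_security_pw() {
  line=$(printf '%s\n' "$1" | grep '^password: ' | head -n 1)
  case "$line" in
    'password: 0x'*)
      hex=${line#password: 0x}
      hex=${hex%% *}                   # drop the quoted rendering after the hex
      while [ ${#hex} -ge 2 ]; do
        pair=${hex%"${hex#??}"}        # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"
      done ;;
    'password: "'*'"')
      pw=${line#password: \"}
      printf '%s' "${pw%\"}" ;;
    *) return 1 ;;
  esac
}

# Constructed sample of the output for an item created as in step 1 above.
SAMPLE_PLAIN='keychain: "/Users/jon.doe/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="jon.doe"
password: "s3cret pass"'
# Constructed hex-form sample; the stored password is the three bytes a \ b.
SAMPLE_HEX='password: 0x615C62  "a\134b"'

# Mount $SHARE from $SERVER at ~/Data for the logged-in user, as the hint does.
# The password is part of mount's argument list, so other local users can read
# it with `ps` while mount runs; keep that in mind on shared machines.
mount_data_share() {
  out=$(security find-generic-password -ga "$USER" 2>&1 >/dev/null) || return 1
  pw=$(parse_security_pw "$out") || { echo "no keychain item for $USER" >&2; return 1; }
  mkdir -p "$HOME/$SHARE"
  mount -t afp "afp://$USER:$pw@$SERVER/$SHARE" "$HOME/$SHARE"
}
# The keychain is only read when the script is invoked as: sh mount_data.sh mount
if [ "${1:-}" = "mount" ]; then mount_data_share; fi
```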

How to pull a password from Keychain to use in a script
Authored by: szedula on Jul 24, '13 07:26:08PM

In csh or tcsh, this could be done as:

# csh/tcsh version of the hint's script; $sys is the AFP server name, left blank here
set sys=""
# |& merges stderr (where -g prints the password line) into the pipe; awk's $2 is the
# quoted token, so a password containing spaces would be cut at the first space
set pw = `security find-generic-password -ga $USER |& grep password | awk '{print $2}' | sed -e s/\"//g`
if (! -d $HOME/Data) mkdir $HOME/Data
mount -t afp afp://${USER}:$pw@$sys/Data $HOME/Data

Things I noted while playing with this:
+ The mounted volume also shows up on the Desktop, but I guess that is because my Finder preferences include "Connected servers" under "Show these items on the desktop". "df" reports the mount is in my home directory, not in "/Volumes", as desired.
+ "$HOME/Data" becomes an alias that eventually goes back to being a folder after unmounting.
+ Avoids something like "/Volumes/Data" and "/Volumes/Data-1" if I mount a shared volume with the same name as a volume on my system. But doesn't solve the confusion in Applescripts. Still can't tell the difference between the two mounted volumes with the same name. Both are treated as something like: of disk "Data"
+ Learned the "|&" in csh or tcsh combines "stdout" and "stderr"

Tested with: Mac OS X 10.6.8

How to pull a password from Keychain to use in a script
Authored by: sr105 on Jul 25, '13 04:48:01PM

Your command could be simplified to:
security ... | sed -En '/^password: / s,^password: "(.*)"$,\1,p'

# No if() required:
mkdir -p $HOME/Data

Update: or as martin suggested, use -w with security.

Edited on Jul 25, '13 04:51:37PM by sr105

How to pull a password from Keychain to use in a script
Authored by: martinv2 on Jul 24, '13 09:29:43PM

Thanks for pointing out the security command. Just looked into the documentation, and I think security find-generic-password's -w switch could replace -g and the ruby/awk magic. Not tested, though.

How to pull a password from Keychain to use in a script
Authored by: mike_savory on Jul 25, '13 05:23:10PM

Yes, this just gives you the password, no grep/awk/sed required.

$ security find-generic-password -wa $USER

Or if you wanted to stay with the original and just use AWK (like the previous poster used SED) then this also works with Bash (just for info, and because I like AWK)

$ security find-generic-password -ga $USER 2>&1 | awk 'BEGIN{FS="\042"} /password/ {print $2}'

It tells AWK to use " as a field separator (the FS = 042 bit), matches the password line, and prints the second item on that line, using " to count items.
