MySQL Shell 9.4
To make working with MySQL Shell more fluent and secure you can persist the password for a server connection using a secret store, such as a keychain. You enter the password for a connection interactively and it is stored with the server URL as credentials for the connection. For example:
mysql-js>\connect user@localhost:3310Creating a session to 'user@localhost:3310' Please provide the password for 'user@localhost:3310':********Save password for 'user@localhost:3310'? [Y]es/[N]o/Ne[v]er (default No):y
Once the password for a server URL is stored, whenever MySQL Shell opens a session it retrieves the password from the configured Secret Store Helper to log in to the server without having to enter the password interactively. The same holds for a script executed by MySQL Shell. If no Secret Store Helper is configured the password is requested interactively.
MySQL Shell only persists the server URL and password through the means of a Secret Store and does not persist the password on its own.
Passwords are only persisted when they are entered manually. If a password is provided using either a server URI-like connection string or at the command line when running mysqlsh it is not persisted.
The maximum password length that is accepted for connecting to MySQL Shell is 128 characters.
MySQL Shell provides built-in support for the following Secret Stores:
MySQL login-path, which is available on all platforms
supported by the MySQL server. It is provided by the MySQL
configuration utility mysql_config_editor
which offers persistent storage. See
mysql_config_editor — MySQL Configuration Utility. Linux builds of
MySQL Shell bundle mysql_config_editor so
that the functionality can be used if the MySQL client package
is not installed on the system.
macOS keychain, see here.
Windows API, see here.
When MySQL Shell is running in interactive mode, password retrieval is performed whenever a new session is initiated and the user is going to be prompted for a password. Before prompting, the Secret Store Helper is queried for a password using the session's URL. If a match is found this password is used to open the session. If the retrieved password is invalid, a message is added to the log, the password is erased from the Secret Store and MySQL Shell prompts you for a password.
If MySQL Shell is running in noninteractive mode (for example
--no-wizard was used), password
retrieval is performed the same way as in interactive mode. But in
this case, if a valid password is not found by the Secret Store
Helper, MySQL Shell tries to open a session without a password.
The password for a server URL can be stored whenever a successful
connection to a MySQL server is made and the password was not
retrieved by the Secret Store Helper. The decision to store the
password is made based on the
credentialStore.savePasswords and
credentialStore.excludeFilters described here.
Automatic password storage and retrieval is performed when:
mysqlsh is invoked with any connection options, when establishing the first session
you use the built-in \connect command
you use the shell.connect() method
you use any AdminAPI methods that require a connection