Problem:
I would like to use python's keyring
library in a headless Linux environment, specifically a Debian 9 GCP compute instance. I have a cron job that wakes up every so often to run a python script (... which utilizes keyring to retrieve passwords to various resources).
The problem is that the python script will prompt for the user's keyring
password before allowing the python script to proceed. This does not work as the script is executed as a background cron process. Interestingly, running this same script in a Windows environment is not an issue, presumably because the process (user) is already authenticated.
Research:
I've only found one StackOverflow post (here) and the official online documentation (here - 'Using Keyring on headless Linux systems') that has a short section on how to run keyring in a headless linux environment.
The StackOverflow post covers how to do this with pgcli
, but not any arbitrary command line tool (e.g. my python script), thus I did not find it helpful.
Similarly, I have not been able to successfully reproduce the steps (it feels like there are steps missing?) in the doc to effect. Explicitly, after doing dbus-run-session -- sh
, I run gnome-keyring-daemon --unlock
, but the dbus-run-session just appears to hang and does not appear to execute anything).
Questions:
1) Does anyone have, can provide clear instructions on how to run keyring
in a headless Debian Linux environment, given my above scenario? Explicitly - no password prompting. I would really appreciate very explicit, step by step instructions if possible.
2) If not, I am using keyring
to retrieve passwords to various resources (e.g. postgres, remote API keys, etc.). I was hoping to secure these in a keyring, but if not possible what would be the recommended alternative? I read a few StackOverflow posts on storing data such as this in environment variables, but that is not recommended. I also feel that creating a config file and then encrypting it seems heavy.
Any help is appreciated. Thank you kindly -
I've just tried it the instructions you pointed to and they worked. gnome-keyring-daemon --unlock
is not hanging, it's reading your password from stdin, i.e. you need to finish your password with enter and press Ctrl-D. The newline you've entered thus does not appear to become part of the password.
It seems that the first time you run it, you are setting the password. On subsequent runs there is no feedback by gnome-keyring-daemon if the password should be wrong, but obviously your program will not be able to connect later.