
automated mongodump: how to hide password from ps output?


Okay, so we have the mongodump tool, and it has a --password option. Everything works great, except that this plain password is visible in ps output to everybody.

Our database has plain user/password authentication.

The only thing that I found to work is doing it like this:

echo secretpwd |  mongodump --username backup --oplog

No trace of the password in ps, and it still works.

Is there any better way?


Solution

  • From the docs:

    Changed in version 3.0.2: If you wish mongodump to prompt the user for the password, pass the --username option without --password or specify an empty string as the --password value, as in --password "".

    Seems like what you are doing is the recommended way.

    Also, this can help further:

    If the secret doesn't change between executions, use a special configuration file, ".appsecrets". Set the permissions of the file to be read-only by owner. Inside the file set an environment variable to the secret. The file needs to be in the home directory of the user running the command.
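The two pieces above combined, as an added example that is not part of the original answer: a wrapper that refuses to use the secrets file unless it is owner-only, then feeds the password to mongodump on stdin as in the question. The variable name MONGO_BACKUP_PASSWORD, the MONGODUMP override and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: owner-only secrets file + password on stdin (never in argv).
# Assumed file content (hypothetical variable name):
#   MONGO_BACKUP_PASSWORD='...'

# Succeeds only for a regular, non-symlink file owned by us with mode 600/400.
# The file is sourced later, so a writable or foreign file means code execution.
check_secrets_file() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by the current user" >&2; return 1; }
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600|400) return 0 ;;
        *) echo "$f: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# run_backup SECRETS_FILE [extra mongodump options...]
run_backup() {
    secrets=$1; shift
    check_secrets_file "$secrets" || return 1
    # Subshell: the secret never lands in the calling shell's variables.
    (
        . "$secrets"
        [ -n "${MONGO_BACKUP_PASSWORD:-}" ] || { echo "no password set" >&2; exit 1; }
        # The variable is not exported, so it is not copied into the
        # environment of mongodump or any other child process.
        # printf is a shell builtin: no process is spawned with the
        # password in its argument list, so ps has nothing to show.
        printf '%s\n' "$MONGO_BACKUP_PASSWORD" |
            "${MONGODUMP:-mongodump}" --username backup --oplog "$@"
    )
}

# Entry point for cron: "backup.sh --run". Without it, only functions are defined.
if [ "${1:-}" = "--run" ]; then run_backup "$HOME/.appsecrets"; fi
```

Pass the secrets file as an absolute path, since `.` searches PATH for names without a slash.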