Securely pass credentials to command-line utility

curl -s 'https://api.cloudflare.com/client/v4/zones/{zone_identifier}/logpush/jobs' \
-H "X-Auth-Email: carl@example.com" \
-H "X-Auth-Key: abc123"

If I run this, the secret string abc123 leaks up in three places:

• Shell history
• Terminal output
• ps output

I can replace the hardcoded password with something like $(pass show cloudflare-api-key), in which case the password only leaks in ps output. This is still bad, as an unprivileged daemon on my machine could steal my credentials.

Is there a handy way to pass credentials to a command-line utility in an ad-hoc fashion such that the credential doesn't leak to ps either?

Curl can read flags from stdin, so assuming your password doesn't contain newlines:

pass show cloudflare-api-key \
  | sed -ne 's/"/\\"/g' -e '1s/.*/-H "X-Auth-Key: &"/p' \
  | curl -K- <other options>

Files in pass may include other fields below the password, so I made sure that sed only shows the first line. The sed expression is pretty simple: first we escape all of the double quotes inside the password, then we put the password inside curl -H option's argument. This can be easily extended to pull other fields, like email, from pass as well:

$ printf %s\\n '12"3' 'email: foo@bar.com' \
  | sed -ne 's/"/\\"/g' -e '1s/.*/-H "X-Auth-Key: &"/p' -e 's/^email: \(.*\)/-H "X-Auth-Email: "/p'
-H "X-Auth-Key: 12\"3"
-H "X-Auth-Email: foo@bar.com"