stackitcloud · cgoetz-inovex · Apr 22, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 14, 2026
@@ -22,7 +22,7 @@ stackit beta alb observability-credentials update CREDENTIAL_REF_ARG [flags]
 ```
   -d, --displayname string   Displayname for the credentials
   -h, --help                 Help for "stackit beta alb observability-credentials update"
-      --password string      Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string      Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
   -u, --username string      Username for the credentials
 ```
 

@@ -35,6 +35,7 @@ stackit beta cdn distribution create [flags]
       --blocked-ips strings                       Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')
       --bucket                                    Use Object Storage backend
       --bucket-credentials-access-key-id string   Access Key ID for Object Storage backend
+      --bucket-password string                    Bucket-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --bucket-region string                      Region for Object Storage backend
       --bucket-url string                         Bucket URL for Object Storage backend
       --default-cache-duration string             ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)
@@ -44,6 +45,7 @@ stackit beta cdn distribution create [flags]
       --http-origin-request-headers strings       Origin request headers for HTTP backend in the format 'HeaderName: HeaderValue', repeatable. WARNING: do not store sensitive values in the headers!
       --http-origin-url string                    Origin URL for HTTP backend
       --loki                                      Enable Loki log sink for the CDN distribution
+      --loki-password string                      Loki-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --loki-push-url string                      Push URL for log sink
       --loki-username string                      Username for log sink
       --monthly-limit-bytes int                   Monthly limit in bytes for the CDN distribution

@@ -24,6 +24,7 @@ stackit beta cdn distribution update [flags]
       --blocked-ips strings                       Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')
       --bucket                                    Use Object Storage backend
       --bucket-credentials-access-key-id string   Access Key ID for Object Storage backend
+      --bucket-password string                    Bucket-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --bucket-region string                      Region for Object Storage backend
       --bucket-url string                         Bucket URL for Object Storage backend
       --default-cache-duration string             ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)
@@ -33,6 +34,7 @@ stackit beta cdn distribution update [flags]
       --http-origin-request-headers strings       Origin request headers for HTTP backend in the format 'HeaderName: HeaderValue', repeatable. WARNING: do not store sensitive values in the headers!
       --http-origin-url string                    Origin URL for HTTP backend
       --loki                                      Enable Loki log sink for the CDN distribution
+      --loki-password string                      Loki-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --loki-push-url string                      Push URL for log sink
       --loki-username string                      Username for log sink
       --monthly-limit-bytes int                   Monthly limit in bytes for the CDN distribution

@@ -28,7 +28,7 @@ stackit beta intake user create [flags]
   -h, --help                    Help for "stackit beta intake user create"
       --intake-id string        The UUID of the Intake to associate the user with
       --labels stringToString   Labels in key=value format, separated by commas (default [])
-      --password string         Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)
+      --password string         Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty. Must contain lower, upper, number, and special characters (min 12 chars)
       --type string             Type of user. One of 'intake' (default) or 'dead-letter' (default "intake")
 ```
 

@@ -28,7 +28,7 @@ stackit beta intake user update USER_ID [flags]
   -h, --help                    Help for "stackit beta intake user update"
       --intake-id string        Intake ID
       --labels stringToString   Labels in key=value format, separated by commas. Example: --labels "key1=value1,key2=value2". (default [])
-      --password string         Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)
+      --password string         Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty. Must contain lower, upper, number, and special characters (min 12 chars)
       --type string             Type of user. One of 'intake' or 'dead-letter'
 ```
 

@@ -25,7 +25,7 @@ stackit load-balancer observability-credentials add [flags]
 ```
       --display-name string   Credentials display name
   -h, --help                  Help for "stackit load-balancer observability-credentials add"
-      --password string       Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string       Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --username string       Username
 ```
 

@@ -25,7 +25,7 @@ stackit load-balancer observability-credentials update CREDENTIALS_REF [flags]
 ```
       --display-name string   Credentials name
   -h, --help                  Help for "stackit load-balancer observability-credentials update"
-      --password string       Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string       Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --username string       Username
 ```
 

@@ -82,14 +82,15 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().StringP(usernameFlag, "u", "", "Username for the credentials")
 	cmd.Flags().StringP(displaynameFlag, "d", "", "Displayname for the credentials")
-	cmd.Flags().Var(flags.ReadFromFileFlag(), passwordFlag, `Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).`)
+	password := flags.SecretFlag(passwordFlag, params)
+	cmd.Flags().Var(password, passwordFlag, password.Usage())
 
 	cobra.CheckErr(flags.MarkFlagsRequired(cmd, displaynameFlag, usernameFlag))
 }
@@ -116,7 +117,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) inputM
 		Username:        flags.FlagToStringPointer(p, cmd, usernameFlag),
 		Displayname:     flags.FlagToStringPointer(p, cmd, displaynameFlag),
 		CredentialsRef:  &inputArgs[0],
-		Password:        flags.FlagToStringPointer(p, cmd, passwordFlag),
+		Password:        flags.SecretFlagToStringPointer(p, cmd, passwordFlag),
 	}
 
 	p.DebugInputModel(model)

@@ -30,12 +30,14 @@ const (
 	flagBucket                       = "bucket"
 	flagBucketURL                    = "bucket-url"
 	flagBucketCredentialsAccessKeyID = "bucket-credentials-access-key-id" //nolint:gosec // linter false positive
+	flagBucketPassword               = "bucket-password"
 	flagBucketRegion                 = "bucket-region"
 	flagBlockedCountries             = "blocked-countries"
 	flagBlockedIPs                   = "blocked-ips"
 	flagDefaultCacheDuration         = "default-cache-duration"
 	flagLoki                         = "loki"
 	flagLokiUsername                 = "loki-username"
+	flagLokiPassword                 = "loki-password"
 	flagLokiPushURL                  = "loki-push-url"
 	flagMonthlyLimitBytes            = "monthly-limit-bytes"
 	flagOptimizer                    = "optimizer"
@@ -119,20 +121,6 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if model.Bucket != nil {
-				pw, err := params.Printer.PromptForPassword("enter your secret access key for the object storage bucket: ")
-				if err != nil {
-					return fmt.Errorf("reading secret access key: %w", err)
-				}
-				model.Bucket.Password = pw
-			}
-			if model.Loki != nil {
-				pw, err := params.Printer.PromptForPassword("enter your password for the loki log sink: ")
-				if err != nil {
-					return fmt.Errorf("reading loki password: %w", err)
-				}
-				model.Loki.Password = pw
-			}
 
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -161,11 +149,11 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model.OutputFormat, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().Var(flags.EnumSliceFlag(false, []string{}, sdkUtils.EnumSliceToStringSlice(cdn.AllowedRegionEnumValues)...), flagRegion, fmt.Sprintf("Regions in which content should be cached, multiple of: %q", cdn.AllowedRegionEnumValues))
 	cmd.Flags().Bool(flagHTTP, false, "Use HTTP backend")
 	cmd.Flags().String(flagHTTPOriginURL, "", "Origin URL for HTTP backend")
@@ -174,12 +162,16 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool(flagBucket, false, "Use Object Storage backend")
 	cmd.Flags().String(flagBucketURL, "", "Bucket URL for Object Storage backend")
 	cmd.Flags().String(flagBucketCredentialsAccessKeyID, "", "Access Key ID for Object Storage backend")
+	bucketPassword := flags.SecretFlag(flagBucketPassword, params)
+	cmd.Flags().Var(bucketPassword, flagBucketPassword, bucketPassword.Usage())
 	cmd.Flags().String(flagBucketRegion, "", "Region for Object Storage backend")
 	cmd.Flags().StringSlice(flagBlockedCountries, []string{}, "Comma-separated list of ISO 3166-1 alpha-2 country codes to block (e.g., 'US,DE,FR')")
 	cmd.Flags().StringSlice(flagBlockedIPs, []string{}, "Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')")
 	cmd.Flags().String(flagDefaultCacheDuration, "", "ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)")
 	cmd.Flags().Bool(flagLoki, false, "Enable Loki log sink for the CDN distribution")
 	cmd.Flags().String(flagLokiUsername, "", "Username for log sink")
+	lokiPassword := flags.SecretFlag(flagLokiPassword, params)
+	cmd.Flags().Var(lokiPassword, flagLokiPassword, lokiPassword.Usage())
 	cmd.Flags().String(flagLokiPushURL, "", "Push URL for log sink")
 	cmd.Flags().Int64(flagMonthlyLimitBytes, 0, "Monthly limit in bytes for the CDN distribution")
 	cmd.Flags().Bool(flagOptimizer, false, "Enable optimizer for the CDN distribution (paid feature).")
@@ -229,11 +221,12 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 		bucketURL := flags.FlagToStringValue(p, cmd, flagBucketURL)
 		accessKeyID := flags.FlagToStringValue(p, cmd, flagBucketCredentialsAccessKeyID)
 		region := flags.FlagToStringValue(p, cmd, flagBucketRegion)
+		password := flags.SecretFlagToString(p, cmd, flagBucketPassword)
 
 		bucket = &bucketInputModel{
 			URL:         bucketURL,
 			AccessKeyID: accessKeyID,
-			Password:    "",
+			Password:    password,
 			Region:      region,
 		}
 	}
@@ -248,7 +241,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 		loki = &lokiInputModel{
 			Username: flags.FlagToStringValue(p, cmd, flagLokiUsername),
 			PushURL:  flags.FlagToStringValue(p, cmd, flagLokiPushURL),
-			Password: "",
+			Password: flags.SecretFlagToString(p, cmd, flagLokiPassword),
 		}
 	}
 

@@ -31,12 +31,14 @@ const (
 	flagBucket                       = "bucket"
 	flagBucketURL                    = "bucket-url"
 	flagBucketCredentialsAccessKeyID = "bucket-credentials-access-key-id" //nolint:gosec // linter false positive
+	flagBucketPassword               = "bucket-password"
 	flagBucketRegion                 = "bucket-region"
 	flagBlockedCountries             = "blocked-countries"
 	flagBlockedIPs                   = "blocked-ips"
 	flagDefaultCacheDuration         = "default-cache-duration"
 	flagLoki                         = "loki"
 	flagLokiUsername                 = "loki-username"
+	flagLokiPassword                 = "loki-password"
 	flagLokiPushURL                  = "loki-push-url"
 	flagMonthlyLimitBytes            = "monthly-limit-bytes"
 	flagOptimizer                    = "optimizer"
@@ -93,20 +95,6 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if model.Bucket != nil {
-				pw, err := params.Printer.PromptForPassword("enter your secret access key for the object storage bucket: ")
-				if err != nil {
-					return fmt.Errorf("reading secret access key: %w", err)
-				}
-				model.Bucket.Password = pw
-			}
-			if model.Loki != nil {
-				pw, err := params.Printer.PromptForPassword("enter your password for the loki log sink: ")
-				if err != nil {
-					return fmt.Errorf("reading loki password: %w", err)
-				}
-				model.Loki.Password = pw
-			}
 
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -134,11 +122,11 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model.OutputFormat, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().Var(flags.EnumSliceFlag(false, []string{}, sdkUtils.EnumSliceToStringSlice(cdn.AllowedRegionEnumValues)...), flagRegions, fmt.Sprintf("Regions in which content should be cached, multiple of: %q", cdn.AllowedRegionEnumValues))
 	cmd.Flags().Bool(flagHTTP, false, "Use HTTP backend")
 	cmd.Flags().String(flagHTTPOriginURL, "", "Origin URL for HTTP backend")
@@ -147,12 +135,16 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool(flagBucket, false, "Use Object Storage backend")
 	cmd.Flags().String(flagBucketURL, "", "Bucket URL for Object Storage backend")
 	cmd.Flags().String(flagBucketCredentialsAccessKeyID, "", "Access Key ID for Object Storage backend")
+	bucketPassword := flags.SecretFlag(flagBucketPassword, params)
+	cmd.Flags().Var(bucketPassword, flagBucketPassword, bucketPassword.Usage())
 	cmd.Flags().String(flagBucketRegion, "", "Region for Object Storage backend")
 	cmd.Flags().StringSlice(flagBlockedCountries, []string{}, "Comma-separated list of ISO 3166-1 alpha-2 country codes to block (e.g., 'US,DE,FR')")
 	cmd.Flags().StringSlice(flagBlockedIPs, []string{}, "Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')")
 	cmd.Flags().String(flagDefaultCacheDuration, "", "ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)")
 	cmd.Flags().Bool(flagLoki, false, "Enable Loki log sink for the CDN distribution")
 	cmd.Flags().String(flagLokiUsername, "", "Username for log sink")
+	lokiPassword := flags.SecretFlag(flagLokiPassword, params)
+	cmd.Flags().Var(lokiPassword, flagLokiPassword, lokiPassword.Usage())
 	cmd.Flags().String(flagLokiPushURL, "", "Push URL for log sink")
 	cmd.Flags().Int64(flagMonthlyLimitBytes, 0, "Monthly limit in bytes for the CDN distribution")
 	cmd.Flags().Bool(flagOptimizer, false, "Enable optimizer for the CDN distribution (paid feature).")
@@ -200,11 +192,12 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 		bucketURL := flags.FlagToStringValue(p, cmd, flagBucketURL)
 		accessKeyID := flags.FlagToStringValue(p, cmd, flagBucketCredentialsAccessKeyID)
 		region := flags.FlagToStringValue(p, cmd, flagBucketRegion)
+		password := flags.SecretFlagToString(p, cmd, flagBucketPassword)
 
 		bucket = &bucketInputModel{
 			URL:         bucketURL,
 			AccessKeyID: accessKeyID,
-			Password:    "",
+			Password:    password,
 			Region:      region,
 		}
 	}
@@ -219,7 +212,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 		loki = &lokiInputModel{
 			Username: flags.FlagToStringValue(p, cmd, flagLokiUsername),
 			PushURL:  flags.FlagToStringValue(p, cmd, flagLokiPushURL),
-			Password: "",
+			Password: flags.SecretFlagToString(p, cmd, flagLokiPassword),
 		}
 	}
 

@@ -101,14 +101,15 @@ func NewCmd(p *types.CmdParams) *cobra.Command {
 			return outputResult(p.Printer, model, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, p)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().String(displayNameFlag, "", "Display name")
 	cmd.Flags().Var(flags.UUIDFlag(), intakeIdFlag, "The UUID of the Intake to associate the user with")
-	cmd.Flags().String(passwordFlag, "", "Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)")
+	password := flags.SecretFlag(passwordFlag, params)
+	cmd.Flags().Var(password, passwordFlag, password.Usage()+" Must contain lower, upper, number, and special characters (min 12 chars)")
 	cmd.Flags().String(userTypeFlag, string(intake.USERTYPE_INTAKE), "Type of user. One of 'intake' (default) or 'dead-letter'")
 	cmd.Flags().String(descriptionFlag, "", "Description")
 	cmd.Flags().StringToString(labelsFlag, nil, "Labels in key=value format, separated by commas")
@@ -127,7 +128,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command) (*inputModel, error) {
 		GlobalFlagModel: globalFlags,
 		DisplayName:     flags.FlagToStringPointer(p, cmd, displayNameFlag),
 		IntakeId:        flags.FlagToStringPointer(p, cmd, intakeIdFlag),
-		Password:        flags.FlagToStringPointer(p, cmd, passwordFlag),
+		Password:        flags.SecretFlagToStringPointer(p, cmd, passwordFlag),
 		UserType:        flags.FlagToStringPointer(p, cmd, userTypeFlag),
 		Description:     flags.FlagToStringPointer(p, cmd, descriptionFlag),
 		Labels:          flags.FlagToStringToStringPointer(p, cmd, labelsFlag),