osx-keychain

Typed OCaml bindings to the macOS Keychain.

On GitHub

Background:

I use an AWS IAM credential to upload this website to S3 and trigger an Amplify deployment. At the moment it's sitting in a dotfile out in the open. I built this library because I'd like to keep the credential in the macOS keychain and have my site generator pull it out of the keychain when it's needed. I could not find a library on opam which provides this functionality.

It's possible to create a subprocess and use the security CLI to access the keychain, but this introduces subprocess overhead and exposes the secret in the subprocess's standard out. I decided that osx-keychain should instead link directly against the <Security/Security.h> framework's SecItem* APIs and natively read and write secrets.

Example of retrieving a stored password:

Generic_password.get ~service:"my-app" ~account:"alice" ()
|> Result.get_ok
|> Option.iter print_endline

Devlog:

Coming soon...