Starting with vss-cli v2025.10.0, credential storage has been upgraded to use secure backends instead of legacy base64-encoded entries in your configuration file.
This improves the overall security of the ITS Private Cloud Command Line Interface by ensuring your credentials are no longer stored in plaintext or easily decodable form.
This article explains how to migrate your credentials automatically or manually, and how to validate or roll back the migration if needed.
Prerequisites
Before running the migration, make sure:
You’ve updated to vss-cli v2025.10.0
You have macOS Keychain or 1Password available (recommended)
You have access to your existing
config.yamlfile
Instructions
Automatic Migration (Recommended). When you run the updated vss-cli for the first time, it automatically detects old credentials and initiates the migration. You’ll see a message like:
Detected legacy base64 credentials. Migrating to secure storage...
Manual Migration (Optional). If you prefer to run the migration yourself, use the following command:
vss-cli configure migrate-credentials
Understand the Migration Process. When you run the command, vss-cli performs these steps:
Detects legacy base64-encoded credentials
Creates a backup of your configuration file
Stores credentials securely (Keychain, 1Password, or AES-256-GCM)
Removes the auth field from config.yaml
Validates that the new credentials are accessible
Validate Migration. Once migration completes, validate that your credentials work properly:
vss-cli configure migrate-credentials --validate
Rollback if needed:
If something goes wrong, you can restore your previous configuration:
vss-cli configure migrate-credentials --rollback
Related articles