Headless token refresh or headless setup of encrypted configuration


Thanks for all the great work on rclone!

I am wondering if there is any way to trigger a token refresh from a wrapper script and get the new token via stdout. I understand I can run a simple command and rclone will often do a token refresh if the access token has expired, but I cannot figure out how to capture the new token without opening the config file, which, for my application, does not exist, since I am trying to use the environment variable configuration approach. Basically, I don’t want the tokens to ever be written to the disk in plaintext, but I would like to be able to refresh tokens for storage backends that require that.

Alternatively, I would be willing to use the encrypted configuration approach and allow rclone to write the new refreshed token to the disk. Unfortunately, I cannot figure out any way to script the setup of a new encrypted configuration file. Trying to script the answers to the “rclone config” command has proved unsuccessful when there is a password prompt as part of the setup.

Basically, I’m trying to figure out one of two things (either approach is fine):

  1. How do I refresh a Google Drive or Dropbox token (arbitrary OAuth rclone backend) using the environment variable configuration approach?

  2. How do I set up a brand new encrypted config file, supplying the new encryption password from a wrapping application? I know how to provide the encrypted config file password via an environment variable (RCLONE_CONFIG_PASS) but I don’t know how to set up a new encrypted config file, using only environment variables or via the remote control console.

Is there a way to do either of these things?

Thanks in advance!

You can’t capture it via an environment variable as children can’t set variables in the parent.

It has to be written somewhere (stdout or disk) for the parent to read it.

That seems like it should be possible, but it doesn’t work - this creates an unencrypted config file.

RCLONE_CONFIG_PASS=password rclone --config /tmp/config config update newremote type drive

That is quite possibly a bug and if it was fixed then it would do what you want - does that sound OK? If so then please make a new issue on GitHub and we can see about fixing it :)
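
A post-check a wrapper could run, given that the command above was observed to create an unencrypted config file (added example, not code from this thread or from rclone). It relies on the `RCLONE_ENCRYPT_V0:` marker line that opens an encrypted rclone config file; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: post-check for a wrapper script. Function names and the
# sample files are constructed for illustration; they are not part of rclone.

# Succeeds only if the first non-blank, non-comment line is the marker that
# opens an encrypted rclone config file. Returns 2 if the file is missing.
config_is_encrypted() {
    [ -f "$1" ] || return 2
    _first=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
             grep -v -e '^$' -e '^[#;]' | head -n 1)
    [ "$_first" = "RCLONE_ENCRYPT_V0:" ]
}

# Prints a comma-separated list of secret-bearing keys readable in plaintext
# (empty output when none are visible).
plaintext_secret_keys() {
    awk -F= '/^[ \t]*(token|client_secret|pass|password)[ \t]*=/ {
                 gsub(/[ \t]/, "", $1)
                 if (!seen[$1]++) out = out (out ? "," : "") $1
             }
             END { print out }' "$1" 2>/dev/null
}

# Gate for the wrapper: return 0 for an encrypted file; otherwise report the
# exposed keys on stderr, restrict the file to its owner, and return 1.
require_encrypted_config() {
    if config_is_encrypted "$1"; then
        return 0
    fi
    echo "refusing $1: not encrypted; exposed keys: $(plaintext_secret_keys "$1")" >&2
    chmod 600 "$1" 2>/dev/null || true
    return 1
}

# Constructed sample files (placeholder values, not real credentials).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[newremote]\ntype = drive\nclient_secret = EXAMPLE\ntoken = {"access_token":"EXAMPLE"}\n' > "$demo_dir/plain.conf"
printf '# Encrypted rclone configuration File\n\nRCLONE_ENCRYPT_V0:\nQ09OU1RSVUNURUQ=\n' > "$demo_dir/enc.conf"

for f in "$demo_dir/plain.conf" "$demo_dir/enc.conf"; do
    if require_encrypted_config "$f"; then
        echo "ok: $f is encrypted"
    fi
done
```

A wrapper would call `require_encrypted_config` on the file right after `rclone config update` and stop before any token refresh is allowed to write to it if the check fails.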


This solution sounds great! Thanks for your reply, I will file a new issue on GitHub right away.

This does not solve the potential problem of changing the configuration encryption password programmatically, but that is a less urgent problem, since one could, in theory, just dump the entire config (using rclone config show), create a new config file with a new password and set it up again, piece by piece (using rclone config update).

Thanks again for your response.

Filed this issue here:
