Is your feature request related to a problem? Please describe.

Builds that want to import from a URL that requires authentication currently have no good way to do this.

Workaround is to just run cURL in the run section instead, which loses caching and there's no good way to avoid leaking credentials in logs, assuming you've injected them via substitution or environment passthrough.

Describe the solution you'd like

A rough sketch - the idea being that credentials can be supplied via environment. they will be handled like substitutions but we could use a separate flag so we can track which ones we should mask in logs.

imports:
 - path: https://very-secure-server/oh.yeah
   hash: aaaaaaaaa
   username: ${{MYUSERNAME}}
   password: ${{CREDENTIAL_MYPASSWORD}}

stacker build --substitute MYUSERNAME=$USER --credential MYPASSWORD

Describe alternatives you've considered

No response

Additional context

No response