EIGRP SHA Authentication

Hello Matthew,

What you state is very logical; it seems redundant to need to specify a password for SHA-256 and then to need to specify a keychain password as well. However, this is the methodology used to configure SHA-256.

In order to specify a key-chain, you must first specify the authentication mode. And in order to specify the hmac-sha-256 mode, you must specify a password. (If you choose the MD5 method, you don’t specify a password, but you must employ the key-chain.) If you choose to use the key-chain method, then once that is configured, the key-chain password supersedes the hmac-sha-256 password.

It’s just the way that the SHA-256 authentication has been designed. Cisco documentation actually seems to support not using the key-chain method, as the SHA-256 password is considered equally secure:

I hope this has been helpful!

Laz

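Added example, not part of the original post: an EIGRP named-mode configuration sketch showing the two forms the reply describes, SHA-256 with only the mode password and SHA-256 with a key-chain layered on top. The process name `LAB`, autonomous system 100, the interface names, the key-chain name `EIGRP-KEYS` and the placeholder secrets are all assumptions chosen for illustration.

```cisco
! Key-chain referenced by the second interface below.
! EIGRP-KEYS and the key-string are placeholders (assumptions).
key chain EIGRP-KEYS
 key 1
  key-string <KEYCHAIN-SECRET>
!
router eigrp LAB
 address-family ipv4 unicast autonomous-system 100
  !
  ! Form 1: SHA-256 with the mode password only.
  ! The password is a mandatory argument of the mode command.
  af-interface GigabitEthernet0/0
   authentication mode hmac-sha-256 <MODE-PASSWORD>
  exit-af-interface
  !
  ! Form 2: SHA-256 plus a key-chain.
  ! The mode (and its password) must be entered first; per the reply
  ! above, the key-chain password then supersedes the mode password.
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 <MODE-PASSWORD>
   authentication key-chain EIGRP-KEYS
  exit-af-interface
 exit-address-family
!
! Check the mode and key-chain in effect on each interface with:
!   show eigrp address-family ipv4 interfaces detail
```

Both neighbors on a link must use the same form and the same effective secret, or the adjacency will not come up.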