Automation editor revealing secrets in automations.yaml

I’m trying to set up some automations to send a Telegram notification on camera motion.

When I try to use the automation editor to define the data section for the service call, it fails to store the secret correctly in automations.yaml.

Example:
Automation editor:

caption: Motion Detected - Garage Back
password: !secret cam_password
url: 'http://example/Streaming/channels/1/picture'
username: admin

What gets saved in automations.yaml (notice the password is empty now):

  data:
      caption: Motion Detected - Garage Back
      password: 
      url: http://example/Streaming/channels/1/picture
      username: admin
  service: telegram_bot.send_photo

If I then edit the automations.yaml and add the secret manually it works.

Example:

  data:
      caption: Motion Detected - Garage Back
      password: !secret cam_password
      url: http://example/Streaming/channels/1/picture
      username: admin
  service: telegram_bot.send_photo

But then if I go back to the automation editor and edit any automation using the front end, it will replace/expose all my secrets with actual passwords in automations.yaml.

Example:

  data:
      caption: Motion Detected - Garage Back
      password: actualPassword
      url: http://example/Streaming/channels/1/picture
      username: admin
  service: telegram_bot.send_photo

Is this a bug? Has anyone else come across this?

Cheers.

Definitely a bug then. Cheers.

I commented on the GitHub issue but will also comment here. It seems to be considered a frontend issue, but the issues relating to this are closed.

Last comment I read was that “it would require a lot of work to add support for it.”, and a work-around which separates automations into two files - one which uses the editor, another with secrets which does not (https://github.com/home-assistant/frontend/issues/3065#issuecomment-591397887).

With the latest release adding notifications for pwned passwords, I find it surprising that this issue is still not resolved.
I have avoided checking in my automation config to source control due to this issue, as every password in the automations.yaml gets exposed when I use the front end to edit an automation.

Did anyone find a good workaround for this?
Cheers.
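
A check for the situation described in the post above, as an added example that is not part of the original thread and not Home Assistant code: it flags lines in automations.yaml whose value contains the literal value of an entry in secrets.yaml, so the file can be screened before a commit. The file contents are constructed samples, and it assumes a flat secrets.yaml with one `name: value` scalar per line and no inline comments.

```python
import re

# Constructed sample files (not the poster's real configuration).
SECRETS_YAML = """\
# secrets.yaml
cam_password: "actualPassword"
telegram_token: 123456:CONSTRUCTED-TOKEN
"""
AUTOMATIONS_YAML = """\
- alias: Garage motion
  action:
  - data:
      caption: Motion Detected - Garage Back
      password: actualPassword
      url: http://example/Streaming/channels/1/picture
      username: admin
    service: telegram_bot.send_photo
- alias: Notify
  action:
  - data:
      token: !secret telegram_token
    service: notify.example
"""

def load_secrets(text):
    """Parse a flat secrets.yaml (assumption: one `name: value` per line)."""
    secrets = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.+?)\s*$", line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop surrounding quotes
            secrets[m.group(1)] = value
    return secrets

def find_expanded_secrets(automations_text, secrets, min_len=4):
    """Return (line_no, key, secret_name) for values holding a secret literally."""
    hits = []
    for no, line in enumerate(automations_text.splitlines(), 1):
        m = re.match(r"^\s*(?:-\s*)?([^:#\s][^:]*):\s*(.*?)\s*$", line)
        if not m or m.group(2).startswith("!secret"):
            continue  # not a key/value line, or still a !secret reference
        value = m.group(2).strip("'\"")
        for name, secret in secrets.items():
            # min_len avoids very short secrets matching ordinary words
            if len(secret) >= min_len and secret in value:
                hits.append((no, m.group(1), name))
    return hits

if __name__ == "__main__":
    leaks = find_expanded_secrets(AUTOMATIONS_YAML, load_secrets(SECRETS_YAML))
    for no, key, name in leaks:  # report the secret's name, never its value
        print(f"automations.yaml:{no}: '{key}' holds the value of !secret {name}")
    raise SystemExit(1 if leaks else 0)
```

Reading the two real files in place of the embedded strings and running this from a pre-commit hook makes the non-zero exit status block the commit.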

I must agree. I do understand that placing the password in the secret folder doesn’t really give you any strengthened security, but it definitely avoids copy-pasting passwords by mistake.

My problem is also that I use the !secret a lot, so I’m surprised the GitHub issue also has been closed?