Configured credstash but still insists on secrets.yaml

Hi all.
I’m new here and still getting my head around/being delighted by Hass.

I’ve set up credstash as an alternative to secrets.yaml. It works, I can create, retrieve, list and delete passwords using AWS.
However, the config still insists that secrets.yaml is used. I don’t see how to tell it to use AWS instead.
Any help or clarification gratefully received.


Did you solved?



Some of my platforms now work with credstash; some still insist on secrets.yaml.
My platforms which work with credstash are nest, lutron and dark_sky.
Those that don’t work for me are google_API, somfy and withings.


I solved: you need to create an empty secrets.yaml.
This is not clear in docs

Alas, that doesn’t work for me. Home Assistant fails to load, complaining that is can’t find google_API in secrets.yaml, though it exists in a credstash list. It behaves similarly if I omit the somfy or withings credentials from secrets.yaml.

Did you see how I solved?
If you to the test of the configuration, do you see that the AWS db is loaded?

Hi @claudioala80, I tried that but it didn’t work for me.

Finally I have solved it, at least for my configuration. I now have no secrets.yaml file.

My setup is Home Assistant Core in a Python virtual environment set up exactly as described in

If I run ‘credstash list’, I see all my secrets. I can run ‘credstash get ’ and it returns the correct value.

I then looked at the way in which Home Assistant retrieves the values.

This led me to /srv/homeassistant/lib/python3.7/site-packages/homeassistant/util/yaml/

This script imports a module called credstash then gets the value with a call to ‘credstash.getSecret(node.value, table=_SECRET_NAMESPACE)’.

_SECRET_NAMESPACE is resolved in in the same directory. In my setup, hard codes _SECRET_NAMESPACE as “homeassistant”.

This means that Home Assistant was looking in a DynamoDB table called “homeassistant” whereas I must somehow have change my default to some other table.

A bit googling showed that credstash can be called with a table name. If I used ‘credstash -t “homeassistant” list’, only those secrets which worked were listed.

So I deleted all the secrets in my default table, (‘credstash delete ’) and added them to the “homeassistant” table (‘credstash -t “homeassistant” put ’).

I hope that helps someone.