Error in Dashboards using !secret

Does the UI support the specification of a !secret?

I had entered the alarm code directly using the UI and I could edit it in the UI with no issues. But clearly this is not very secure so I wanted to add a !secret for the alarm code. But I could not see how to do this in the UI, so I edited it in Code Server.

This is my automation:

- id: '1629248081906'
  alias: Leave Home
  description: ''
  trigger:
  - platform: state
    for:
      hours: 0
      minutes: 30
      seconds: 0
    entity_id: group.people
    from: home
  condition: []
  action:
  - service: alarm_control_panel.alarm_arm_away
    target:
      entity_id: alarm_control_panel.carpe_diem_alarm
    data:
      code: !secret alarm_code
  - service: input_boolean.turn_on
    target:
      entity_id: input_boolean.sentry_mode
  mode: single

When I tried to edit this automation in the UI I got the following error:
Error loading automation (500).

I then edited the automation in Code Server to reenter the alarm code directly rather than using !secret. I now get the same (500) error when trying to edit the automation in the UI.

Each time I changed the automation, whether in Code Server or the UI, I first reloaded the automations Configurations -> Settings.

Am I doing something incorrectly?

As an enhancement I definitely would like to be able to enter the !secret in the UI.

UI automations do not support !secret.

Yes, I figured that out.

But even after putting the code back in rather than !secret, using Code Server, I get the (500) error when I try to edit the automation in the UI.

I even restarted HA between the edit in Code Server and trying to edit the automation in the UI.

I would do the following:

  • Remove the automation from the yaml file
  • Reboot HA
  • Add the automation back in the UI

Kind of brute force, don’t you think?

I’ll definitely add an enhancement request to be able to specify a !secret in automation.

2 Likes

I don’t think that will be possible, as the yaml config and the UI are two different systems.
And if it’s possible I don’t think they will add it, because HA is moving away from yaml.

Why do you need the secrets anyway? You could use a helper for constant values if you like.

Well, I want it to be secret.
It is the alarm code for the house.

From whom? If someone random has access to the automations UI, you’ll have a bigger problem. And then they can also access your secrets.yaml.

The secrets yaml file is only intended for users who want to share their config files online (e.g. GitHub or this forum).

I imagine you want to compare some entered value against the secret code? Then how about a template binary sensor that turns on when the entered input is set to the right code? You can then build automations around the sensor being on.
Or you could do some kind of hashing calculation and check against the hashed value.

Ok, this has progressed even further. I deleted the automation as suggested by @Pippyn and restarted HA.

Now I cannot create any new automations using the UI. I keep on getting the (500) error when I try to save the automation. I want to be clear that I am not trying to enter a !secret or even type in the alarm code. Below is a screenshot of the automation I’m trying to create, because I couldn’t save the automation and then send the YAML. All I’m trying to do is detect when everyone has left home for 30 min and turn on the alarm system automatically.

Anyone know what is going on?

This is the system health report.

System Health

version: core-2022.4.2
installation_type: Home Assistant OS
dev: false
hassio: true
docker: true
user: root
virtualenv: false
python_version: 3.9.9
os_name: Linux
os_version: 5.10.108
arch: x86_64
timezone: Europe/Lisbon


GitHub API: ok
GitHub Content: ok
GitHub Web: ok
GitHub API Calls Remaining: 4808
Installed Version: 1.24.4
Stage: running
Available Repositories: 1093
Downloaded Repositories: 14


logged_in: true
subscription_expiration: 14 April 2022, 01:00
relayer_connected: true
remote_enabled: true
remote_connected: true
alexa_enabled: false
google_enabled: true
remote_server: eu-central-1-1.ui.nabu.casa
can_reach_cert_server: ok
can_reach_cloud_auth: ok
can_reach_cloud: ok


host_os: Home Assistant OS 7.6
update_channel: stable
supervisor_version: supervisor-2022.04.0
docker_version: 20.10.9
disk_total: 116.7 GB
disk_used: 26.5 GB
healthy: true
supported: true
board: generic-x86-64
supervisor_api: ok
version_api: ok
installed_addons: Samba share (9.5.1), Home Assistant Google Drive Backup (0.106.2), Check Home Assistant configuration (3.10.0), Terminal & SSH (9.3.0), Network UPS Tools (0.10.0), Studio Code Server (4.2.0), Samba Backup (5.0.0), ESPHome (2022.3.2)


api_endpoint_reachable: ok


dashboards: 6
resources: 7
views: 31
mode: storage

And what about the error log?

Logger: aiohttp.server
Source: util/yaml/loader.py:304
First occurred: 16:39:58 (1 occurrences)
Last logged: 16:39:58

Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/aiohttp/web_protocol.py", line 435, in _handle_request
    resp = await request_handler(request)
  File "/usr/local/lib/python3.9/site-packages/aiohttp/web_app.py", line 504, in _handle
    resp = await handler(request)
  File "/usr/local/lib/python3.9/site-packages/aiohttp/web_middlewares.py", line 117, in impl
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 60, in security_filter_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 100, in forwarded_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 28, in request_context_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 79, in ban_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 219, in auth_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/view.py", line 137, in handle
    result = await result
  File "/usr/src/homeassistant/homeassistant/components/config/__init__.py", line 144, in post
    current = await self.read_config(hass)
  File "/usr/src/homeassistant/homeassistant/components/config/__init__.py", line 177, in read_config
    current = await hass.async_add_executor_job(_read, hass.config.path(self.path))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/config/__init__.py", line 235, in _read
    return load_yaml(path)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 111, in load_yaml
    return parse_yaml(conf_file, secrets)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 123, in parse_yaml
    yaml.load(content, Loader=lambda stream: SafeLineLoader(stream, secrets))
  File "/usr/local/lib/python3.9/site-packages/yaml/__init__.py", line 81, in load
    return loader.get_single_data()
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 51, in get_single_data
    return self.construct_document(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 55, in construct_document
    data = self.construct_object(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 284, in _construct_seq
    (obj,) = loader.construct_yaml_seq(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 408, in construct_yaml_seq
    data.extend(self.construct_sequence(node))
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 129, in construct_sequence
    return [self.construct_object(child, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 129, in <listcomp>
    return [self.construct_object(child, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 253, in _ordered_dict
    nodes = loader.construct_pairs(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 155, in construct_pairs
    value = self.construct_object(value_node, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 284, in _construct_seq
    (obj,) = loader.construct_yaml_seq(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 408, in construct_yaml_seq
    data.extend(self.construct_sequence(node))
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 129, in construct_sequence
    return [self.construct_object(child, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 129, in <listcomp>
    return [self.construct_object(child, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 253, in _ordered_dict
    nodes = loader.construct_pairs(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 155, in construct_pairs
    value = self.construct_object(value_node, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 284, in _construct_seq
    (obj,) = loader.construct_yaml_seq(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 408, in construct_yaml_seq
    data.extend(self.construct_sequence(node))
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 129, in construct_sequence
    return [self.construct_object(child, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 129, in <listcomp>
    return [self.construct_object(child, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 253, in _ordered_dict
    nodes = loader.construct_pairs(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 155, in construct_pairs
    value = self.construct_object(value_node, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 253, in _ordered_dict
    nodes = loader.construct_pairs(node)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 155, in construct_pairs
    value = self.construct_object(value_node, deep=deep)
  File "/usr/local/lib/python3.9/site-packages/yaml/constructor.py", line 100, in construct_object
    data = constructor(self, node)
  File "/usr/src/homeassistant/homeassistant/util/yaml/loader.py", line 304, in secret_yaml
    raise HomeAssistantError("Secrets not supported in this YAML file")
homeassistant.exceptions.HomeAssistantError: Secrets not supported in this YAML file

1 Like

The steps I took were:

  • Send the system health report
  • Restart HA
  • Create the automation from scratch, without any !secret
  • Copy the error log

I suspect that I have a !secret somewhere else in my automations.yaml and that HA doesn’t like a !secret anywhere in the YAML. I’ll test this out and report back.

I can confirm that HA doesn’t like !secret anywhere in the YAML.

There were several other places where I was using !secret, so I changed those to the alarm code.

I then restarted HA and could create the automation and save it successfully.

Now I have to try using the input_text as suggested by @Pippyn.
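The traceback above shows the UI config editor re-reading the whole automations.yaml and raising "Secrets not supported in this YAML file" on the first !secret tag it meets, so a single leftover tag blocks saving any automation. The following is an added example, not part of the thread and not Home Assistant code: a standard-library line scanner (an approximation, not a full YAML parser) that lists every remaining !secret tag; the sample file content and the function names are constructed for illustration.

```python
import re
# Constructed sample standing in for automations.yaml (not the poster's real file).
SAMPLE = """\
- id: '1629248081906'
  alias: Leave Home
  action:
  - service: alarm_control_panel.alarm_arm_away
    data:
      code: !secret alarm_code
- id: '1000000000001'
  alias: Arrive Home   # comment mentioning !secret is ignored
  description: "a quoted !secret is just a string"
  action:
  - service: alarm_control_panel.alarm_disarm
    data:
      code: !secret alarm_code
"""

# A tag opens a node: after "key: ", after "- ", at line start, or inside a flow collection.
TAG = re.compile(r"(?:^\s*|:\s+|-\s+|[\[{,]\s*)!secret\s+([^\s,\]}]+)")
KEY = re.compile(r"^\s*(?:-\s+)?([\w.]+):")

def strip_quotes_and_comments(line):
    """Drop quoted scalars and trailing comments so only real YAML tags remain."""
    out, quote = [], None
    for i, ch in enumerate(line):
        prev = line[i - 1] if i else " "
        if quote:
            if ch == quote and not (quote == '"' and prev == "\\"):
                quote = None
        elif ch in "'\"" and prev in " \t[{,":
            quote = ch          # a quote only opens a scalar at the start of a value
        elif ch == "#" and prev in " \t":
            break               # rest of the line is a comment
        else:
            out.append(ch)
    return "".join(out)

def find_secret_tags(text):
    hits = []  # (line number, key on that line or None, secret name); first tag per line
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_quotes_and_comments(raw)
        if m := TAG.search(line):
            key = KEY.match(line)
            hits.append((lineno, key.group(1) if key else None, m.group(1)))
    return hits

if __name__ == "__main__":
    print(find_secret_tags(SAMPLE))
```

An empty result means the file no longer contains a tag of the kind that error reports.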

Just to be clear, if your goal is to hide the alarm code from someone with access to your HA UI that task is pretty much impossible.

Anyone with access to your HA UI can open the Code Server add-on’s UI. So if you can see the secrets.yaml file so can anyone else. Note that this also applies to any value anywhere in your config or in .storage (you can unhide that folder in code server or just drop to the terminal).

The state of every entity is visible in developer tools, input texts included. That’s even less hidden.

Even if you had your automation clear the value of that input text immediately after entry someone could still open the trace of your automation the last time it ran and see the value that way.

Also does your integration or device expose a service to change the alarm code or disarm it? If so then the alarm code is irrelevant to someone with access to your HA UI. They can just disarm or change it from here. Or change any of your automations/scripts or make their own.

Control access to the HA UI and the system it runs on. Assume if a bad actor got to the HA UI then you’re already screwed.

Also secrets.yaml isn’t a security feature. It’s a sharing feature. It allows you to easily share your config without accidentally including PII/credentials. That’s about it.

Thanks for those sobering words @CentralCommand.

I suspected as much, now I know.