Feature request for `!secret` expansion in shell commands

jmartens · September 3, 2020, 12:08pm

As requested per #39595 as a feature request here in the forum:

The problem

Apparently there is no !secret expansion in shell_commands, would be nice if this could be implemented. This saves me putting sensitive data into configuration files.

2020-09-02 22:41:16 DEBUG (MainThread) [homeassistant.components.shell_command] Stderr of command: `ssh -F /config/.ssh/config -o UserKnownHostsFile=/config/.ssh/known_hosts !secret ip_of_server1 sudo /usr/sbin/poweroff`, return code: 255:
b'ssh: Could not resolve hostname !secret: Try again\r\n'

Problem-relevant `configuration.yaml`

shell_command:
# TODO: move sensitive data to secrets
  turn_off_server1: ssh -F /config/.ssh/config -o UserKnownHostsFile=/config/.ssh/known_hosts !secret ip_of_server1 sudo /usr/sbin/poweroff

Mutt · September 3, 2020, 12:26pm

I would actually prefer it if you could get a !secret to be evaluated with a jinja expression, this would make them usable in far more places than just cli

Tediore · September 3, 2020, 12:28pm

This isn’t quite what you’re looking for, but you could make the entire shell command a secret.

ludeeus · September 3, 2020, 12:31pm

Exposing secrets to the template engine might sound cool, like {{ secret.ip_of_server1 }}.
But that would also make those secrets show in the template editor in the UI for every user that has access to it.

As @Tediore says, moving the entire command to the secrets file works.
at the core, this is still YAML, and AFAIK you can not use inline include statements in any YAML file.

Feature request for `!secret` expansion in shell commands

The problem

Problem-relevant configuration.yaml

Problem-relevant `configuration.yaml`