Make secrets available in templating engine

AFAIK it is currently not possible to use the secrets from the secrets.yaml in any templates. There are a lot of use cases where this could be really beneficial (e.g. passing secrets to some script in a shell_command).
I know of one other tool “Flexget” which uses the jinja engine and allows exactly this with their “variables” plugin.

Would be great to have!

~Cheers

1 Like

This feature was previously declined for security reasons.

Okay, I’m kind of lost here. I thought the whole point of even having the secrets file was to make it easier to share your config (e.g. on Github). Without this feature I would not need a secrets file at all. Because now I have to check anyways. Maybe we could keep the current secrets system, but add something else for the jinja 2 engine like a “variables.yaml”, so everyone could decide if they need it within the template engine or not and the default would still be the “securer” secrets.yaml?

~Cheers

5 Likes

@happyleaves do you know of a work around for this issue?

https://github.com/CCOSTAN/Home-AssistantConfig/issues/55#issuecomment-279718589

Thanks.
Carlo

The easy way is to put the whole template into your secret. If you really don’t want to do that, you could make an MQTT sensor, and have an automation use mqtt.publish to set the value of the sensor to the secret. Then use the state of that sensor in your template.

3 Likes

That makes a ton of sense. I didn’t even think of the easy answer of just hiding the whole automation. I’ll leave a commented version exposed and scrubbed and hide the real one. Thanks. That works for me.

CARLO.

1 Like

In case anyone wonders I just went the easy way and made a template sensor like this:

sensor:
  - platform: template
    sensors:
      emby_player_uuid:
        value_template: !secret emby_player_uuid

~Cheers

8 Likes

The workaround is valid.
But can this feature be reconsidered?

I don’t see why this would not be secure? People might just put the sensitive value not in the secrets and use them as literal. So that is not secure at all if the config goes out to Github or is shared in any other way.

5 Likes

long time gone, please let me get back on this:

I'm using the xbox sensor, which ends up using the gamertag in the sensor name, sensor.gamertag. Since I use a lot of templating on that sensor, my gamertag ends up everywhere in the YAML…

Hence I tried to do something like {% set gamertag = !secret xbox_gamertag %} but obviously (…) that's not allowed.

I've now tried your simple solution:

  xbox_gamertag:
    value_template: !secret xbox_gamertag

and need the state (my gamertag) of that sensor appended to this:

{%- if states.sensor.{{states.sensor.xbox_gamertag.state}} %}
   {% if is_state("sensor.{{states.sensor.xbox_gamertag.state}}", "Online") %}
     {%- if is_state_attr("sensor.{{states.sensor.xbox_gamertag.state}}", "XboxOne Full" , "Netflix") %} mdi:netflix 
        {% else %}mdi:xbox-controller
        {%- endif %}
      {% else %}mdi:xbox-controller-off
    {%- endif %}
  {%- endif %}

this doesn’t work though…complaining about:

Error rendering template: TemplateSyntaxError: expected name or number

is there a way, or should we simply forget…

this is promising:

{% set gamertag = "states.sensor.xbox_gamertag.state" %}
{%- if "states.sensor.{{ gamertag }}" %}
   {% if is_state("sensor.{{ gamertag }}", "Online") %}
     {%- if is_state_attr("sensor.{{ gamertag }}", "XboxOne Full" , "Netflix") %} mdi:netflix 
        {% else %}mdi:xbox-controller
        {%- endif %}
      {% else %}mdi:message-bulleted-off
    {%- endif %}
  {%- endif %}

what one needs to go through to keep secrets secret…

Anyways, cheers!
Marius

My first efforts above didn't work, but this seems to be promising:

{% set gamertag = "states.sensor.xbox_gamertag.state" %}
{%- if "states.sensor.{{ gamertag }}" %}
   {% if is_state("sensor.{{ gamertag }}", "Online") %}
     {%- if is_state_attr("sensor.{{ gamertag }}", "XboxOne Full" , "Netflix") %} mdi:netflix 
        {% else %}mdi:xbox-controller
        {%- endif %}
      {% else %}mdi:message-bulleted-off
    {%- endif %}
  {%- endif %}

after first creating an intermediary template sensor:

  xbox_gamertag:
    value_template: !secret xbox_gamertag

thanks to @PhyberApex and his workaround in Make secrets available in templating engine

1 Like
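
An added example, not code from any poster in this thread: inside a Jinja expression a nested `{{ }}` is not evaluated, so `"sensor.{{ gamertag }}"` stays a literal string, and the entity id has to be built with the `~` concatenation operator instead. Because the indirection sensor's state is the secret value itself, the sketch also excludes it from the recorder; the `xbox_icon` sensor name and the sample secret value are assumptions, and the gamertag is assumed to match the entity's object id.

```yaml
# secrets.yaml (constructed sample value)
#   xbox_gamertag: examplegamer

# configuration.yaml
sensor:
  - platform: template
    sensors:
      # Indirection sensor from the thread: its state IS the secret value.
      xbox_gamertag:
        value_template: !secret xbox_gamertag

      # Hypothetical sensor that derives an icon name from the Xbox entity.
      # states() reads the secret-backed sensor; '~' joins it onto "sensor."
      # so is_state() receives a real entity id rather than a literal string.
      xbox_icon:
        value_template: >-
          {%- set gamertag = states('sensor.xbox_gamertag') -%}
          {%- set entity = 'sensor.' ~ gamertag -%}
          {%- if is_state(entity, 'Online') -%}
            {%- if is_state_attr(entity, 'XboxOne Full', 'Netflix') -%}
              mdi:netflix
            {%- else -%}
              mdi:xbox-controller
            {%- endif -%}
          {%- else -%}
            mdi:xbox-controller-off
          {%- endif -%}

# Keep the secret-bearing state out of the recorder database.
# It is still readable as a live state while Home Assistant runs.
recorder:
  exclude:
    entities:
      - sensor.xbox_gamertag
```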

Hello all,

I read through this thread and I believe it does the opposite of what I am trying to do. I want to be able to actually change the value of a secret in a secret file according to a template.

Basically, I use one alarm code to disarm my alarm. My locks have individual codes for each family member. I have templated out the locks to show which family member unlocked them. Now I am hoping to further template out the locks to pass the same code to the secrets file so it uses it to disarm the alarm. Is this possible?

Thanks in advance.

Best bet imho would be to include all of them in the secrets file and write the “current” one to use in a hidden text_input field and use the value of that to arm/disarm.

Does this help?

~Cheers

Thank you for your response. I am sure it should but I don’t have the knowledge of Home Assistant for it too. Any chance you could provide some sort of example.

Does this help?

input_text:
  alarmPin:
    name: alarmPin
    initial: nothing

script:
  armAlarm:
    sequence:
      # Your arming stuff here
      - service: input_text.set_value
        data:
          entity_id: input_text.alarmPin
          value: YOUR_PIN

  disarmAlarm:
    sequence:
      # Your disarm stuff here
      - service: YOUR_ALARM.DISARM
        data_template:
          entity_id: YOUR_ALARM
          # Quoted so YAML reads the template as a string
          value: "{{ states.input_text.alarmPin.state }}"

~Cheers

Yes, thank you, but I think that leaves a place to input a number on the frontend. It did get my brain thinking though. Would something like this work:

# Configuration yaml

alarm_control_panel:
  platform: alarmdotcom
  username: !secret adc_user
  password: !secret adc_password
  code: "{{ states.sensor.lock_door_code.state }}"
 
sensor: 
  - platform: template
    sensors:
      lock_door_code:
        friendly_name: 'Door Alarm Code'
        value_template: >-
          {% if is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 1') %}
            !secret alarmuser1
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 2') %}
            !secret alarmuser2
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 3') %}
            !secret alarmuser3
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 4') %}
            !secret alarmuser4
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 5') %}
            !secret alarmuser5
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 1') %}
            !secret alarmuser1
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 2') %}
            !secret alarmuser2
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 3') %}
            !secret alarmuser3
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 4') %}
            !secret alarmuser4
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 5') %}
            !secret alarmuser5
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 1') %}
            !secret alarmuser1
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 2') %}
            !secret alarmuser2
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 3') %}
            !secret alarmuser3
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 4') %}
            !secret alarmuser4
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 5') %}
            !secret alarmuser5
          {% else %}
            0000
          {% endif %}
		 
# secrets yaml

alarmuser1: 1234
alarmuser2: 1235
alarmuser3: 1236
alarmuser4: 1237
alarmuser5: 1238

I don’t think that would work as the code would only get read at the initialization of the alarm_control_panel component.

For the example I provided I forgot to mention this portion of home assistant you probably are not familiar with.

You can set entities hidden which you should be doing for my example like this:

customize:
    input_text.alarmPin:
      hidden: true

~Cheers

Yes, thank you. I think where I am getting confused though is your example looks like it uses a static PIN number. One that never changes. I need the PIN number to change depending on who unlocks the door. So if user1 unlocks the door with user1’s code, it uses user1’s code to disarm the alarm. If user2 unlocks the door, it uses user2’s code to disarm the alarm. Make sense? Am I missing something?

Thanks for your help.

Could you provide your current alarm config with disarm and arm scripts? That would make it a lot easier to explain.

~Cheers

Ok, I made some progress this weekend. I haven’t made it to scripts yet. I would love to use this as a spring board to learning them though. I do have a single sensor that accurately reports the code used at each door. I tried to include it entirely in the secrets yaml but didn’t get very far as I got all kinds of errors. I followed your example above for the configuration yaml but couldn’t figure out how to add it to the secrets file.

Would you do it like this:

sensor:
  - platform: template
    sensors:
      emby_player_uuid:
        value_template: !secret emby_player_uuid

secrets.yaml

emby_player_uuid: start sensor here

I also tried to use the sensor in an automation but that failed miserably.

Something similar to

data_template:
  entity_id: my_alarm_panel
  code: states.sensor.lock_door_code.state
service: my_alarm_panel.alarm_disarm

If you don’t have a script how do you arm your alarm? oO

Also you need to make sure your template gets interpreted by using the jinja2 notation.

data_template:
  entity_id: my_alarm_panel
  code: "{{ states.sensor.lock_door_code.state }}"
service: my_alarm_panel.alarm_disarm

~Cheers
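
An added example, not from any poster above: `!secret` is resolved when the YAML is loaded, so one automation per user can pass that user's code from secrets.yaml directly in the service data, and no PIN is held as the state of a sensor or input_text. The alarm entity id and the aliases are assumptions; the lock sensors, state strings and secret names are the ones used earlier in the thread.

```yaml
# configuration.yaml (two users shown; repeat the block per user)
automation:
  - alias: Disarm alarm, keypad user 1          # hypothetical alias
    trigger:
      - platform: state
        entity_id:
          - sensor.lock_b_door_status
          - sensor.lock_f_door_status
          - sensor.lock_g_door_status
        to: 'Unlocked with Keypad by user 1'
    action:
      - service: alarm_control_panel.alarm_disarm
        data:
          entity_id: alarm_control_panel.my_alarm_panel   # hypothetical entity id
          # Static value substituted at config load, not a template
          code: !secret alarmuser1

  - alias: Disarm alarm, keypad user 2          # hypothetical alias
    trigger:
      - platform: state
        entity_id:
          - sensor.lock_b_door_status
          - sensor.lock_f_door_status
          - sensor.lock_g_door_status
        to: 'Unlocked with Keypad by user 2'
    action:
      - service: alarm_control_panel.alarm_disarm
        data:
          entity_id: alarm_control_panel.my_alarm_panel   # hypothetical entity id
          code: !secret alarmuser2
```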