Make secrets available in templating engine

The easy way is to put the whole template into your secret. If you really don’t want to do that, you could make an MQTT sensor, and have an automation use mqtt.publish to set the value of the sensor to the secret. Then use the state of that sensor in your template.

3 Likes

That makes a ton of sense. I didn’t even think of the easy answer of just hiding the whole automation. I’ll leave a commented version exposed and scrubbed and hide the real one. Thanks. That works for me.

CARLO.

1 Like

In case anyone wonders I just went the easy way and made a template sensor like this:

sensor:
  - platform: template
    sensors:
      emby_player_uuid:
        value_template: !secret emby_player_uuid

~Cheers

8 Likes

The workaround is valid.
But can this feature be reconsidered?

I don’t see why this would not be secure? People might just put the sensitive value not in the secrets and use them as literal. So that is not secure at all if the config goes out to Github or is shared in any other way.

5 Likes

Long time gone, please let me get back to this:

I’m using the Xbox sensor, which ends up using the gamertag in the sensor name, sensor.gamertag. Since I use a lot of templating on that sensor, my gamertag ends up everywhere in the YAML…

Hence I tried to do something like {% set gamertag = !secret xbox_gamertag %} but obviously (…) that’s not allowed.

I’ve now tried your simple solution:

  xbox_gamertag:
    value_template: !secret xbox_gamertag

and need the state (my gamertag) of that sensor appended to this:

{%- if states.sensor.{{states.sensor.xbox_gamertag.state}} %}
   {% if is_state("sensor.{{states.sensor.xbox_gamertag.state}}", "Online") %}
     {%- if is_state_attr("sensor.{{states.sensor.xbox_gamertag.state}}", "XboxOne Full" , "Netflix") %} mdi:netflix
        {% else %}mdi:xbox-controller
        {%- endif %}
      {% else %}mdi:xbox-controller-off
    {%- endif %}
  {%- endif %}

This doesn’t work though… complaining about:

Error rendering template: TemplateSyntaxError: expected name or number

Is there a way, or should we simply forget…

This is promising:

{#- {{ }} is not expanded inside a string literal, so the entity id is built by concatenation -#}
{% set gamertag = states.sensor.xbox_gamertag.state %}
{% set entity = "sensor." ~ gamertag %}
{%- if states(entity) != "unknown" %}
   {% if is_state(entity, "Online") %}
     {%- if is_state_attr(entity, "XboxOne Full" , "Netflix") %} mdi:netflix
        {% else %}mdi:xbox-controller
        {%- endif %}
      {% else %}mdi:message-bulleted-off
    {%- endif %}
  {%- endif %}

what one needs to do to keep secrets secret…

Anyways, cheers!
Marius

My first efforts above didn’t work, but this seems to be promising:

{#- {{ }} is not expanded inside a string literal, so the entity id is built by concatenation -#}
{% set gamertag = states.sensor.xbox_gamertag.state %}
{% set entity = "sensor." ~ gamertag %}
{%- if states(entity) != "unknown" %}
   {% if is_state(entity, "Online") %}
     {%- if is_state_attr(entity, "XboxOne Full" , "Netflix") %} mdi:netflix
        {% else %}mdi:xbox-controller
        {%- endif %}
      {% else %}mdi:message-bulleted-off
    {%- endif %}
  {%- endif %}

after first creating an intermediary template sensor:

  xbox_gamertag:
    value_template: !secret xbox_gamertag

thanks to @PhyberApex and his workaround in Make secrets available in templating engine

1 Like

Hello all,

I read through this thread and I believe it does the opposite of what I am trying to do. I want to be able to actually change the value of a secret in a secret file according to a template.

Basically, I use one alarm code to disarm my alarm. My locks have individual codes for each family member. I have templated out the locks to show which family member unlocked them. Now I am hoping to further template out the locks to pass the same code to the secrets file so it uses it to disarm the alarm. Is this possible?

Thanks in advance.

Best bet imho would be to include all of them in the secrets file and write the “current” one to use in a hidden text_input field and use the value of that to arm/disarm.

Does this help?

~Cheers

Thank you for your response. I am sure it should but I don’t have the knowledge of Home Assistant for it to. Any chance you could provide some sort of example?

Does this help?

input_text:
  alarmPin:
    name: alarmPin
    initial: nothing

script:
  armAlarm:
    sequence:
      # Your arming stuff here
      - service: input_text.set_value
        data:
          entity_id: input_text.alarmPin
          value: YOUR_PIN

  disarmAlarm:
    sequence:
      # Your disarm stuff here
      - service: YOUR_ALARM.DISARM
        data_template:
          entity_id: YOUR_ALARM
          # Quoted so YAML does not read {{ as the start of a flow mapping
          value: "{{ states.input_text.alarmPin.state }}"

~Cheers

Yes, thank you, but I think that leaves a place to input a number on the frontend. It did get my brain thinking though. Would something like this work:

# Configuration yaml

alarm_control_panel:
  platform: alarmdotcom
  username: !secret adc_user
  password: !secret adc_password
  code: {{ states.sensor.lock_door_code.state }}
 
sensor: 
  - platform: template
    sensors:
      lock_door_code:
        friendly_name: 'Door Alarm Code'
        value_template: >-
          {% if is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 1') %}
            !secret alarmuser1
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 2') %}
            !secret alarmuser2
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 3') %}
            !secret alarmuser3
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 4') %}
            !secret alarmuser4
          {% elif is_state('sensor.lock_b_door_status', 'Unlocked with Keypad by user 5') %}
            !secret alarmuser5
          {% if is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 1') %}
            !secret alarmuser1
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 2') %}
            !secret alarmuser2
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 3') %}
            !secret alarmuser3
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 4') %}
            !secret alarmuser4
          {% elif is_state('sensor.lock_f_door_status', 'Unlocked with Keypad by user 5') %}
            !secret alarmuser5
          {% if is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 1') %}
            !secret alarmuser1
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 2') %}
            !secret alarmuser2
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 3') %}
            !secret alarmuser3
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 4') %}
            !secret alarmuser4
          {% elif is_state('sensor.lock_g_door_status', 'Unlocked with Keypad by user 5') %}
            !secret alarmuser5
          {% else %}
            0000
          {% endif %}
		 
# secrets yaml

alarmuser1: 1234
alarmuser2: 1235
alarmuser3: 1236
alarmuser4: 1237
alarmuser5: 1238

I don’t think that would work as the code would only get read at the initialization of the alarm_control_panel component.

For the example I provided I forgot to mention this portion of home assistant you probably are not familiar with.

You can set entities hidden which you should be doing for my example like this:

customize:
    input_text.alarmPin:
      hidden: true

~Cheers

Yes, thank you. I think where I am getting confused though is your example looks like it uses a static PIN number. One that never changes. I need the PIN number to change depending on who unlocks the door. So if user1 unlocks the door with user1’s code, it uses user1’s code to disarm the alarm. If user2 unlocks the door, it uses user2’s code to disarm the alarm. Make sense? Am I missing something?

Thanks for your help.

Could you provide your current alarm config with disarm and arm scripts? That would make it a lot easier to explain.

~Cheers

Ok, I made some progress this weekend. I haven’t made it to scripts yet. I would love to use this as a spring board to learning them though. I do have a single sensor that accurately reports the code used at each door. I tried to include it entirely in the secrets yaml but didn’t get very far as I got all kinds of errors. I followed your example above for the configuration yaml but couldn’t figure out how to add it to the secrets file.

Would you do it like this:

sensor:
  - platform: template
    sensors:
      emby_player_uuid:
        value_template: !secret emby_player_uuid

secrets.yaml

emby_player_uuid: start sensor here

I also tried to use the sensor in an automation but that failed miserably.

Something similar to

data_template:
  entity_id: my_alarm_panel
  code: states.sensor.lock_door_code.state
service: my_alarm_panel.alarm_disarm

If you don’t have a script how do you arm your alarm? oO

Also you need to make sure your template gets interpreted by using the jinja2 notation.

data_template:
  entity_id: my_alarm_panel
  # Quoted so YAML passes the template through as a string
  code: "{{ states.sensor.lock_door_code.state }}"
service: my_alarm_panel.alarm_disarm

~Cheers

+1 I would like this also.

I am trying to set an automation with a required password from the UI.
So I wanted to do the following but it doesn’t work.

    condition:
        - condition: template
          value_template: "{{ states.input_text.action_password.state != !secret action_password }}"

One issue with this is that hidden text_input components still show up in the states panel. So password is revealed in plain text through the UI.

Maybe you could clear the password straight after using it? Would limit the time it is visible but I get your problem. One way around that if you are that worried would be to use a python or bash script. Call that with the shell_command component and write it to a text file. To use it use a python script to trigger whatever you want within home assistant using the input from that text file. Or go the AppDaemon route. That would probably be easier if you already have AppDaemon running.

~Cheers

I would love to see this, as putting the WHOLE template into the secrets file is messy and makes code reuse useless. It also hides the actual code function!

E.G.
What we want (Note, not working):

camera:
  - platform: generic
    still_image_url: >
     {% if is_state('binary_sensor.image_2_source_online', 'on') %}
       !secret image_url_2
     {% else %}
       https://localhost/local/blank_display.jpg
     {% endif %}

The only way to make it work!

camera:
  - platform: generic
    still_image_url: !secret image_url_1_template

secrets.yaml

image_url_1_template: '{% if is_state("binary_sensor.image_1_source_online", "on") %} http://xxx.xxx.xxx.xxx/picture/2/current/?_username=admin&_signature=clashhuhwhe8ufiohdiijjsi9sjmisji {% else %} https://localhost/local/blank_display.jpg {% endif %}'

I did not know you could do this. But still yeah…we are probably not getting secrets in the templating engine as it was up for debate already and decided against it.

~Cheers
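
A pre-share check for the two failure modes raised in this thread: a secret's value typed as a literal in config that ends up on Github, and a !secret tag placed inside a template or string, where it is never resolved. This is an added example, not code from any poster or from Home Assistant; the function names and sample files are constructed, and it assumes a flat "name: value" secrets.yaml.

```python
import re

# Constructed sample data (not from the thread): a secrets.yaml and a config file.
SAMPLE_SECRETS = """\
adc_user: someone@example.com
alarmuser1: 482913
image_url_2: http://camera.example/picture/2/current/?_signature=CONSTRUCTED
"""
SAMPLE_CONFIG = """\
camera:
  - platform: generic
    still_image_url: >
      {% if is_state('binary_sensor.image_2_source_online', 'on') %}
        !secret image_url_2
      {% else %}
        https://localhost/local/blank_display.jpg
      {% endif %}
alarm_control_panel:
  platform: alarmdotcom
  username: !secret adc_user
  code: 482913
"""

# The only place the YAML loader resolves the tag: as the whole value of a key.
VALID_USE = re.compile(r"^\s*(?:-\s+)?[\w.]+:\s*!secret\s+\w+\s*(?:#.*)?$")
SECRET_LINE = re.compile(r"^(\w+):\s*(.+?)\s*$")

def load_secrets(text):
    """Parse flat 'name: value' lines (the usual secrets.yaml layout) into a dict."""
    pairs = (SECRET_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip("'\"") for m in pairs if m}

def audit_config(config_text, secrets, min_len=4):
    """Return (line_no, kind, secret_name) findings for a config file's text."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        tag = re.search(r"!secret\s+(\w+)", line)
        # '!secret' inside a template or quoted string stays plain text.
        if tag and not line.lstrip().startswith("#") and not VALID_USE.match(line):
            findings.append((no, "unresolved-tag", tag.group(1)))
        # A secret typed as a literal leaks when the file is shared (comments too).
        for name, value in secrets.items():
            pattern = r"(?<!\w)" + re.escape(value) + r"(?!\w)"
            if len(value) >= min_len and re.search(pattern, line):
                findings.append((no, "literal-leak", name))
    return findings

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, load_secrets(SAMPLE_SECRETS)))
```

Values shorter than min_len are skipped because a short PIN would match unrelated numbers; lower it only if the extra hits are acceptable.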