Point to !secret in Hassio?

I assume you’ve seen the documentation on secrets.yaml? If that isn’t working for you, could you explain the problem you’re having?

I think you’re asking if splitting the configuration.yaml and in particular the secrets.yaml works with Hass.io, and yes, it does. It’s no different than any other implementation of HomeAssistant. To test it myself, I made one reference to my secrets.yaml file from configuration, then used the Configuration, General, Check Config button to verify that I did it correctly before making additional references or restarting.

Hi

No, I didn’t make myself clear ;-)

I use the secrets.yaml.

What I meant to ask is if one can point to that from within the Hassio component details.
Just as one points to it from within the configuration.yaml

@Tinkerer : the secrets file feels like my old notepad file with passwords on my pc. Of course it is secured with several passwords before one can get there.
Still we all are convinced a tool like 1Password or the likes is useful for securing and encrypting the secrets nowadays.
And don’t rely on the initial password before entering the pc.

Especially since there are many system details in there that go beyond HA.

1 Like

I’m curious about this as well. I’m no security expert, but it seems like having a secrets.yaml file unsecured is not smart. My understanding is services like Keyring and AWS are not usable for Hassio. I’d be interested in seeing how you guys are securing your secrets.yaml within Hassio.

You can use a secret in any of your YAML, whether the main one, or one you include.

The problem with a 1Password like approach, or Keychain, is that you either need to unlock it first (so if HA restarts, you’d need to unlock it before the restart could complete, and HA would work) or it would need to have no password to unlock it (which makes it pointless).

The answer is to ensure that you keep your HA system secure. Use strong passwords; if using SSH use a key, not a password; don’t use Samba if you don’t need it; etc.

1 Like

I may not be following you… when you say “Hassio component details.” what are you referring to? To my knowledge component details are not different just because you’re using Hassio. So for instance, when I configured my ecobee in my configuration.yaml I did this:

ecobee:
  api_key: !secret ecobee_api_key

with the corresponding entry in my secrets.yaml file.

@shred: I’ve secured access to my Pi in general:



I hadn’t heard there were issues using keyring or AWS with Hassio, but I haven’t tried those yet. Can you point to where those issues are discussed?

It’s not that there’s any issues with using Keyring or AWS, but my understanding is that they are services that you have to install on your host OS running HA. If you’re running Hassio, you can’t SSH in and install stuff like you would on a Hassbian or other setup (you don’t have actual root access with Hass.io). The only way it would work is if someone made an add-on for Hassio.

Thx . Duly noted.

I’ll start looking into key-securing SSH. Definitely need SSH now to edit my config files and build the HA environment.

Cheers
Marius

There is an SSH Hassio component, and I’m using it just fine!

I meant to ask if something like this would be allowed:
Check username and password.
Pointing to the secret file from within the Hassio settings :slight_smile:

Yes, there is an SSH add-on for Hassio but your privileges when you SSH into Hassio are not the same as if you were using SSH on Linux, Ubuntu, etc. On Hassio, you will not be able to use SSH like you would on a “typical” OS such as Linux. In other words, you’re running as a very limited user. Hassio is HomeAssistant running in a docker on the resinOS with limited user privileges.

Ah, that’s a question I have as well, as those seem exposed, at least in the web interface (not sure where they’re stored in Hass.io). I think the answer to that is “no”.

By the way, I would refer to the Mosquitto Options configuration you showed as an “Add-On” (a Hass.io Add-On) not “Component”. Mixing those two things is what caused my confusion on what you were referring to.

Here are the Components:

Here are the Hass.io Add-Ons:

1 Like

you’re right, stand corrected :wink:

@shred
sure, i know. only able to ssh as [email protected].
frustrated by that already, and saved too several times :wink:

Technically, it is possible. This thread I found links to a developer SSH ability, and explains why it’s not supported.

–fyi

fyi:
I’ve tested to be positive about this:
no !secret-pointing to secrets.yaml file is possible in the Hassio add-ons. I’ve tested with the SSH, duckdns and mqtt add-ons and they all fail doing so.

Too bad really. Could be a feature request :wink:

Cheerio,
Marius

1 Like

I agree. I went ahead and posted a feature request.

2 Likes

I’ve got a couple of Python scripts that sort of let me do this.

The first downloads Hassio addon config as YAML, the second puts them back but replaces anywhere you’ve put !secret with the secret from secrets.yaml.

Works well enough for me, although there’s definitely room for improvement! Adding true support for the secrets.yaml into Hassio would make it much easier for me to put my Hassio config in Git.

https://github.com/danrspencer/hass-config/tree/master/hassio

1 Like
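
The substitution step described in the post above, as an added example (not the linked repository's code and not part of the original thread). It assumes a flat secrets.yaml of `name: value` lines and add-on options where each `!secret name` reference ends its line; the function names and sample data are hypothetical.

```python
import json
import re

# Constructed sample data: neither text comes from the thread.
SECRETS_YAML = """\
mqtt_user: homeassistant
mqtt_password: "s3cr3t: with colon"
duckdns_token: 00000000-aaaa-bbbb-cccc-000000000000
"""
ADDON_OPTIONS = """\
logins:
  - username: !secret mqtt_user
    password: !secret mqtt_password
anonymous: false
token: !secret duckdns_token
"""
SECRET_REF = re.compile(r"!secret\s+([A-Za-z0-9_]+)\s*$")

def load_flat_secrets(text):
    """Parse flat `name: value` lines (assumed: no nesting, no multi-line values)."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            raise ValueError(f"not a 'name: value' line: {name!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        secrets[name.strip()] = value
    return secrets

def resolve_secret_refs(options_text, secrets):
    """Replace every `!secret name`; emit nothing if any reference is undefined."""
    lines = options_text.splitlines()
    refs = [SECRET_REF.search(line) for line in lines]
    missing = sorted({m.group(1) for m in refs if m and m.group(1) not in secrets})
    if missing:
        # Report names only, never values, so the error is safe to log.
        raise KeyError("undefined secrets: " + ", ".join(missing))
    out = []
    for line, m in zip(lines, refs):
        if m:
            # A JSON string literal is also a valid YAML double-quoted scalar.
            line = line[:m.start()] + json.dumps(secrets[m.group(1)])
        out.append(line)
    return "\n".join(out) + "\n"
```

The resolved text holds the secrets in plaintext, so only the `!secret` form belongs in a Git repository; the resolved form and secrets.yaml itself stay out of it.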

I wonder if there has been an update to this, I read in Node-Red documentation, this can be done.
using !secret in addon configuration

it can NOW but 2 years ago it couldn’t. That’s the problem with necro threads.