Using secrets.yaml with shell commands?

I am using HarmonyHubControl for a bunch of things. It works great but it needs my Harmony login credentials in every command line. I would like to store that information in secrets.yaml instead, but I don’t know if it’s possible to concatenate together a command line with those variables.

How would I do this? Can I even? (This is happening both in the shell_command block and in switches.)

Thanks for any help!

2 Likes

It can definitely be done. Try it out and it should work.

Okay, but how? Just replace the username in the string with !secret username? I can’t see that working with what is clearly a string.

I don’t think it can be done, if it’s anything like using !env_var.

Similar situation. Can we pass these on as command arguments for scripts? Something like:

key_name: '/path/script.py' "{!secret username}" "{!secret password}" "{{arg1}}"

I could probably set it in the data_template of the script, but then we’d still have username/password peppered everywhere (but at least it would be centrally managed)

Hey guys,

I know this is an old post, but I found myself in a similar situation, so I wanted to share my approach.

shyaml will do the trick, so first, make sure shyaml is installed:

pip install shyaml

Now, we will create a foo script to perform a query to the secrets.yaml and implement calls in a legible way:

echo -e '#!/bin/bash\n cat ~/.homeassistant/secrets.yaml | shyaml get-value $1;' > /usr/local/bin/hass_secret && chmod +x /usr/local/bin/hass_secret

We are trying to get an IP address out of our script. This is the original config:

- platform: command_line
  name: Schrodinger CPU Temperature
  command: "ssh [email protected] 'cat /sys/class/thermal/thermal_zone0/temp'"
  unit_of_measurement: "°C"
  value_template: '{{ value | multiply(0.001) }}'

Now we use our little bash script

command: "ssh osmc@$(hass_secret schrodinger_host) 'cat /sys/class/thermal/thermal_zone0/temp'"

Hope it helps

2 Likes

A workaround is to put a whole string in the secret.
Edit: You can even put a whole template in a secret.

There is a feature request for this, please vote if you want this.

2 Likes

Agree,

There is also some risk in getting your secret in places like logs.

Please note that I’m using secrets here as a “config file” for storing non-secret vars (local IP address). The aim is to get some reusability… Otherwise, placing the whole string seems wiser :slight_smile:

I found myself a workaround for this as well, I took this approach:

Created a template sensor, containing the password:

sensor:
  - platform: template
    sensors:
      password:
        value_template: !secret password

This reads the password into the template sensor (best would probably be to also hide it in the frontend)

Next step, read the sensor’s state into the shell_command:

shell_command:
  execute_with_password: bash my_command.sh {{ states.sensor.password.state }}

This example assumes the my_command script takes the password as its primary input.
This way, I can reuse the template sensor containing my password everywhere I need it (until using secrets directly in the shell_command itself is supported), without actually hardcoding it everywhere.

4 Likes

Wow, that’s really very clever. :slight_smile:

Minor issue I just found out myself: it seems my template sensors aren’t ready yet when some of my other shell_commands are, so this can result in errors…

Exposing (some of) your secrets in a sensor can be a security risk. Anyone would be able to read the given secret when it’s exposed as a sensor to the front-end. I too found myself in need of exposing some of my secrets (IP addresses, MAC, etc.) to a shell command. I just do it by passing variables to the shell command like this:

shell_command:
  hibernate_pc: curl -X GET 'http://{{ pc }}:7760/hibernate'

The shell command can be called and the variable holder {{ pc }} will be exchanged with the value of some secret when it’s executed. Like this:

service: shell_command.hibernate_pc
data:
  pc: !secret nick_pc_ip

I use this generic shell command to turn off multiple PCs, but I also have other shell commands that are a bit more complex.

Hope this helps someone!

Cheers

14 Likes

I do know exposing my secrets in sensors is a security risk, but right now I’m still living at home, integrated barely anything, basically just taking HA for a test drive. I have hidden the secrets sensors though, so unless people take a look at the development section which lists all the sensors, it’s a bit less of a security risk I guess.

Your method actually looks like a good way to do this, I will have to take a look if it can be applied in all my cases, if so, that would be awesome, thanks for the tip already :slight_smile:

I liked your approach. But instead of using shyaml I’m using cat, grep, and sed, so it’s faster. This is my hass_secret script:

#!/bin/bash

if [[ $# -eq 0 ]] ; then
    echo 'Usage: hass_secret secret_key'
    exit 0
fi

# Match the exact key at the start of a line (the key is quoted so the shell
# does not word-split it); -P uses a lookbehind to keep only the text after the colon.
grep "^$1:" /home/homeassistant/.homeassistant/secrets.yaml | grep -oP '(?<=:).*' | sed 's/ //g'

2 Likes

Bit of a necropost, still useful for anyone like me finding this while searching for a similar solution using HA OS.

In homeassistant OS, -P is not available in grep.

I’ve come up with the following alternative:

#!/bin/bash

if [[ $# -eq 0 ]] ; then
    echo 'Usage: hass_secret secret_key'
    exit 0
fi

# No PCRE needed: drop everything up to and including the first ": ", then strip spaces.
grep "^$1:" /config/secrets.yaml | sed 's/^[^:]*: //' | sed 's/ //g'

Hi! Thank you for sharing. This is the version I’m using with HASS OS:

#!/bin/bash

if [[ $# -eq 0 ]] ; then
    echo 'Usage: hass_secret secret_key'
    exit 0
fi

# Keep the text from the first colon onwards, then remove only that leading colon,
# so values that themselves contain colons (MAC addresses, URLs) stay intact.
cat /config/secrets.yaml | grep "^$1:" | sed 's/ //g' | grep -Eo ':.*' | sed 's/^://'
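As an added example (not code from any of the posts above), here is one hass_secret lookup that covers the cases the grep/sed variants in this thread trip over: it matches the exact key only, strips surrounding quotes and trailing comments, and keeps colons inside the value. It assumes a flat secrets.yaml of "key: value" lines and defaults to the HA OS path /config/secrets.yaml; the sample file it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. A hass_secret lookup
# that avoids the grep/sed pitfalls above: exact key match (so "pc" never
# returns "pc_ip"), quotes and trailing comments stripped, and colons inside
# the value (MAC addresses, URLs) preserved. Assumes a flat secrets.yaml of
# "key: value" lines; the default path /config/secrets.yaml is the HA OS one.
# The value still ends up on a process command line (visible in ps and logs),
# so prefer this for non-secret config such as hosts and MACs over passwords.

hass_secret() {
    key="$1"
    file="${2:-/config/secrets.yaml}"
    [ -n "$key" ] || { echo 'Usage: hass_secret secret_key [secrets.yaml]' >&2; return 2; }
    [ -r "$file" ] || { echo "hass_secret: cannot read $file" >&2; return 1; }
    awk -v k="$key" -v sq="'" '
        index($0, k ":") == 1 {                 # line starts with key:
            v = substr($0, length(k) + 2)       # everything after the colon
            gsub(/^[ \t]+|[ \t]+$/, "", v)      # trim
            q = substr(v, 1, 1)
            if (q == "\"" || q == sq) {         # quoted: take up to closing quote
                e = index(substr(v, 2), q)
                if (e > 0) v = substr(v, 2, e - 1)
            } else {                            # unquoted: drop a trailing comment
                sub(/[ \t]+#.*$/, "", v)
            }
            print v; found = 1; exit
        }
        END { exit (found ? 0 : 3) }            # 3 = key not found
    ' "$file"
}

# Constructed sample secrets file so the function can be exercised offline.
SECRETS_FILE=$(mktemp)
cat > "$SECRETS_FILE" <<'EOF'
# constructed sample secrets.yaml
schrodinger_host: 192.168.1.50
nick_pc_ip: "10.0.0.7"   # quoted value with a trailing comment
pc_mac: 'aa:bb:cc:dd:ee:ff'
pc: plain
password: p@ss word
EOF

hass_secret nick_pc_ip "$SECRETS_FILE"   # -> 10.0.0.7
hass_secret pc_mac "$SECRETS_FILE"       # -> aa:bb:cc:dd:ee:ff
```

Drop the sample-file section and install the function as /usr/local/bin/hass_secret (or /config/hass_secret on HA OS) to use it exactly like the scripts above: command: "ssh osmc@$(hass_secret schrodinger_host) '...'".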

!secret is not working for me.
As you can see in my screenshot also the syntax is recognized as invalid.
How did you get it work?
Thanks

I’m going to guess you can’t use that syntax in the UI, only inside yaml files.

I’ll give it a try and create an automation directly in YAML instead of going through the UI and see what happens.
Thanks

You were right, thanks for the hint!
When the automation YAML file (for example) is loaded into Home Assistant, the !secrets get replaced with the actual values.

2 Likes