Secrets support for configuration files #2312
Conversation
|
+1 I started working on something extremely similar, but looks like you beat me to the punch. :) |
|
@Khabi I was a bit paranoid with my icloud password. Ideally it should be a app-specific password, but I'll probably have to look into pyicloud to see why that didn't work for me. If you can help test this branch it would be great. You can add keyring password by executing |
|
|
||
| if SECRET_DICT and secret_name in SECRET_DICT: | ||
| HISTORY[secret_name] = SSource.yaml | ||
| _LOGGER.debug('from secrets.yaml: %s = "%s"', secret_name, |
There was a problem hiding this comment.
Let's not print secrets to the debug log
There was a problem hiding this comment.
Ok if we only print where it was resolved from? secret.yaml / keyring
|
@balloob is it possible to get the I currently check which keys in the secrets file was not used, but can only do that after home assistant started. Without |
|
I removed reporting on unused secrets for now. |
|
Nice! I think that this is a great improvement and keeps the change manageable. 🐬 ㊙️ 🔒 🔑 🍻 ⚽ |
|
Just realized this PR brought us to a 1000 tests total!
|
|
We still need some documentation for this. |
|
I'm not really able to get the keyring to work at first glance. $ keyring-3.4 set homeassistant http_password
Password for 'http_password' in 'homeassistant': 12345and http:
api_password: !secret http_passwordgives me: 16-07-01 12:27:20 ERROR (MainThread) [homeassistant.util.yaml] Secret http_password not defined.The password is available in the keyring. $ keyring-3.4 get homeassistant http_password
12345 |
| _LOGGER.debug('Secret %s retrieved from keyring.', node.value) | ||
| return pwd | ||
|
|
||
| _LOGGER.error('Secret %s not defined.', node.value) |
There was a problem hiding this comment.
I think that here it would be helpful if message provide some more details because the issue can be at various places (no secrets.yaml file, no keyring, no access to the keyring, or no entry).
There was a problem hiding this comment.
If you add logger: debug to secrets.yaml, debug messages will get printed
|
It seems that the commandline tool works different. >>> import keyring
>>> keyring.get_keyring()
<EncryptedKeyring at /home/fab/.local/share/python_keyring/crypted_pass.cfg>
>>> keyring.set_password("homeassistant", "http_password", "12345")
Please set a password for your new keyring:
Please confirm the password:
>>> keyring.get_password("homeassistant", "http_password")
'12345'Now it works... HA start after the password for the keyring is provided. @kellerza do you have a different experience with the command-line tool? |
|
@fabaff guess you must be using the same user, same venv etc to get the same keyring file. Its a pity the Mine works without any issues, just tested with a new secret. Do you get prompted to enter your keyring password when you start hass? |
|
Good idea, and a validate config script please ;-) |
Description:
Rework of #2262, now based on yaml.py
Option to split secrets from configuration files. Secrets can be stored in (one or both):
secrets.yaml(in same folder as configuration.yaml)Related issue (if applicable): fixes #
Pull request in home-assistant.io with documentation (if applicable): home-assistant/home-assistant.io#
Example entry for
configuration.yaml(if applicable):this secret can be store in
secrets.yamlor in keyring
Checklist:
If user exposed functionality or configuration variables are added/changed:
If the code does not interact with devices:
toxrun successfully. Your PR cannot be merged unless tests pass