configuration.yaml file is a plain-text file, thus it is readable by anyone who has access to the file. The file contains passwords and API tokens which need to be redacted if you want to share your configuration. By using
!secret you can remove any private information from your configuration files. This separation can also help you to keep easier track of your passwords and API keys, as they are all stored at one place and no longer spread across the
configuration.yaml file or even multiple YAML files if you split up your configuration.
The entries for password and API keys in the
configuration.yaml file usually looks like the example below.
homeassistant: auth_providers: - type: legacy_api_password api_password: YOUR_PASSWORD
Those entries need to be replaced with
!secret and an identifier.
homeassistant: auth_providers: - type: legacy_api_password api_password: !secret http_password
secrets.yaml file contains the corresponding password assigned to the identifier.
When you start splitting your configuration into multiple files, you might end up with configuration in sub folders. Secrets will be resolved in this order:
secrets.yamllocated in the same folder as the YAML file referencing the secret,
- next, parent folders will be searched for a
secrets.yamlfile with the secret, stopping at the folder with the main
keyringwill be queried for the secret (more info below).
To see where secrets are being loaded from, you can either add an option to your
secrets.yaml file or use the
Option 1: Print where secrets are retrieved from to the Home Assistant log by adding the following to
This will not print the actual secret’s value to the log.
Option 2: To view where secrets are retrieved from and the contents of all
secrets.yaml files used, you can use the
check_config script from the command line:
$ hass --script check_config --secrets
This will print all your secrets.