How to use os secret store?

I am trying to use the secrets store plugin to encrypt plaintext passwords and I am failing to do so.
I can set the password in the store and check that it is present there, but when I test the configuration (with the --test flag) I get a TOML parsing error.
This is the line I am trying to put into the configuration:

    auth_password = @{local_secrets:mysnmpuser}

I also tried this without success:

    auth_password = @local_secrets:mysnmpuser

My main configuration file has the secret store configured properly in this way:

    [[secretstores.os]]
    id = "local_secrets"

Test shows that secrets are loaded properly during startup phase.

Please help me create proper configuration string to fetch password from os secret store.

Hi,

Take a look at the configuration docs, which show:

    password = "@{local_secrets:cloud_store_passwd}"

You need to set the value to a string.

Thanks for the tip, now it works properly :smiley:

I am doing some more tests, and what seems to have worked back then isn’t now.
Can you check what I am doing wrong, @jpowers?

I am trying to use store in the way you describe it, and yet I am getting SNMP errors now:
“wrong digest (auth_protocol, auth_password)”

My configuration looks like this:

    ## SNMP community string.
    # SNMPv3 auth parameters
    sec_name = "mysnmp"
    auth_protocol = "SHA"      # Values: "MD5", "SHA", ""
    auth_password = "@{local_secrets:mysnmp}"
    sec_level = "authPriv"     # Values: "noAuthNoPriv", "authNoPriv", "authPriv"
    context_name = "ctxname_vsid7"
    priv_protocol = "AES"         # Values: "DES", "AES", ""
    priv_password = "@{local_secrets:mysnmp_priv}"

When I try to list secrets from command line it all succeeds:

    # telegraf secrets list
    2023/02/13 10:55:26 I! Using config file: /etc/telegraf/telegraf.conf
    2023/02/13 10:55:26 I! Using config file: /etc/telegraf/telegraf.conf
    Known secrets for store "local_secrets":
        mysnmp
        mysnmp_priv
        mysnmp_protocol

When I put plaintext passwords then it all works.

The interesting thing is that when I try to use the priv protocol variable from the secrets store, it also fails, but with a different error:

    priv_protocol = "@{local_secrets:mysnmp_protocol}"
    2023-02-13T10:25:38Z E! [inputs.snmp::/etc/telegraf/telegraf.d/checkpoint.conf] Error in plugin: agent 10.1.1.1: invalid privProtocol

It is as if it didn’t load secrets properly.

I tested it on 1.25.0 and 1.25.1 Telegraf versions

I am getting SNMP errors

I do not believe snmp has support for secret stores yet, only snmp_trap.
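
A small lint for the two configuration mistakes that can be checked statically from this thread (an unquoted `@{store:key}` reference, and a reference to a store id that no `[[secretstores.*]]` table declares), added here as an example and not part of the original posts or of Telegraf itself. The function name `lint_secret_refs` and the sample config are constructed for illustration; the check cannot tell whether a given plugin option resolves secrets at all, which still has to be confirmed in that plugin's documentation.

```python
import re

# Constructed sample config, modelled on the snippets in this thread.
SAMPLE = '''\
[[secretstores.os]]
  id = "local_secrets"

[[inputs.snmp]]
  auth_password = @{local_secrets:mysnmp}
  priv_password = "@{local_secrets:mysnmp_priv}"
  priv_protocol = "@{other_store:mysnmp_protocol}"
'''

REF = re.compile(r'@\{([^:}]+):([^}]+)\}')       # @{store_id:key}
SECTION = re.compile(r'^\s*\[\[?([^\]]+)\]\]?')  # [table] or [[array.of.tables]]
STORE_ID = re.compile(r'^\s*id\s*=\s*"([^"]+)"')


def lint_secret_refs(text):
    """Return (line_no, section, option, problem) for each suspect secret reference."""
    lines = text.splitlines()
    # Pass 1: collect the ids declared under [[secretstores.*]] tables.
    stores, section = set(), ""
    for line in lines:
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
        elif section.startswith("secretstores."):
            m = STORE_ID.match(line)
            if m:
                stores.add(m.group(1))
    # Pass 2: every reference must be a quoted string naming a declared store.
    findings, section = [], ""
    for no, line in enumerate(lines, 1):
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        code = line.split("#", 1)[0]  # naive comment strip, enough for reference lines
        if "=" not in code:
            continue
        option, value = (p.strip() for p in code.split("=", 1))
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        for ref in REF.finditer(value):
            if not quoted:
                findings.append((no, section, option, "unquoted"))
            elif ref.group(1) not in stores:
                findings.append((no, section, option, "unknown store"))
    return findings
```
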