kestra-io / plugin-fs

https://kestra.io/plugins/plugin-fs/
Apache License 2.0

Secret not work as password in io.kestra.plugin.fs.ssh.Command #156

Closed pomazanbohdan closed 2 weeks ago

pomazanbohdan commented 1 month ago

Describe the issue

If you write the password without a secret, the flow works; if you write it with a secret, it doesn't.

```yaml
id: com.fprofitable-erp.chocolate-pull
namespace: evo.lab
description: ""

tasks:
  - id: command
    type: io.kestra.plugin.fs.ssh.Command
    authMethod: PASSWORD
    commands:
      - cd odoo/odoo_com_profi_chocolate/odoo_addons_17_nonfree/
      - git pull
    host: 204.12.YYY.XXX
    password: "{{ secret('SERVER_A') }}"
    username: administrator
disabled: false
```

.env_encoded: SECRET_SERVER_A=eHUqU2Qh#$hTOHpoDQ==

Environment

Ben8t commented 1 month ago

@pomazanbohdan can you provide the error you have when using `{{ secret() }}`, please?

Ben8t commented 1 month ago

@smunteankestra can you try to reproduce, please 🙏?

smunteankestra commented 1 month ago

I've set up this flow and added the secret via the UI in the Namespace, and it works (checked on Kestra latest, 0.19.3). @pomazanbohdan can you provide what error it returned and how you've set up the secret?

```yaml
id: com.fprofitable-erp.local-ssh-connection
namespace: evo.lab
description: "Connect to a local machine via SSH and execute commands."

tasks:

disabled: false
```

pomazanbohdan commented 1 month ago

I added the secret to the KV store, but the thread also failed with a connection creds error.

And I would like to use .env_encoded secrets, so I can hide them from users.

smunteankestra commented 1 month ago

@pomazanbohdan You mean you added the "secret" value to the KV store? - tested KV and it also works fine (not a good approach to store a password in a KV store - better use the secrets)

About `.env_encoded`: I also get an error `io.pebbletemplates.pebble.error.PebbleException: Cannot find secret for key 'SECRET_PWD'. ({{ secret('SECRET_PWD') }}:1)`

but when I check the `.env_encoded` via terminal:

```
docker exec -it a1858395d567a8694237ffa28cbeb0c5912f49e5bc42f4fdc882550107428003 cat /data/.env_encoded
```

It returns:

```
SECRET_PWD=UGFzc3dvcmQ=
SECRET_GITHUB_ACCESS_TOKEN=bXlwYXQ=
SECRET_AWS_ACCESS_KEY_ID=bXlhd3NhY2Nlc3NrZXk=
SECRET_AWS_SECRET_ACCESS_KEY=bXlhd3NzZWNyZXRhY2Nlc3NrZXk=
```


@Ben8t might be some issue here?

pomazanbohdan commented 1 month ago

I've setup this flow: and added the secret via UI in the Namespace

Can you take a screenshot of this item? I can't find anything other than KV storage.

smunteankestra commented 1 month ago

@pomazanbohdan Kestra Secrets (on UI) are present only in EE edition

pomazanbohdan commented 1 month ago

I use only CE 😁

Ben8t commented 1 month ago

@pomazanbohdan How did you install Kestra? With docker-compose? How do you pass the `.env_encoded` to the Kestra container?

Within docker-compose.yml it's usually like this (see env_file key):

```yaml
kestra:
    image: kestra/kestra:v0.19.3
    ...
    volumes:
      - kestra-data:/app/storage
      - /var/run/docker.sock:/var/run/docker.sock
      - /tmp/kestra-wd:/tmp/kestra-wd
    env_file:
      - .env
    environment:
      KESTRA_CONFIGURATION: |
        ...
```

pomazanbohdan commented 1 month ago

.env_encoded

👆 In docker-compose .env file i use as "master" password storage and don't use in docker-compose file

Ben8t commented 1 month ago

.env file i use as "master" password storage and don't use in docker-compose file

Can you detail a bit more, please? How do you pass the `.env_encoded` to the Kestra container then?

Also can you share the error displayed in Kestra, please?

pomazanbohdan commented 1 month ago

docker-compose.yml

```yaml
    env_file:
      - .env_encoded
```

.env_encoded

```
SECRET_USER=YWRtaW5pc3RyYXRvcg0=
```

error log

```
Auth fail for methods 'publickey,password'
```

Ben8t commented 1 month ago

I'm not able to reproduce on my side with a fresh new instance accessible with SSH with user/password set:

```yaml
id: test_ssh
namespace: company.team
tasks:
  - id: ssh
    type: io.kestra.plugin.fs.ssh.Command
    host: ec2-16-171-255-19.eu-north-1.compute.amazonaws.com
    username: ec2-user
    password: "{{ secret('SSH_PASSWORD') }}"
    commands:
      - ls -altr
```

This runs fine (secrets set in .env with docker-compose installation, Kestra open source 0.19.3). Can you provide more details about your instance, connection details, etc., please? Are you able to connect to your instance with user and password?

anna-geller commented 2 weeks ago

closing given Ben couldn't reproduce

if you still encounter this issue, please share more details, perhaps a couple of screenshots using test secret (redact any sensitive data)
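
Added example (not part of the thread and not Kestra's code): a check for a `.env_encoded` file that decodes each base64 value and reports stray whitespace bytes without printing the secret itself. Run on the `SECRET_USER` line posted above, it reports a trailing carriage return (`0d`) after `administrator`; the function name `audit_env_encoded` and the `SECRET_BROKEN` line are constructed for illustration.

```python
import base64
import binascii

def audit_env_encoded(text):
    """Map each KEY in a .env_encoded file to a list of problems.

    Decoded secret values are never returned or printed, only the
    offending whitespace bytes (as hex).
    """
    findings = {}
    for raw in text.split("\n"):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        problems = findings.setdefault(key.strip(), [])
        if raw.endswith("\r"):
            problems.append("file line ends with CR (CRLF line endings)")
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append("value is not valid base64")
            continue
        # bytes.strip() removes ASCII whitespace: space, \t, \n, \r, \x0b, \x0c
        lead = decoded[: len(decoded) - len(decoded.lstrip())]
        trail = decoded[len(decoded.rstrip()):]
        if lead:
            problems.append("decoded value starts with whitespace bytes " + lead.hex())
        if trail:
            problems.append("decoded value ends with whitespace bytes " + trail.hex())
    return findings

# SECRET_PWD and SECRET_USER are the values posted in the thread;
# SECRET_BROKEN is constructed to show the invalid-base64 case.
SAMPLE = (
    "SECRET_PWD=UGFzc3dvcmQ=\n"
    "SECRET_USER=YWRtaW5pc3RyYXRvcg0=\n"
    "SECRET_BROKEN=abc#$def\n"
)

if __name__ == "__main__":
    for key, problems in audit_env_encoded(SAMPLE).items():
        print(key, "->", "; ".join(problems) or "ok")
```

A trailing `0d` in a decoded value typically comes from encoding a value read from a file with Windows (CRLF) line endings.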