mrlt8 / docker-wyze-bridge

WebRTC/RTSP/RTMP/LL-HLS bridge for Wyze cams in a docker container
GNU Affero General Public License v3.0

Using files for credential storage #1244

Closed cliaz closed 3 weeks ago

cliaz commented 3 weeks ago

Describe the bug

I am trying to use files to store credentials and other secret material. Due to environmental reasons (namely portainer's lack of being able to define a specific .env file), I am not using .env files. Instead, I am using docker secrets.

However, as I am not running docker swarm, I cannot use proper docker secrets. I am instead using this workaround, which is successful with Watchtower and other containers.

The following compose works for Watchtower to retrieve the gmail password from a folder on the local filesystem

secrets:
  mailer_account_gmail_password:
    file: /mnt/external-workdir/watchtower/secrets/mailer_account_gmail_password

services:  
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    network_mode: bridge
    restart: unless-stopped
    secrets:
      - mailer_account_gmail_password
    environment:
      <snip>
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: /run/secrets/mailer_account_gmail_password

However it does not work for wyze-bridge:

secrets:
  wyze_bridge_webapp_username:
    file: /mnt/external-workdir/wyzebridge/secrets/wyze_bridge_webapp_username
  wyze_bridge_webapp_password:
    file: /mnt/external-workdir/wyzebridge/secrets/wyze_bridge_webapp_password

services:
  wyze-bridge:
    image: mrlt8/wyze-bridge:latest
    container_name: wyze-bridge
    restart: unless-stopped
    ports:
      <snip>
    secrets:
      - wyze_bridge_webapp_username
      - wyze_bridge_webapp_password
    environment:
      <snip>
      #WB_USERNAME: admin      # this works
      #WB_PASSWORD: admin     # this works
      WB_USERNAME: /run/secrets/wyze_bridge_webapp_username      # this does not work
      WB_PASSWORD: /run/secrets/wyze_bridge_webapp_password      # this does not work
      WB_IP: rpi

The files have 777 perms (for testing), and when I jump into the container I am able to see them mounted and accessible in /run/secrets.

root@8def1e53c30f:/run/secrets# ls -la
total 28
drwxr-xr-x 2 root root 4096 Jun  4 05:08 .
drwxr-xr-x 1 root root 4096 Jun  4 05:08 ..
-rwxrwxrwx 1 1020 1020   22 Jun  2 12:07 wyze_account_email
-rwxrwxrwx 1 1020 1020   19 May 10 06:37 wyze_account_password


mrlt8 commented 3 weeks ago

I updated the edge build to be able to read from secrets. You should be able to set the following variables via secrets:

You should be able to use secrets with something like:

services:
  wyze-bridge:
    ...
    secrets:
      - WB_USERNAME
secrets:
  WB_USERNAME:
    file: /path/to/local/wbuser
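
As an added illustration of the lookup the maintainer describes (example code written for this thread, not docker-wyze-bridge's own implementation): a small resolver that takes the value from the environment, dereferences it when it points at a file inside the secrets mount (the pattern from the original report), and otherwise falls back to /run/secrets/<NAME>. The mount path, function names and the constructed demo() values are assumptions; the trailing-newline stripping covers the common case of a secret file created with echo.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Added example, not docker-wyze-bridge's own code. Assumed mount point
# for Compose/Swarm file secrets inside the container.
SECRETS_DIR = Path("/run/secrets")

def read_secret_file(path: Path) -> Optional[str]:
    """Return the file's contents, or None if it cannot be read."""
    try:
        # `echo value > file` leaves a trailing newline; strip it so the
        # stored password matches what the user actually typed.
        return path.read_text(encoding="utf-8").rstrip("\r\n")
    except OSError:
        return None

def resolve_setting(name: str, env: Optional[Dict[str, str]] = None,
                    secrets_dir: Path = SECRETS_DIR) -> Optional[str]:
    """Lookup order: env var pointing at a file under secrets_dir, then the
    env var's literal value, then secrets_dir/<name>."""
    env = dict(os.environ) if env is None else env
    value = env.get(name)
    if value:
        candidate = Path(value)
        # Only dereference paths inside the secrets dir, so a literal value
        # that merely looks like a path is never read from disk.
        try:
            candidate.resolve().relative_to(secrets_dir.resolve())
            content = read_secret_file(candidate)
        except ValueError:
            content = None
        return content if content is not None else value
    return read_secret_file(secrets_dir / name)

def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a temp dir stands in for /run/secrets."""
    with tempfile.TemporaryDirectory() as tmp:
        sdir = Path(tmp)
        (sdir / "WB_PASSWORD").write_text("s3cret\n")                  # secret named after the variable
        (sdir / "wyze_bridge_webapp_username").write_text("admin\n")   # secret referenced by path
        env = {"WB_USERNAME": str(sdir / "wyze_bridge_webapp_username"),  # the issue's original attempt
               "WB_IP": "rpi"}                                            # plain literal value
        return {n: resolve_setting(n, env, sdir)
                for n in ("WB_USERNAME", "WB_PASSWORD", "WB_IP", "API_KEY")}
```
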

cliaz commented 3 weeks ago

Amazing. I will be able to test in about 20 hours and will report back.

cliaz commented 3 weeks ago

Success. This also allows storing the Wyze creds in a file instead of configuring them in the Wyze-bridge WebUI.

Details

  1. Downloaded those 3 files from the specified commit
  2. Copied them to the running wyze-bridge container
  3. Saved modified container as a custom image
  4. Edited my compose file to run that.

The following works:

services:
  wyze-bridge:
    #image: mrlt8/wyze-bridge:latest
    image: wyze-bridge-secret-edits # local image with edits from commit #1244 99974be
    container_name: wyze-bridge
    restart: unless-stopped
    extra_hosts: *rpi
    ports:
      ...
    secrets:
      - WYZE_EMAIL
      - WYZE_PASSWORD
      - API_ID
      - API_KEY
      - WB_USERNAME
      - WB_PASSWORD
    environment:
      PUID: 1020
      PGID: 1020
      # - TOTP_KEY=/run/secrets/wyze_account_totp
      # [OPTIONAL] IP Address of the host to enable WebRTC e.g.,:
      WB_IP: rpi

secrets:
  WYZE_EMAIL:
    file: /mnt/...wyze_account_email
  WYZE_PASSWORD:
    file: /mnt/.../wyze_account_password
  WYZE_TOTP:
    file: /mnt/.../wyze_account_totp
  API_ID:
    file: /mnt/.../wyze_api_id
  API_KEY:
    file: /mnt/.../wyze_api_key
  WB_USERNAME:
    file: /mnt/...wyze_bridge_webapp_username
  WB_PASSWORD:
    file: /mnt/...wyze_bridge_webapp_password

Are you able to add the TOTP_KEY as well please?

mrlt8 commented 3 weeks ago

TOTP_KEY is deprecated as Wyze has retired the old auth endpoints, and 2FA is not required when using the API key/ID.

letrain02 commented 3 weeks ago

Possible to add secrets to the wiki? Sounds like a great option.