[systemd-devel] How to get Credential into Environment variable?

chandler scar at riseup.net
Tue Sep 26 11:39:56 UTC 2023


Hi all,

    I'm not quite grasping something here... I've just learned about
`systemd-creds` and now trying to utilize it with a service which
depends on a secret stored in an environment variable (or passed as a
CLI option).

Normally I could use a line like:

`Environment=SEC=1234`

Now I've:

1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
--name=secret --pretty - -`
2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
[Service] section
3) Failing with `Environment=SEC=%d/secret`

Now `SEC=/run/credentials/myService.service/secret` but I need the value
from the file, which I verified with a simple `ExecStart=checkEnv.sh`
which runs `cat ${SEC}` which prints `1234`.

Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
and ran:

`systemd-creds encrypt --name=secret --pretty /tmp/sec -`

but the results are the same.

How to get `SEC=1234` basically?  I have to use `ExecStartPre=` and run
a pre-script that defines `SEC` with shell code?  Something like
`SEC=$(cat %d/secret)` is all that's needed right?  Or it needs to be
exported too at this point?  Doesn't that defeat the purpose of
`systemd-creds` now?  Maybe I can just put that in the `ExecStart=` line
instead... will keep trying in the meantime

Thanks
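
The wrapper approach the post considers for `ExecStart=`, as an added example that is not part of the original post or of systemd itself: a POSIX shell script that reads the credential from `$CREDENTIALS_DIRECTORY` (the directory `%d` expands to) and replaces itself with the service, with the variable set only in that process's environment. The script path, the service binary and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed as /usr/local/bin/cred-env.sh and used as:
#   SetCredentialEncrypted=secret: ...
#   ExecStart=/usr/local/bin/cred-env.sh SEC secret /usr/bin/myservice

# cred_value NAME: print the contents of credential NAME, or fail.
cred_value() {
    name=$1
    # systemd exports $CREDENTIALS_DIRECTORY to services that have credentials;
    # it is the directory that %d expands to in the unit file.
    [ -n "${CREDENTIALS_DIRECTORY:-}" ] || { echo "CREDENTIALS_DIRECTORY is not set" >&2; return 1; }
    # Accept a plain file name only, never a path.
    case $name in
        ''|.*|*/*) echo "bad credential name: $name" >&2; return 1 ;;
    esac
    file=$CREDENTIALS_DIRECTORY/$name
    [ -f "$file" ] && [ -r "$file" ] || { echo "credential not available: $name" >&2; return 1; }
    cat "$file"
}

# with_cred_env VAR NAME CMD [ARGS...]: replace this shell with CMD, with VAR
# set to the credential's value.
with_cred_env() {
    var=$1 name=$2
    shift 2
    # $(...) drops trailing newlines, such as the one `echo 1234 > /tmp/sec` adds.
    value=$(cred_value "$name") || return 1
    # VAR exists only in CMD's environment (and its children's), not in the
    # unit file; exec keeps CMD as the service's main process.
    exec env "$var=$value" "$@"
}

# Run as a wrapper only when called with VAR NAME CMD; otherwise define functions.
if [ "$#" -ge 3 ]; then
    with_cred_env "$@" || exit 1
fi
```

A variable set in `ExecStartPre=` would not reach `ExecStart=`, because each line is started as its own process; that is why the read and the `exec` happen in the same wrapper.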


