Victor Lyuboslavsky
In Fleet you can hide secrets, like API tokens or software license keys, in Fleet scripts and configuration profiles. Secrets are encrypted and stored securely in Fleet until they're delivered to the host. Secrets are hidden when the script or configuration profile is viewed in the Fleet UI or API.
Currently, hiding secrets is only available using Fleet's YAML (GitOps).
A secret can be used in a script or configuration profile by specifying a variable in the format $FLEET_SECRET_MYNAME or ${FLEET_SECRET_MYNAME}. When the script or profile is sent to the host, Fleet will replace the variable with the actual secret value. The prefix FLEET_SECRET_ is required to indicate that the variable is a secret, and Fleet reserves this prefix for secret variables.

For macOS and Linux scripts, if a variable doesn't have the $FLEET_SECRET_ prefix, it will be left as-is and treated as a local environment variable.
You must add each secret to your repository's secrets to use it in GitOps. For the GitHub GitOps flow, secrets must also be added to the env section of your workflow file, as shown below:
```yaml
env:
  ### Variables used by the gitops workflow ###
  FLEET_URL: ${{ secrets.FLEET_URL }}
  FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
  FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
  FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
  FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
  ### Secrets uploaded to Fleet for use in profiles and scripts ###
  FLEET_SECRET_CERT_PASSWORD: ${{ secrets.FLEET_SECRET_CERT_PASSWORD }}
  FLEET_SECRET_CERT_BASE64: ${{ secrets.FLEET_SECRET_CERT_BASE64 }}
```
Example configuration profile using the $FLEET_SECRET_CERT_PASSWORD and $FLEET_SECRET_CERT_BASE64 secrets:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key>
    <string>Certificate PKCS12</string>
    <key>PayloadIdentifier</key>
    <string>com.example.certificate</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>918ee83d-ebd5-4192-bcd4-8b4feb750e4b</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Password</key>
            <string>$FLEET_SECRET_CERT_PASSWORD</string>
            <key>PayloadContent</key>
            <data>$FLEET_SECRET_CERT_BASE64</data>
            <key>PayloadDisplayName</key>
            <string>Certificate PKCS12</string>
            <key>PayloadIdentifier</key>
            <string>com.example.certificate</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>25cdd076-f1e7-4932-aa30-1d4240534fb0</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
</dict>
</plist>
```
When GitOps syncs the configuration, it looks for secret variables in scripts and profiles, extracts the secret values from the environment, and uploads them to Fleet.
On subsequent GitOps syncs, if a secret variable used by a configuration profile has been updated, the profile will be resent to the host device(s).
Profiles with secret variables are not fully validated during a GitOps dry run, because the secret values may not yet be present or correct in the database at that point. This means a real (non-dry) GitOps run has a higher chance of failing when a profile uses a secret variable. Try uploading such a profile to a test team first.
The dollar sign ($) can be escaped so it's not considered a variable by using a backslash (e.g. \$100). Additionally, the MY${variable}HERE syntax can be used to put strings around the variable.
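The substitution rules above (the FLEET_SECRET_ prefix, the $NAME and ${NAME} forms, the \$ escape, and non-secret variables being left for the local shell) are small enough to model end to end. The following is an added illustration written for this article, not Fleet's own code: it scans a constructed sample script for secret variables, pulls their values from an environment mapping the way the GitOps sync step is described as doing, fails early if one is missing (the failure the dry-run caveat warns about), and renders the host-bound copy. The function names, the sample script and the sample values are all made up for this example.

```python
import re

SECRET_PREFIX = "FLEET_SECRET_"

# One pass over the text, in priority order:
#   \$              an escaped dollar sign (kept literal)
#   ${NAME}         braced variable, so MY${NAME}HERE works
#   $NAME           bare variable
_VAR_RE = re.compile(r"\\\$|\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample script; raw string so \$100 stays as written in a file.
SAMPLE_SCRIPT = r"""#!/bin/sh
LICENSE="$FLEET_SECRET_LICENSE_KEY"
echo "Price is \$100 for user $USER"
echo "token=MY${FLEET_SECRET_API_TOKEN}HERE"
"""

# Constructed stand-in for the CI environment (values are placeholders).
SAMPLE_ENV = {
    "FLEET_SECRET_LICENSE_KEY": "lic-123",
    "FLEET_SECRET_API_TOKEN": "tok-abc",
    "USER": "ci-runner",  # not a FLEET_SECRET_ variable, so never uploaded
}


def find_secret_variables(text):
    """Return the set of FLEET_SECRET_* names referenced in a script or profile.

    Escaped dollar signs are skipped, and variables without the reserved
    prefix are ignored because they belong to the local shell, not Fleet.
    """
    names = set()
    for m in _VAR_RE.finditer(text):
        if m.group(0) == "\\$":
            continue
        name = m.group(1) or m.group(2)
        if name.startswith(SECRET_PREFIX):
            names.add(name)
    return names


def collect_secrets(text, env):
    """Look up every referenced secret in the environment mapping.

    Raises KeyError listing the missing names rather than silently uploading
    a partial set; this is the check a dry run cannot fully perform.
    """
    names = find_secret_variables(text)
    missing = sorted(n for n in names if n not in env)
    if missing:
        raise KeyError(f"secret variables not set in environment: {missing}")
    return {n: env[n] for n in names}


def render_for_host(text, secrets):
    """Produce the copy the host receives: \$ becomes a literal $,
    FLEET_SECRET_ variables are replaced, everything else is left untouched."""
    def repl(m):
        if m.group(0) == "\\$":
            return "$"
        name = m.group(1) or m.group(2)
        if name.startswith(SECRET_PREFIX):
            return secrets[name]
        return m.group(0)  # ordinary shell variable, left for the host
    return _VAR_RE.sub(repl, text)


if __name__ == "__main__":
    found = collect_secrets(SAMPLE_SCRIPT, SAMPLE_ENV)
    print("would upload:", sorted(found))
    print(render_for_host(SAMPLE_SCRIPT, found))
```

Note that the stored and viewed form is the unrendered text (variable names only); only the host-bound output contains real values, which is why the rendering step is kept separate from the lookup.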