Accessing Secret values in scripts

[bluecmd]

Hello,

I am trying to figure out how the Secrets functionality is meant to be used in Netbox.
One possible use might be to keep API keys for scripts for devices they might run against - but I cannot seem to make that work.

I get as far as being able to get the Secret instance, but unsurprisingly the .plaintext property is None.
E.g.:

apirole = SecretRole.objects.get(name='api')
apisecret = Secret.objects.get(role=apirole, assigned_object_id=switch.id)
self.log_success(f'Dumping secret data: {apisecret.plaintext}')

If I go to https://my-netbox/api/secrets/secrets/ I can see the plaintext attribute. I understand this is because I have X-Session-Key available due to being "logged in" to a secrets session. It seems when my user starts a script that session is not attached/associated with the script run.

Is this working as intended? If so, it seems to me that accessing Secrets in scripts is impossible by design.

[candlerb]

From a quick look at the code, to set the plaintext attribute on the secret object, you need to call its decrypt method, passing in the master key (which in turn you could get from decrypting a user key)

However, secrets are in the process of being removed into a plugin, so if you want to use them - especially via an API - you'd probably be better off using something like Hashicorp Vault.