4 Secret user macros

Zabbix provides two options for protecting sensitive information in user macro values:

  • Secret text
  • Vault secret

While the value of a secret macro is hidden, it can be revealed through use in items. For example, in an external script, an echo statement referencing a secret macro may be used to reveal the macro value to the frontend, because Zabbix server has access to the real macro value. See Unmasked locations for a list of locations where secret macro values are unmasked.

Secret macros cannot be used in trigger expressions.

Secret text

With Secret text macros, the macro value is masked with asterisks.

To make a macro value secret, click on the button at the end of the Value field and select the Secret text option:

Once the configuration is saved, it will no longer be possible to view the value.

To change the macro value, hover over the Value field and click the Set new value button (appears on hover):

When you click the Set new value button (or change the macro value type), the current value will be erased. You can restore the original value by clicking the arrow at the end of the Value field (only available before saving the new configuration). Note that restoring the original value will not expose it.

URLs that contain a secret macro will not work, as the macro in them will be resolved as "******".

Vault secret

With Vault secret macros, the macro value is stored in an external secret management software (vault).

To configure a Vault secret macro, click on the button at the end of the Value field and select the Vault secret option:

The macro value must point to a vault secret. The input format depends on the vault provider. For provider-specific configuration examples, see:

Vault secret macro values are retrieved from the vault by Zabbix server on every refresh of configuration data and then stored in the configuration cache.

Zabbix proxy receives values of vault secret macros from Zabbix server on each configuration sync and stores them in its own configuration cache. The proxy never retrieves macro values from the vault directly. That means a Zabbix proxy cannot start data collection after a restart until it receives the configuration update from Zabbix server.

To manually refresh secret values from the vault, use the secrets_reload runtime control option.

Encryption must be enabled between Zabbix server and proxy; otherwise a server warning message is logged.

If a macro value cannot be retrieved successfully, the corresponding item using the value will turn unsupported.

Unmasked locations

This list provides locations of parameters where secret macro values are unmasked.

Context Parameter
Items
Item Item key parameters
SNMP agent SNMP community
Context name (SNMPv3)
Security name (SNMPv3)
Authentication passphrase (SNMPv3)
Privacy passphrase (SNMPv3)
HTTP agent URL
Query fields
Post
Headers
User name
Password
SSL key password
Script Parameters
Script
Browser Parameters
Script
Database monitor SQL query
TELNET agent Script
User name
Password
SSH agent Script
User name
Password
Simple check User name
Password
JMX agent User name
Password
Item value preprocessing
JavaScript preprocessing step Script
Web scenarios
Web scenario Variable value
Header value
URL
Query field value
Post field value
Raw post
Web scenario authentication User
Password
SSL key password
Connectors
Connector URL
Username
Password
Token
HTTP proxy
SSL certificate file
SSL key file
SSL key password
Network discovery
SNMP SNMP community
Context name (SNMPv3)
Security name (SNMPv3)
Authentication passphrase (SNMPv3)
Privacy passphrase (SNMPv3)
Global scripts
Webhook JavaScript script
JavaScript script parameter value
Telnet Username
Password
SSH Username
Password
Script Script
Media types
Script Script parameters
Webhook Parameters
IPMI management
Host Username
Password