[comment]: # ({9a839c05-f9e8f670})
# 4 Secret user macros

[comment]: # ({/9a839c05-f9e8f670})

[comment]: # ({1ec59739-8b3f0169})
#### Overview

Zabbix provides two options for protecting sensitive information in user macro values:

-   Secret text
-   Vault secret

::: noteclassic
While the value of a secret macro is hidden, it can be revealed through use in items.
For example, in an external script, an `echo` statement referencing a secret macro may be used to reveal the macro value to the frontend, because Zabbix server has access to the real macro value.
See [locations](#unmasked-locations) where secret macro values are unmasked.
:::

Secret macros cannot be used in trigger expressions.

[comment]: # ({/1ec59739-8b3f0169})

[comment]: # ({cc2edd9c-740aad18})
#### Secret text

With Secret text macros, the macro value is masked with asterisks.

To make a macro value secret, click on the button at the end of the *Value* field and select the *Secret text* option:

![](../../../../assets/en/manual/config/macros/macro_value_type.png)

Once the configuration is saved, it will no longer be possible to view the value.

To change the macro value, hover over the *Value* field and click the *Set new value* button (appears on hover):

![](../../../../assets/en/manual/config/macros/macro_type_secret2.png)

When you click the *Set new value* button (or change the macro value type), the current value will be erased.
You can restore the original value by clicking the ![](../../../../assets/en/manual/config/macros/macro_type_secret3.png) arrow at the end of the *Value* field (only available before saving the new configuration).
Note that restoring the original value will not expose it.

::: noteclassic
URLs that contain a secret macro will not work, as the macro in them will be resolved as "\*\*\*\*\*\*".
:::

[comment]: # ({/cc2edd9c-740aad18})

[comment]: # ({5897e6d9-480b89ed})
#### Vault secret

With Vault secret macros, the macro value is stored in external secret management software (vault).

To configure a Vault secret macro, click on the button at the end of the *Value* field and select the *Vault secret* option:

![](../../../../assets/en/manual/config/macros/macro_value_type1.png)

The macro value must point to a vault secret.
The input format depends on the vault provider. For provider-specific configuration examples, see:

-   [HashiCorp](/manual/config/secrets/hashicorp#retrieving-user-macro-values)
-   [CyberArk](/manual/config/secrets/cyberark#user-macro-values)

[comment]: # ({/5897e6d9-480b89ed})

[comment]: # ({54bb4ce1-94cba921})
Vault secret macro values are retrieved from the vault by Zabbix server (and Zabbix proxy, if *Resolve secret vault macros by* is [set to](/manual/web_interface/frontend_sections/administration/general#other) *Zabbix server and proxy*) on every refresh of configuration data and then stored in the configuration cache.
Zabbix server and Zabbix proxy may use different vaults.

If *Resolve secret vault macros by* is [set to](/manual/web_interface/frontend_sections/administration/general#other) *Zabbix server*, vault secrets are retrieved by the server only; Zabbix proxy receives the values of Vault secret macros from Zabbix server on each configuration sync and stores them in its own configuration cache.
That means a Zabbix proxy cannot start data collection after a restart until it receives the configuration update from Zabbix server.

To manually refresh secret values from the vault, use the `secrets_reload` [runtime control](/manual/concepts/server#runtime-control) option (server only).

Encryption must be enabled between Zabbix server and proxy; otherwise a server warning message is logged.

::: notewarning
If a macro value cannot be retrieved successfully, the corresponding item using the value will turn unsupported.
:::

[comment]: # ({/54bb4ce1-94cba921})

[comment]: # ({eff6108b-03aa95bd})
#### Unmasked locations

This list provides locations of parameters where secret macro values are unmasked.

::: noteclassic
Secret macro values will remain masked in the locations below if referenced indirectly.
For example, {ITEM.KEY}, {ITEM.KEY<1-9>}, {LLDRULE.KEY} [built-in macros](/manual/appendix/macros/supported_by_location#items) used in media types (Script or Webhook parameters) will resolve to item keys containing masked secret macros, such as `net.tcp.port[******,******]` instead of `net.tcp.port[192.0.2.0,80]`.
:::

|Context|<|Parameter|
|-|----------|------------------------------|
|**Items, item prototypes, LLD rules**|<|<|
| |Item|*Item key parameters*|
|^|Item prototype|*Item prototype key parameters*|
|^|Low-level discovery rule|*Discovery item key parameters*|
|^|SNMP agent|*SNMP community*|
|^|^|*Context name* (SNMPv3)|
|^|^|*Security name* (SNMPv3)|
|^|^|*Authentication passphrase* (SNMPv3)|
|^|^|*Privacy passphrase* (SNMPv3)|
|^|HTTP agent|*URL*|
|^|^|*Query fields*|
|^|^|*Request body*|
|^|^|*Headers*|
|^|^|*User name*|
|^|^|*Password*|
|^|^|*SSL key password*|
|^|Script|*Parameters*|
|^|^|*Script*|
|^|Browser|*Parameters*|
|^|^|*Script*|
|^|Database monitor|*SQL query*|
|^|TELNET agent|*Script*|
|^|^|*User name*|
|^|^|*Password*|
|^|SSH agent|*Script*|
|^|^|*User name*|
|^|^|*Password*|
|^|Simple check|*User name*|
|^|^|*Password*|
|^|JMX agent|*User name*|
|^|^|*Password*|
|**Item value preprocessing**|<|<|
| |JavaScript preprocessing step|*Script*|
|**Web scenarios**|<|<|
| |Web scenario|*Variable value*|
|^|^|*Header value*|
|^|^|*URL*|
|^|^|*Query field value*|
|^|^|*Post field value*|
|^|^|*Raw post*|
|^|Web scenario authentication|*User*|
|^|^|*Password*|
|^|^|*SSL key password*|
|**Connectors**|<|<|
| |Connector|*URL*|
|^|^|*Username*|
|^|^|*Password*|
|^|^|*Token*|
|^|^|*HTTP proxy*|
|^|^|*SSL certificate file*|
|^|^|*SSL key file*|
|^|^|*SSL key password*|
|**Network discovery**|<|<|
| |SNMP|*SNMP community*|
|^|^|*Context name* (SNMPv3)|
|^|^|*Security name* (SNMPv3)|
|^|^|*Authentication passphrase* (SNMPv3)|
|^|^|*Privacy passphrase* (SNMPv3)|
|**Global scripts**|<|<|
| |Webhook|*JavaScript script*|
|^|^|*JavaScript script parameter value*|
|^|Telnet|*Username*|
|^|^|*Password*|
|^|SSH|*Username*|
|^|^|*Password*|
|^|Script|*Script*|
|**Media types**|<|<|
| |Script|*Script parameters*|
|^|Webhook|*Parameters*|
|**IPMI management**|<|<|
| |Host|*Username*|
|^|^|*Password*|
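
An audit sketch built on the table above, added here as an example and not part of Zabbix or its documentation: given the secret macro names and a set of item definitions, it reports each reference and whether the field is one where the value is unmasked. The item dictionaries, field names and sample data are constructed for illustration (they are not the Zabbix export or API schema); only a subset of the table is encoded, and fields not listed are treated as masked.

```python
import re

# Matches {$NAME} and {$NAME:context}; a context containing "}" is not handled,
# and a macro with context is matched by its base name only.
MACRO_REF = re.compile(r"\{\$([A-Z0-9_.]+)(?::[^}]*)?\}")

# Subset of the "Unmasked locations" table. Field names are hypothetical,
# chosen for this example; "*" applies to every item type.
UNMASKED_FIELDS = {
    "*": {"key_params"},
    "HTTP agent": {"url", "query_fields", "request_body", "headers",
                   "username", "password", "ssl_key_password"},
    "Script": {"parameters", "script"},
    "SSH agent": {"script", "username", "password"},
    "Database monitor": {"sql_query"},
}

def audit(secret_macros, items):
    """Return sorted (item, field, macro, state) for each secret macro reference."""
    findings = []
    for item in items:
        unmasked = UNMASKED_FIELDS["*"] | UNMASKED_FIELDS.get(item["type"], set())
        for field, value in item["fields"].items():
            for name in MACRO_REF.findall(value):
                macro = "{$" + name + "}"
                if macro in secret_macros:
                    state = "unmasked" if field in unmasked else "masked"
                    findings.append((item["name"], field, macro, state))
    return sorted(findings)

# Constructed sample data: two secret macros and three items.
SECRET_MACROS = {"{$API_TOKEN}", "{$DB_PASSWORD}"}
ITEMS = [
    {"name": "API health", "type": "HTTP agent", "fields": {
        "headers": "Authorization: Bearer {$API_TOKEN}",
        "description": "Token in use: {$API_TOKEN}"}},
    {"name": "DB backup age", "type": "SSH agent", "fields": {
        "username": "{$SSH_USER}",
        "script": "mysql -p'{$DB_PASSWORD}' -e 'SELECT 1'"}},
    {"name": "TCP port", "type": "Simple check", "fields": {
        "key_params": "net.tcp.port[{$API_HOST},443]"}},
]

if __name__ == "__main__":
    for row in audit(SECRET_MACROS, ITEMS):
        print(*row, sep="\t")
```

Rows marked `unmasked` are the places where the real value reaches a script, request or remote system and deserve review; rows marked `masked` will resolve to asterisks.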

[comment]: # ({/eff6108b-03aa95bd})
