Secrets for Special Agents in CheckMk 2.3


I’m trying to get my plugin working on CheckMk 2.3p1 and I’m struggling getting a secret to my special agent. I’m using the Redfish plugin as reference, but still cannot figure out this:

In the “server_side_calls” file it prepares the command line for the execution of the special agent:


This Secret object is passed as string as a command line parameter:

In the special agent this value gets split into id and path, then the actual password looked up from the password store:

When I print out the Secret in my “server_side_call”, it shows this objects, I don’t see how it could be split by : and it does not contain any path:

Secret(id=140152638596336, format='%s', pass_safely=True)

So I actually have no idea where to take the “path” value from, that the password store lookup needs.

I then found the “unsafe” method of the Secret class. I would prefer to have the “server_side_call” looking up the password and give it to the special agent. This should do what I want:

But when I print the value that is returned by the usafe method, it again does not show me my password:

I would appreciate a little hint on how to get the password to my special agent. I would prefer not to modify the special agent, I’d like the server_side_call to retrieve the password and hand it plaintext as parameter to the special agent.


Here some information about my implementation inside the Redfish mkp.

Example command line with explizit password set.

agent_redfish -u demouser1 --password-id uuid981006ce-29ca-4289-9674-ab3f636cb575:/omd/sites/cmk/var/check_mk/passwords_merged -P https

and here with password store used

agent_redfish -u demouser2 --password-id password_1:/omd/sites/cmk/var/check_mk/passwords_merged -P https

You see in booth versions you have a password id and a path inside the command line.

This object is translated into the command line.
In your special agent how does the command line looks like if shown with “cmk -D hostname”.

Ah yes, I see. The object added to the “command_arguments” ends up differently in the command line parameters used to call the special agent script:

–client_secret uuid98349f98-822b-411e-884f-2130214f3fc0:/omd/sites/monitoring/var/check_mk/passwords_merged

I was actually trying to retrieve the password in the server_side_call script, so I don’t have to modify my special agent and make it dependant on the CheckMk libs.

Any idea how to do that?

Now I got it. When using the unsafe() method on the Secret within the server_side_call, it later gets replaced by the plaintext password that is then given to the special agent: