PlatformIO Community

Platformio.ini and sensitive data

Hi!
I have project using ESP8266. It is public, it has public git repo. Developers are using many different configurations and some are uploading code to ESP via serial and some want to use OTA updates. Firmware has enabled checking password on upload. Adding upload_flags with --auth=PASSWORD to platformio.ini is not acceptable solution, since:

  1. it would save password in git repository
  2. these are different password in each case
  3. probably uploader (esptool) will complain about unrecoginzed option when upload_flags are present for regular serial upload

There is no option (or I could not find) to set upload_flags via CLI.

Is there some solution which allows to use both upload via serial and OTA with password?

I was trying to use dynamic build flags, but it looks like bang syntax is recognized only with build_flags option. I have written simple python script which outputs given text file or some default value if file is not present. Then each developer could have own file with --auth directive and that file would be in gitignore. But as I said - it looks like !python script.py syntax is not recognized by PIO when used with upload_flags

Other solution would be to get some possibility to include files to platformio.ini and that values from included files would overwrite previous values. That way we could include local sensitive data (assuming PIO won’t complain when included file is not present). File would be in gitignore and each developer can provide own .ini values.

Or just way to set bot upload_flags and upload_protocol via CLI would be enough (uploading code from CLI is good enough solution)

Best regards,

If you want minmal user interaction you can also create two environments ([env:xx]) , one configured for serial upload, other for OTA, where the password is retrieved by one of the methods below

Well either

  1. Put a blank / example password in the platformio.iniwith a comment to change it for the use case and expect people to never push their creds
  2. Use extra_configs directive with e.g.
[platformio]
extra_configs = upload_params.ini

[env:nodemcuv2]
platform = espressif8266
board = nodemcuv2
framework = arduino

and then upload_params.ini as

; applies to all environments
; or use "extends" (https://docs.platformio.org/en/latest/projectconf/section_env_advanced.html#extends)
[env] 
upload_protocol = espota
upload_port = IP_ADDRESS_HERE or mDNS_NAME.local
upload_flags = --auth=MYPASSSWORDHERE

which is then .gitignore'd so that it is never pushed (but a template for this file is pushed, e.g.). That way there’s some controllable separation.

  1. Use ${sysenv.VARIABLE} syntax in platformio.ini to easily extract values from the system’s environment variables, as documented
  2. Use advanced scripting to change upload flags programatically if more complicated logic is needed (overkill here).
[env:nodemcuv2_ota]
platform = espressif8266
board = nodemcuv2
framework = arduino
upload_protocol = espota
upload_port = 192.168.1.192
extra_scripts = get_ota_params.py

[env:nodemcuv2_serial]
platform = espressif8266
board = nodemcuv2
framework = arduino
; upload via serial (default anyways)
upload_protocol = esptool

and then get_ota_params.py

import os 
Import("env")
#print(env.Dump())
# already set
#env["UPLOAD_PROTOCOL"] = "espota"
# get OTA password.. from e.g. env variables, or from a text file, ..
pw = os.getenv("ESP_OTA_PASSWORD", default=None)
if pw is None:
    print("!! No ESP OTA password given!! Define the environment variable ESP_OTA_PASSWORD")
    # hard exit if wanted
    #env.Exit(1)
else:
    # append to upload flags
    env.Append(UPLOADERFLAGS = [
        "--auth",
        pw
    ])
# you can also set the "upload port" = ip / mDNS name here if needed 
#env["UPLOAD_PORT"] = "192.168.1.192"

To be run environments can also be selected in the CLI via pio run -e <environment name> commands.

(pio run -t upload -v is useful to verify the correctness of the script)

Thank You for Your reply. I have totally missed extra_configs directive. That is exactly what I needed.