Balena Dash Chromium Kiosk Mode Env Variables


I am trying to securely authenticate my balena kiosks running chromium with my backend upon start-up

Is there any way for me to inject an API key/auth token through balena cloud into my chromium instance?


Hi Patrick,
You can probably pass them as environment variables to your application. So you can probably add them manually through the balenaCloud dashboard.
You can specify the variables to apply to all the devices of your application, or specify a different one for each device.
By using service variables or device service variables you can even limit the variable being available to just a single container.
Let me point you to our respective balenaCloud dashboard and CLI docs:

If you would prefer a programmatic API then you can use the respective balena-SDK methods and setup a service on your side that interacts with the balena-api and sets your API keys to the respective device.
Let me also point you to the respective docs for the SDK methods:

Kind regards,

Thanks @thgreasi

Would there be any way for me to inject this ENV variable into the Chromium instance, i.e into its cookies?

Hi again Patrick.
Environment variables defined with the above methods get injected to the environment of the container. For example you can see a list of all available variables by SSHing to the container and run env.
An alternative way that sounds it would better match your use case (please further expand if it doesn’t) is to use the HTTP API that the supervisor exposes to the internal network of the devices.
In that case your app (eg a webapp running in chromium) can do a http request to the supervisor to retrieve more information about the application and its env vars. Let me point you to the respective docs:

If this doesn’t work for you web app, you might better consider having a simple node web server running on a known port and responding with the subset of ENVs that the chromium instance needs to know.
This way your chromium instance can do an HTTP request to that known port instead of having to use the supervisor API directly.
This also leads to better isolation and gives more controlled of what gets exposed to the chromium instance.
Let me point you to an example of a multicontainer application:

Kind regards,

Thanks @thgreasi

I think the supervisor API is just what I need, I will report on this thread if I figure it out :+1:

@thgreasi, I am still having some trouble with this:

I can get the following working in my Kiosk container:
curl "$BALENA_SUPERVISOR_ADDRESS/v2/local/target-state/?apikey=$BALENA_SUPERVISOR_API_KEY"

However a fetch request from the chromium instance web app:

fetch('${BALENA_SUPERVISOR_API_KEY}', { method: 'GET', headers: { 'Content-Type': 'application/json' } })

Returns only the following:

Here are the resposne headers:
Allow: GET,HEAD,POST Connnection: Keep-alive Content-lenght: 13 Content-Type: text/html
Any idea why this is now working?

To give more context, I am running a web app on my local network which can be accessed at
When the balena starts up it’s url is injected with the API key:
I then use that key to perform the authentication request and clear the key from the URL

Another bit of information,

I have tried using HTTP and HTTPS