How to store sensitive credentials on RStudio Cloud project?

I'm wondering if there's a solution yet for how to have a project on RStudio Cloud that uses an API key or some other sensitive credentials, in a safe way such that others won't be able to see or copy this information.

I tried searching for information, and I found two threads from April 2018 that talked about the project vs home directories. Even though the home dir is not copied, @seans gave explicit advice to not store sensitive information there (is it somehow visible to anyone?). I was hoping that by now there is a good way around this. Otherwise, is it expected that we don't use RStudio Cloud to showcase any apps that use personal tokens?

The home directory is not copied when a project is copied and is not accessible to all other users. However, if the project is in a space, the home directory is accessible to moderators and admins of the space. Ultimately we intend to make the home directory only accessible to a particular user but we are still in alpha and we are a ways away from being feature complete.

From your question though I am not sure this feature would solve your problem. It sounds like the app that you want to showcase is dependent on an API key at run time. It's hard for me to see how we could make the API key usable by another user executing the code - but not accessible to them at the same time. Could you elaborate a little on your particular use case?

Sean

Thanks for the response Sean, and for clarifying that admins do still see the home directory of other users. Is this the main reason that storing credentials in the home directory is not advisable, or are there other ways in which people can see a file in my home dir?

My use case is: I have a shiny app that makes an API call that requires an authenticated API key. I usually place my code on GitHub and gitignore the key file, so that way my code is available for others to replicate. I also host the app on my shiny server or shinyapps.io so others can see a working version of the code, and that app does use my real API key, and that's ok because users can't see my key. I thought RStudio Cloud is a great one stop shop for both sharing your code AND showcasing the demo but I don't see how I can use it with my app.

I got this idea from seeing that the Shiny contest requires participants to share their code on RStudio Cloud so others can copy the project. How would somebody enter the shiny contest and host on RStudio Cloud if their app has any type of credentials file?

Have you already looked at keyring?

I know of no simple (or even complex) way to have a secret in R which a normal user of R can't access.

@seans @jdlong so is it correct to say that as of now, it's not possible to share any code that makes API calls on rstudio.cloud? And by extension, any submissions to the Shiny contest should not make any use of authenticated APIs?

No you can make all the API calls you want... but you can't have any secrets :wink:

So (as far as I know) there is no way in any R session (Cloud or local) to have secrets which the user is incapable of (eventually) extracting. This is more of a general computing axiom rather than an R thing. Think about how DVD Jon extracted the DVD encryption keys out of DVD players. This is the same problem only we're trying to hide secrets on a fully functioning end user computer with multiple programming environments.

How this impacts the shiny contest submission is a bit of a question. The desire is to have the submissions run from cloud so (if possible) making the submission run without the API interaction would be the best option.

If there is really tight coupling between the API and the shiny application though you could leave the API keys out of the project code. In that case you would need to add clear comments/instructions in the code about where to acquire and place the API keys in order for your submission to run successfully.

Sean


Re: Shiny contest

If you have a submission that requires credentials, I would recommend including all the necessary instructions for someone else reproducing your app to obtain an API key and where and how they should store it in their home directory so that when they make a copy of your RStudio Cloud space they get the code (but not your API key) but they can recreate your setup for reproducing your app.

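The setup recommended in the replies above (key kept out of the project, each user supplying their own from their home directory), sketched in R as an added example that is not code from any poster in this thread. The names `DEMO_API_KEY` and `~/.demo_api_key` are hypothetical.

```r
# Added example. DEMO_API_KEY and ~/.demo_api_key are hypothetical names;
# substitute whatever your API client expects.
get_api_key <- function(env_var = "DEMO_API_KEY",
                        key_file = "~/.demo_api_key",
                        project_dir = getwd()) {
  # 1. Prefer an environment variable, e.g. a line in ~/.Renviron. That file
  #    lives in the home directory, so it is not part of the copied project.
  key <- Sys.getenv(env_var, unset = "")
  if (nzchar(key)) return(key)

  # 2. Fall back to a key file, but refuse one stored inside the project,
  #    because everything in the project travels with every copy of it.
  path <- normalizePath(path.expand(key_file), winslash = "/", mustWork = FALSE)
  proj <- normalizePath(project_dir, winslash = "/", mustWork = FALSE)
  if (startsWith(path, paste0(proj, "/"))) {
    stop("Key file ", path, " is inside the project directory and would be ",
         "copied with the project; move it to your home directory.")
  }

  # 3. No key anywhere: tell the person running a copy how to supply their own.
  if (!file.exists(path)) {
    stop("No API key found. Obtain your own key from the API provider, then ",
         "either add the line ", env_var, "=<your key> to ~/.Renviron and ",
         "restart R, or save the key in ", key_file, ".")
  }

  # 4. Warn if group/other permission bits are set on the key file (Unix only).
  mode <- file.info(path)$mode
  if (.Platform$OS.type == "unix" && bitwAnd(as.integer(mode), 63L) != 0L) {
    warning("Key file has group/other permissions set; consider ",
            "Sys.chmod(\"", path, "\", \"600\").")
  }

  lines <- readLines(path, n = 1L, warn = FALSE)
  if (length(lines) == 0L || !nzchar(trimws(lines[1]))) {
    stop("Key file ", path, " is empty.")
  }
  trimws(lines[1])
}

# In app.R: api_key <- get_api_key()
```

This keeps the key out of copies of the project only. As the replies note, anyone who can run code in the same R session can still read the key, and in a shared space moderators and admins can access the home directory.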

@mine that's along the lines of what I was thinking, because I don't necessarily care if someone is able to run the app as-is, I always remove the credentials and add instructions on how to create them. But @seans mentioned that even me storing my credentials in my home dir isn't safe and completely private.

Is there no way to have a private file in the cloud that is only accessible to me?

If you're using an RStudio Cloud project created in your personal workspace ("Your Workspace"), your home directory will not be copied when the project is copied.

If however the project is in a workspace that has other non-contributor level users (e.g. you're an instructor/admin, and you have TAs/moderators), your home directory would be accessible to them.

Thanks Mine!

To clarify:

  • If I start my own project in my own space, nobody can see files in my home dir
  • And if someone copies my project, nobody will have access to their home dir

(Unless it's done in a space with another admin)

Is that correct?


I don't quite understand. So for the Shiny Contest, I have uploaded my project files into RStudio Cloud "Your Workspace" / project_name, including a google.api file which my app requires to run. So how do I now give everyone access without sharing my api key file?

You can't. But you could include instructions on how others could get an api key so they could run it with their own key.


As long as you don't add another user to your shinyapps.io account, this is correct. Since the accounts are shared between shinyapps.io and RStudio Cloud, even though you can't add users to your RStudio Cloud account, you could conceivably add someone to your shinyapps.io account, who could then access your RStudio Cloud account, and hence everything in the home directory of projects in your personal workspace.

But I should also note that this is probably an unlikely circumstance anyway.

Good to know about that shinyapps.io --> RStudio Cloud connection!

I don't know if this is already on the (probably very very long) list of items to support in the cloud platform, but either offering a solution or some official documentation about this topic would be helpful before it graduates from beta :slight_smile:

Or, rather, to beta. It's still in alpha. (Or, if not, we should probably change the header for this category).

Yep, that was my (too subtle) way to say that I'm not expecting this to be fixed any time soon, since I realize it has so much time until it will be considered a stable product :slight_smile:

