keyring on amazon ec2

kaushiklakshman · July 4, 2019, 5:36am

Hi everyone,

In our data science team we use the keyring package to handle credentials. Currently we all work on Windows desktops so the default windows credential store gets used.

Now, we are in the processing of operationalising some of our scripts and are setting up an Amazon EC2 instance to do this. However I've just found out that keyring doesn't play well on linux.

When I execute a key_set I get the following warning message.

keyring::key_set(service = "test", username = "test")
Password: *******
Warning message:
In default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables

I can retrieve the key using key_get but obviously if I leave the R session and come back into it I get an error.

keyring::key_get(service = "test", username = "test")
Error in b_env_get(self, private, service, username, keyring) :
  Cannot find password
In addition: Warning message:
In default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables

I have installed libsodium-dev as it is an Ubuntu EC2 instance. A quick google seems to suggest the default backend can't be changed without a GUI

We were also pondering Rstudio connect on AWS in the future. Will this likely be an issue on that too?

What are other solutions you use/ have seen used to counter this?

Thank you!

kaushiklakshman · July 5, 2019, 6:55am

I've found the solution myself for what its worth.

The trick is to change the default backend to a file based backend.

kb <- keyring::backend_file$new()
kb$keyring_create('some_keyring_name')
kb$set(service = 'test', username = 'test', keyring = 'some_keyring_name')

Point to note: file based keyrings are locked with a password and need to be unlocked. Also might be worth setting the default backend to file using the .Renviron file

cole · July 5, 2019, 7:58pm

Very interesting! Good find! This is definitely something I want to dig into, because keyring on RStudio Server or RStudio Connect seems like a really compelling toolchain!

If you encounter problems (or solutions!) in either case, please do come create a thread to discuss here! I think you're definitely in the right place

I would guess that (on RStudio Connect) the environment pane would be something you'd use to pass the necessary secret to "unlock" the file, perhaps?

https://docs.rstudio.com/connect/user/settings-panel.html#content-vars

system · July 12, 2019, 7:58pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

nathan · April 27, 2021, 3:59pm

The keyring package now detects Linux server environments and sets the file backend by default. You should not need to set the backend manually any longer keyring::backend_file$new(). However, you still need to install the libsodium package as a server admin on Linux.

For a simpler interface to they keyring package, I suggest creating the system keyring keyring::keyring_create("system") and using rstudioapi::askForSecret().

Install the latest version of keyring from Github:

remotes::install_github("r-lib/keyring")
keyring::keyring_create("system")
rstudioapi::askForSecret("test")