26

I want to pass secure parameters to shinyapps.io deployment so my application could get them via:

    Sys.getenv('PASSWORD_X')

I cannot find anything for this in the deployApp function in the rsconnect package.

Bulat
  • 1
    Good question in general. But on a note regarding security, once you pass these parameters to shinyapps.io they’re no longer secure: you’ve given them to a third party. – Konrad Rudolph Aug 22 '16 at 16:23
  • well, that is true about any third party, e.g. amazon will have our keys – Bulat Aug 22 '16 at 16:31
  • btw, any other method of sending keys so App could read say from S3 will be helpful. Current option I have is sending keys in a text file (e.g. json) but I will have to set env vars anyway as all aws related packages are implemented this way. – Bulat Aug 22 '16 at 17:23
  • 2
    You'd have to seriously distrust Amazon EC2 administrators or the implementation of their hypervisor if you really believe that "Amazon will have your keys" if you use environment variables for secrets on an EC2 instance. – hrbrmstr Sep 20 '16 at 02:59
  • @hrbrmstr you are right, I don't believe that. Same can be true about Shiny. – Bulat Sep 22 '16 at 12:01

1 Answer

22

You can use Renviron.site or .Renviron to store and access private data in your shiny application. (see here for Hadley Wickham's recommendations and instructions - ref example below).


Solution:

Storing API Authentication Keys/Tokens (Attribution: Hadley Wickham)

If your package supports an authentication workflow based on an API key or token, encourage users to store it in an environment variable. We illustrate this using the github R package, which wraps the Github v3 API. Tailor this template to your API + package and include in README.md or a vignette.

  1. Create a personal access token in the Personal access tokens area of your GitHub personal settings. Copy token to the clipboard.
  2. Identify your home directory. Not sure? Enter normalizePath("~/") in the R console.
  3. Create a new text file. If in RStudio, do File > New File > Text file.
  4. Create a line like this:

    GITHUB_PAT=blahblahblahblahblahblah

where the name GITHUB_PAT reminds you which API this is for and blahblahblahblahblahblah is your personal access token, pasted from the clipboard.

  5. Make sure the last line in the file is empty (if it isn’t, R will silently fail to load the file). If you’re using an editor that shows line numbers, there should be two lines, where the second one is empty.

  6. Save in your home directory with the filename .Renviron. If questioned, YES you do want to use a filename that begins with a dot ..

    • Note that by default dotfiles are usually hidden. But within RStudio, the file browser will make .Renviron visible and therefore easy to edit in the future.
  7. Restart R. .Renviron is processed only at the start of an R session.

  8. Use Sys.getenv() to access your token. For example, here’s how to use your GITHUB_PAT with the github package:

    library(github)
    ctx <- create.github.context(access_token = Sys.getenv("GITHUB_PAT"))
    # ... proceed to use other package functions to open issues, etc.
    

FAQ: Why define this environment variable via .Renviron instead of in .bash_profile or .bashrc?

Because there are many combinations of OS and ways of running R where the .Renviron approach “just works” and the bash stuff does not. When R is a child process of, say, Emacs or RStudio, you can’t always count on environment variables being passed to R. Put them in an R-specific start-up file and save yourself some grief.

Bulat
Technophobe01
  • you can remove details about s3, it was an example, but is not relevant as a solution. Looking into `.Renviron`, I think it is all I need really. Need to test it with shinyapps. – Bulat Sep 26 '16 at 12:39
  • Happy to help - take care – Technophobe01 Sep 26 '16 at 20:11
  • 5
    This worked for me after creating a copy of my .Renviron file in the root directory of my Shiny application. – Erik Iverson Dec 15 '16 at 00:19
  • 1
    From a security standpoint, is it safe to deploy API keys in `.Renviron` to shinyapps.io? – lauren.marietta May 08 '20 at 17:36
  • 1
    Lauren, I believe so subject to file permissions. Personally, I wouldn't trust that answer chuckle. You may want to check with RStudio at security@rstudio.com https://docs.rstudio.com/shinyapps.io/security-and-compliance.html I sent an email to RStudio... – Technophobe01 May 09 '20 at 01:47
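
A pre-deploy check for the app-local .Renviron discussed in the answer and comments above, as an added example that is not part of the original thread or of rsconnect. The function name check_renviron is hypothetical; it assumes the file sits in the app's root directory, that the project uses git, and that permission bits are only meaningful on Unix. It reports variable names only, never values.

```r
# Added example, not from the original post. Base R only; never prints secret values.
check_renviron <- function(app_dir, required) {
  path <- file.path(app_dir, ".Renviron")
  if (!file.exists(path)) return("no .Renviron in the app directory")
  problems <- character()

  # The answer's note about the empty last line: the file must end with a newline.
  size <- file.info(path)$size
  bytes <- readBin(path, what = "raw", n = size)
  if (size == 0 || bytes[size] != as.raw(0x0a))
    problems <- c(problems, "file does not end with a newline")

  # Parse NAME=value lines, skipping blank lines and comments.
  lines <- trimws(readLines(path, warn = FALSE))
  lines <- lines[nzchar(lines) & !startsWith(lines, "#")]
  ok <- grepl("^[A-Za-z_][A-Za-z0-9_]*=", lines)
  if (any(!ok))
    problems <- c(problems, sprintf("%d line(s) are not NAME=value", sum(!ok)))
  name  <- sub("=.*$", "", lines[ok])
  value <- sub("^[^=]*=", "", lines[ok])
  missing <- setdiff(required, name[nzchar(value)])
  if (length(missing))
    problems <- c(problems, paste("missing or empty:", paste(missing, collapse = ", ")))

  # Unix only: flag any group/other permission bits (octal 077).
  if (.Platform$OS.type == "unix" &&
      bitwAnd(as.integer(file.info(path)$mode), 63L) != 0L)
    problems <- c(problems, "accessible by group/others; consider chmod 600")

  # Heuristic: look for a literal .Renviron entry in the app's .gitignore.
  gi <- file.path(app_dir, ".gitignore")
  ignored <- file.exists(gi) &&
    any(trimws(readLines(gi, warn = FALSE)) %in% c(".Renviron", "/.Renviron"))
  if (!ignored) problems <- c(problems, ".Renviron is not listed in .gitignore")
  problems
}

# Constructed sample: a throwaway app directory with a deliberately flawed file
# (no trailing newline, mode 0644, no .gitignore, GITHUB_PAT absent).
app <- file.path(tempdir(), "demo_app")
dir.create(app, showWarnings = FALSE)
env_file <- file.path(app, ".Renviron")
writeBin(charToRaw("# constructed sample\nPASSWORD_X=placeholder-not-a-secret"), env_file)
Sys.chmod(env_file, mode = "0644", use_umask = FALSE)
print(check_renviron(app, required = c("PASSWORD_X", "GITHUB_PAT")))
```

An empty result means the file passed every check; run it against the app directory before calling deployApp.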