Managing Encryption Keys or IV when using API Designer
Hi,
I'm building APIs on Dataiku with a Python Function as an Endpoint that receives the parameters encrypted from the request. The code needs to decrypt the parameter, perform a series of operations and dataset lookups, and then return an encrypted JSON as a response.
Everything is working fine; however, I have the IV and the Encryption Key hard coded (for development purposes).
What's the best way to avoid hard coding the keys and the IV in the code? I tried the user secrets; however, I'm not able to retrieve the key from the code.
This is my piece of code that works on Python Notebooks:
```python
import dataiku


def get_keys():
    # Authenticate as the user running the code and request their secrets
    client = dataiku.api_client()
    auth_info = client.get_auth_info(with_secrets=True)

    # Look for the user secret stored under the name "SecrectKey"
    secret_value = None
    for secret in auth_info["secrets"]:
        if secret["key"] == "SecrectKey":
            secret_value = secret["value"]
            break

    if not secret_value:
        raise Exception("secret not found")
    return secret_value
```
Answers
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 1,993 Neuron
I am not sure if retrieving user secrets will work in the API node. I suspect it won't since the API node has no GUI so not sure how you are going to add the user secrets in the first place. So you may have to divert your Dataiku Client API calls inside your API function to your Automation or Designer node to retrieve your user secrets.
You don't really say why you are "not able to retrieve the key from the code". I believe the problem you have is that in a Notebook the code executes as your user ID so it's able to retrieve the secrets from your account secrets. An API can't do that since it runs in a different context. You will need to impersonate the user that has the secrets to be able to retrieve them:

```python
import dataiku

client = dataiku.api_client()
user = client.get_user("the_user_to_impersonate")
client_as_user = user.get_client_as()
# All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
# its permissions
```
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 1,993 Neuron
But I will be interested to know what happens when you run that in the proper API node (not the embedded one that comes with the Designer node).
-
We found a solution that's suitable for us.
We created a directory on both servers, Design Node and API Node, where Dataiku runs, and they will contain the encryption key files. From the script, using OS, I can access and read that file.
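
A sketch of the key-file approach described in the last post, added here as an example and not code from any poster in the thread: it reads the key from a file on the node and refuses to use it if the file is a symlink, is owned by another account, or is readable by group or others. The hex-encoded file format, the file name `api_endpoint.key` and the function names are assumptions, and the checks assume a POSIX host.

```python
import os
import stat
import tempfile

VALID_KEY_SIZES = (16, 24, 32)  # AES-128/192/256 key lengths in bytes


def load_key(path):
    """Read a hex-encoded key from `path`, refusing files other users can access."""
    # O_NOFOLLOW: refuse a symlink planted in place of the key file.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # stat the opened descriptor, not the path (no race)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the service account")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other permissions set, expected 0600")
        raw = os.read(fd, 4096)
    finally:
        os.close(fd)
    try:
        key = bytes.fromhex(raw.decode("ascii").strip())
    except ValueError:  # also covers non-ASCII content (UnicodeDecodeError)
        raise ValueError(f"{path}: key is not valid hex") from None
    if len(key) not in VALID_KEY_SIZES:
        raise ValueError(f"{path}: unexpected key length {len(key)} bytes")
    return key


def demo():
    """Constructed sample: a throwaway key file checked at 0600 and at 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api_endpoint.key")  # hypothetical file name
        sample = os.urandom(32)  # constructed key, for the demo only
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(sample.hex() + "\n")
        ok = load_key(path) == sample
        os.chmod(path, 0o644)  # simulate a key file left world-readable
        try:
            load_key(path)
            rejected = False
        except PermissionError:
            rejected = True
        return ok, rejected
```

Calling `load_key` once when the endpoint starts, rather than on every request, makes a misconfigured key file fail at deployment time instead of mid-request.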