Storing API keys securely

Dear Dataiku Team,
Thank you for all your good work with the Dataiku environment - we are looking forward to using new functionality with Dataiku 7!
We are now experimenting with building API connections in between nodes - I was able to establish the connection using the code from here:
import dataikuapi
host = "http://localhost:11200"
apiKey = "<MY_SECRET_KEY>"
client = dataikuapi.DSSClient(host, apiKey)
# client is now a DSSClient and can perform all authorized actions.
client.list_project_keys()
How would you approach the topic of security here: a secret key is not very secret if it is hard coded. Does Dataiku offer some safe way of storing it in the environment?
Thank you,
Filip
Best Answer
-
Hi,
We'd recommend using user secrets: https://doc.dataiku.com/dss/latest/security/user-secrets.html
User secrets are stored encrypted on disk.
Please note however that user secrets are per-user, so each user who wants to use this code needs to enter a key as a user secret (with the same secret name).
Answers
-
Hi Clément,
Thank you very much for a quick answer - it worked out very well and now we can store the keys safely.
Have a good day,
Filip
-
Hi,
I agree with the point that we can store secret keys in user-profile credentials as per https://doc.dataiku.com/dss/latest/security/user-secrets.html.
But this will only work after creating a connection with Dataiku via DSSClient, and to create that connection we eventually need to pass the host and secret key while making the connection.
Ref:
import dataiku
client = dataiku.DSSClient(host, key)
How can we prevent hardcoding the above "key" in the code to make the connection?
Thanks
Tanay
-
Hey, I'm facing the same problem as @Tanay above, any solution to this?
-
Grixis
Hey,
I hadn't really understood how to manage our secret keys through a user's credentials.
Personally, I use Dataiku's utilities method, utils.get_admin_dss_client(), which automatically and temporarily creates a privileged API key and obtains a privileged API client.
You have an example here through this page:
Example: Create project with a default code env
Then, depending on the instance, I get the “secret manager” user settings and take its credentials as a variable, whose code snippets I can use to variabilize the secrets I want to retrieve and set in my plugins, macros, scenarios etc.
So, I don't explicitly hardcode those keys in the code but, as admin client, get my user's credentials to use them.
By the way, I had asked support where they were with implementing a possible KMS in their solution, and they told me that it was in their backlog! :)
-
Turribeach
First of all, please keep in mind this is a 2020 thread that has been marked as answered, so ideally people should be starting a new thread making a reference to this one. I really don't see why you can't use user secrets to store keys to connect to other nodes. If you are inside, say, dss-node1, then you already have access to the user secrets of the user identity that's running your code / scenario, so you could store all the API keys for the other nodes there.
Finally the need for a "shared secrets store" has been requested in this Product Idea, please vote for it:
PS: If you need to follow up please start a new thread.
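The approach from the answers above, as an added example that is not part of the original thread or Dataiku's own code: code running inside one DSS node reads the running user's secrets through the already-authenticated local client and uses one of them as the API key for a second node. The secret name `node2-api-key`, the host URL and the sample data are assumptions made up for this illustration.

```python
# Added example. Inside DSS (recipe, notebook, scenario) dataiku.api_client()
# is already authenticated as the running user, so no key is needed to reach
# the local node and read that user's secrets.

# Constructed sample of what get_auth_info(with_secrets=True) returns.
SAMPLE_AUTH_INFO = {
    "authIdentifier": "filip",
    "groups": ["data-team"],
    "secrets": [
        {"key": "node2-api-key", "value": "constructed-not-a-real-key"},
        {"key": "empty-secret", "value": ""},
    ],
}


def find_secret(auth_info, name):
    """Return the value of user secret `name`; fail loudly if it is unusable.

    Error messages name the secret and the user, never any secret value,
    so they are safe to land in job logs.
    """
    user = auth_info.get("authIdentifier", "<unknown>")
    values = [s.get("value") for s in auth_info.get("secrets", [])
              if s.get("key") == name]
    if not values:
        # Secrets are per-user: every user running this code must define it.
        raise KeyError("user secret %r is not defined for user %r" % (name, user))
    if not values[0]:
        raise ValueError("user secret %r of user %r is empty" % (name, user))
    return values[0]


def remote_client(host, secret_name="node2-api-key"):
    """Build a DSSClient for another node without a key in the source code."""
    # Imported here so the helper above can be exercised outside DSS.
    import dataiku
    import dataikuapi

    auth_info = dataiku.api_client().get_auth_info(with_secrets=True)
    return dataikuapi.DSSClient(host, find_secret(auth_info, secret_name))


# Usage inside DSS (hypothetical host):
#   client = remote_client("http://dss-node2.example:11200")
#   client.list_project_keys()
```

Because the lookup runs as whichever identity executes the code, a scenario run by another user fails with the `KeyError` above until that user defines the same secret name in their profile.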