Managing Encryption Keys or IV when using API Designer

Bryam_Hirsch
Bryam_Hirsch Registered Posts: 2
edited July 16 in Using Dataiku

Hi,

Im building API´s on Dataiku with Python Function as a Endpoint that recieve the parameters encrypted from the request, the code need to decrypt the parameter, perform a series of operations, dataset lookups and the return an encrypted json as a response.

Everything is working fine, however I have the IV and the Encryption Key hard coded (for development propuses).

Whats the best way to avoid hard coding the keys and the IV in the code? Tried the user secrets however im not able to retrieved the key from the the code.

this is my piece of code that works on Python Notebooks

import dataiku

def get_keys(): 
    client = dataiku.api_client()
    auth_info = client.get_auth_info(with_secrets=True)

    secret_value = None
    for secret in auth_info["secrets"]:
            if secret["key"] == "SecrectKey":
                    secret_value = secret["value"]
                    break

    if not secret_value:
            raise Exception("secret not found")

    return secret_value

Tagged:

Answers

  • Turribeach
    Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 1,876 Neuron
    edited July 17

    I am not sure if retrieving user secrets will work in the API node. I suspect it won't since the API node has no GUI so not sure how you are going to add the user secrets in the first place. So you may have to divert your Dataiku Client API calls inside your API function to your Automation or Designer node to retrieve your user secrets.

    You don't really say why you are "not able to retrieved the key from the the code". I believe the problem you have is that in a Notebook the code executes as your user ID so it's able to retrieve the secrets from your account secrets. An API can't do that since it runs in a different context. You will need to impersonate the user that has the secrets to be able to retrieve them:

    user = client.get_user("the_user_to_impersonate")
    client_as_user = user.get_client_as()
    
    # All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
    # its permissions

  • Turribeach
    Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 1,876 Neuron

    But I will be interested to know what happens when you run that in the proper API node (not the embedded one that comes with the Designer node).

  • Bryam_Hirsch
    Bryam_Hirsch Registered Posts: 2

    We found a solution thats suitable for us.

    We created a directory on both servers, Design Node and API Node where Dataiku runs and they will contain the encryption key files.

    From script using OS I can access and read that file.

Setup Info
    Tags
      Help me…