Survey banner
The Dataiku Community is moving to a new home! New posts are now disabled and the community will shortly be in temporary read only mode: LEARN MORE

Managing Encryption Keys or IV when using API Designer

Level 1
Managing Encryption Keys or IV when using API Designer


Im building API´s on Dataiku with Python Function as a Endpoint that recieve the parameters encrypted from the request, the code need to decrypt the parameter, perform a series of operations, dataset lookups and the return an encrypted json as a response. 

Everything is working fine, however I have the IV and the Encryption Key hard coded (for development propuses). 

Whats the best way to avoid hard coding the keys and the IV in the code? Tried the user secrets however im not able to retrieved the key from the the code. 


this is my piece of code that works on Python Notebooks 

import dataiku

def get_keys(): 
    client = dataiku.api_client()
    auth_info = client.get_auth_info(with_secrets=True)

    secret_value = None
    for secret in auth_info["secrets"]:
            if secret["key"] == "SecrectKey":
                    secret_value = secret["value"]

    if not secret_value:
            raise Exception("secret not found")

    return secret_value


0 Kudos
3 Replies

I am not sure if retrieving user secrets will work in the API node. I suspect it won't since the API node has no GUI so not sure how you are going to add the user secrets in the first place. So you may have to divert your Dataiku Client API calls inside your API function to your Automation or Designer node to retrieve your user secrets.

You don't really say why you are "not able to retrieved the key from the the code". I believe the problem you have is that in a Notebook the code executes as your user ID so it's able to retrieve the secrets from your account secrets. An API can't do that since it runs in a different context. You will need to impersonate the user that has the secrets to be able to retrieve them:


user = client.get_user("the_user_to_impersonate")
client_as_user = user.get_client_as()

# All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
# its permissions



0 Kudos

But I will be interested to know what happens when you run that in the proper API node (not the embedded one that comes with the Designer node).

0 Kudos
Level 1

We found a solution thats suitable for us. 

We created a directory on both servers, Design Node and API Node where Dataiku runs and they will contain the encryption key files. 

From script using OS I can access and read that file. 


0 Kudos