7

I'm deploying an app to shinyapps.io using data I'm grabbing from S3 and I want to make sure my AWS keys are safe. Currently within the app.R code I'm setting environment variables and then querying S3 to get the data.

Is there a way to create a file that obscures the keys and deploy it to shinyapps along with my app.R file?

Sys.setenv("AWS_ACCESS_KEY_ID" = "XXXXXXXX",
           "AWS_SECRET_ACCESS_KEY" = "XXXXXXXXX",
           "AWS_DEFAULT_REGION" = "us-east-2")


inventory = aws.s3::s3read_using(read.csv, object = "s3://bucket/file.csv")

I'll also add that I'm on the free plan so user authentication is not available otherwise I wouldn't fuss about my keys being visible.

ben890
  • 1
    perhaps this helps : https://cran.r-project.org/web/packages/AWR.KMS/README.html – Waldi Feb 18 '21 at 22:03
  • 2
    and also : [managing secrets](https://cran.r-project.org/web/packages/httr/vignettes/secrets.html) – Waldi Feb 19 '21 at 08:15
  • 2
    I got a similar question a few months ago: https://stackoverflow.com/questions/62472085/are-shiny-servers-shinyapps-files-safe-from-intruders Turns out your keys can be safe if they are stored in any of your project's sub-folders (except for the "www" one). – David Jorquera Feb 22 '21 at 13:32
  • In what OS are you working? Linux, Mac or Win? – Manu Feb 25 '21 at 15:18

2 Answers

4

I recommend the following solution and the reasons behind it:

Firstly, create a file named .Renviron (just create it with a text editor like the one in RStudio). Since that file has a dot before the name, the file will be hidden (on Mac/Linux, for example). Type the following:

AWS_ACCESS_KEY_ID = "your_access_key_id"
AWS_SECRET_ACCESS_KEY = "your_secret_access_key"
AWS_DEFAULT_REGION = "us-east-2"

Secondly, if you are using .git, it is advisable to add the following text to your gitignore file (so as to avoid sharing that file through version control):

# R Environment Variables
.Renviron

Finally you can retrieve the values stored in .Renviron to connect to your databases, S3 buckets and so on:

library(aws.s3)
bucketlist(key = Sys.getenv("AWS_ACCESS_KEY_ID"),
           secret = Sys.getenv("AWS_SECRET_ACCESS_KEY"))

In that way your keys will be "obscured" and will be retrieved by the function Sys.getenv from .Renviron so you can protect your code.

Manu
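
A pre-deployment check for the .Renviron approach above, as an added example that is not part of the original answer or the thread. It verifies that the three variables are defined in .Renviron, that .Renviron is listed in .gitignore, that no R source still carries a literal key as in the question's Sys.setenv() call, and that .Renviron is not under the "www" folder mentioned in the comments. The function name, variable names and sample app are assumptions, and the sample files are constructed.

```r
# Added example, not from the answers. Function and variable names are hypothetical.
required_vars <- c("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_DEFAULT_REGION")

check_app_secrets <- function(app_dir) {
  problems <- character()

  # 1. .Renviron must exist in the app root and define every required variable.
  renv <- file.path(app_dir, ".Renviron")
  if (!file.exists(renv)) {
    problems <- c(problems, ".Renviron not found in app directory")
  } else {
    lines <- trimws(readLines(renv, warn = FALSE))
    lines <- lines[nzchar(lines) & !startsWith(lines, "#")]
    missing <- setdiff(required_vars, trimws(sub("=.*$", "", lines)))
    if (length(missing) > 0)
      problems <- c(problems, paste("not set in .Renviron:", paste(missing, collapse = ", ")))
  }

  # 2. .Renviron must be listed in .gitignore so it never reaches version control.
  gi <- file.path(app_dir, ".gitignore")
  if (!(file.exists(gi) && ".Renviron" %in% trimws(readLines(gi, warn = FALSE))))
    problems <- c(problems, ".Renviron is not listed in .gitignore")

  # 3. No R source file may still carry a literal key: either something shaped like
  #    an AWS access key ID, or the secret variable assigned a quoted string.
  pat <- "AKIA[0-9A-Z]{16}|AWS_SECRET_ACCESS_KEY[\"']?[[:space:]]*=[[:space:]]*[\"'][^\"']+[\"']"
  for (f in list.files(app_dir, pattern = "\\.[rR]$", recursive = TRUE, full.names = TRUE)) {
    hit <- grep(pat, readLines(f, warn = FALSE))
    if (length(hit) > 0)
      problems <- c(problems, sprintf("%s: hard-coded credential on line %s",
                                      basename(f), paste(hit, collapse = ", ")))
  }

  # 4. .Renviron must not sit under www/ (the folder the comments single out).
  www <- list.files(file.path(app_dir, "www"), all.files = TRUE, no.. = TRUE)
  if (".Renviron" %in% www) problems <- c(problems, ".Renviron found under www/")

  problems  # empty character vector means every check passed
}

# Constructed sample app: secret missing from .Renviron, no .gitignore, key left in app.R.
app <- file.path(tempdir(), "demo_app")
dir.create(app, showWarnings = FALSE)
writeLines(c('AWS_ACCESS_KEY_ID = "placeholder_id"', 'AWS_DEFAULT_REGION = "us-east-2"'),
           file.path(app, ".Renviron"))
writeLines('Sys.setenv("AWS_SECRET_ACCESS_KEY" = "placeholder_secret")', file.path(app, "app.R"))
print(check_app_secrets(app))
```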
3

Perhaps this solution is too basic, but you can simply create a .txt file, with the keys in it one per line. Then you can use scan() to read that file.

Something like:

   Sys.setenv("AWS_ACCESS_KEY_ID" = scan("file.txt",what="character")[1],
           "AWS_SECRET_ACCESS_KEY" = scan("file.txt",what="character")[2],
           "AWS_DEFAULT_REGION" = "us-east-2")

It is similar to the first solution in the "managing secrets" link in the comments, except that we use a simple text format instead of JSON.

JMenezes