
How to manage secret keys in PAWS?
Open, Lowest, Public

Description

Imagine that I would like to call an external API that requires a secret key for the API. Where should I put this secret?

Since files in PAWS are publicly accessible, putting the secrets in files is bad practice.

On sites that allow their users to run scripts, e.g. CI, there is usually a page that manages these secrets, and they are not stored in files.

Event Timeline

Chicocvenancio added a subscriber: Chicocvenancio.

In short, currently, don't.

If you must, and accept that several users will have access to the secret, you can change the file permissions to be readable only by the user; that will make it return a 403 on the paws-public endpoint, but it is by no means secret or secure.

> On sites that allow their users to run scripts, e.g. CI, there is usually a page that manages these secrets, and they are not stored in files.

That would be ideal: store this in the database or directly in Kubernetes and have a frontend for users to manage it. That requires a Jupyter server extension, and I am not aware of one that would fulfill this requirement. We could develop it if enough interest and volunteer time are available.
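The owner-only file permission mentioned in the comment above, as an added example that is not part of the original thread: a notebook helper that writes a key file with mode 0600 and refuses to load it if group or others can access it. The function names and the file name are hypothetical, and as the comment says, this only stops the file being served publicly; it does not make the value secret.

```python
import os
import stat


def write_secret(path, value):
    """Create or overwrite `path` so that only the owner can read it (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # The mode passed to os.open only applies to new files, so tighten
        # a pre-existing file explicitly before any data is written.
        os.fchmod(fd, 0o600)
        os.write(fd, value.encode("utf-8"))
    finally:
        os.close(fd)


def load_secret(path):
    """Return the secret, refusing files that group or others can access."""
    fd = os.open(path, os.O_RDONLY)
    try:
        # fstat checks the file that was actually opened, not whatever the
        # path points to by the time the check runs.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the current user")
        if st.st_mode & 0o077:
            mode = stat.S_IMODE(st.st_mode)
            raise PermissionError(f"{path}: mode {mode:04o} is open beyond the owner")
        with os.fdopen(fd, "r", encoding="utf-8", closefd=False) as fh:
            return fh.read().strip()
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed sample value and hypothetical file name.
    write_secret("api_key.txt", "constructed-example-key")
    print(load_secret("api_key.txt"))
```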

Thanks for the explanation. I'll keep that in mind.

Regarding the page that manages secrets, I found this project called JupyterLab Credential Store. Could we evaluate it? Thanks.

It also impacts the ability to use the OpenRefine tool that is integrated inside PAWS: it doesn't handle OAuth, so wiki credentials need to be entered to edit Wikidata from it.