Keeping API Keys Private in Blogdown

I'm in the process of writing a blog post that queries an API without an associated R package. Because there's no associated R package, I'm using the httr GET function which requires my API key to be in the string format. My question is, how do I keep my API key private so it doesn't show up in my website's public GitHub repository?

I'm familiar with caching API keys using options( ) as in options(tigris_use_cache = TRUE) for the tidycensus package but not sure how/whether to implement this in rmarkdown/blogdown for the API I linked to above. I haven't been able to find much help from Googling so any insight/tips would be greatly appreciated. :slight_smile:

2 Likes

There is the secret package, which I rather like. I've written a blog with (you guessed it) blogdown about it - https://www.mishabalyasin.com/2017/11/05/overview-secret-spelling/ :slight_smile:

5 Likes

The secret package is good, but I also have been known to make gratuitous use of passwords in environment variables. I pop them in my .Rprofile like this:

   Sys.setenv(MY_UID = "your_UID")
   Sys.setenv(MY_PWD = "your_password")

then in R I can call Sys.getenv("MY_UID") anywhere I need my UID, for example.

9 Likes
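
Added example, not part of any post in this thread: the environment-variable approach above applied to an httr GET call, stopping when the key is missing and redacting it from printed text, since blogdown's knitted output usually ends up in the repository as well. The variable name MY_API_KEY, the example.com endpoint and the api_key query parameter are assumptions.

```r
# Added example (not from the thread). Assumes the httr package is installed.
# MY_API_KEY, the endpoint URL and the "api_key" parameter are hypothetical.
library(httr)

# Read a secret from the environment; fail loudly instead of sending "".
get_secret <- function(name) {
  value <- Sys.getenv(name, unset = NA)
  if (is.na(value) || !nzchar(value)) {
    stop("Environment variable ", name, " is not set; define it in ",
         "~/.Renviron or ~/.Rprofile, outside the blog repository.",
         call. = FALSE)
  }
  value
}

# Replace every literal occurrence of the secret before text is printed or
# knitted. A key with characters that get URL-encoded would need the encoded
# form redacted as well; the constructed key below is alphanumeric.
redact <- function(text, secret) {
  gsub(secret, "<REDACTED>", text, fixed = TRUE)
}

# Query the API with the key in the query string and return parsed content
# only: printing the response object itself shows the full URL, key included.
query_api <- function(endpoint, key_var = "MY_API_KEY", ...) {
  resp <- GET(endpoint, query = list(api_key = get_secret(key_var), ...))
  stop_for_status(resp)
  content(resp, as = "parsed")
}

# Offline demonstration with a constructed key (normally set in ~/.Renviron).
Sys.setenv(MY_API_KEY = "constructedDemoKey123")
url <- modify_url("https://api.example.com/v1/data",
                  query = list(api_key = get_secret("MY_API_KEY"), year = 2018))
print(redact(url, get_secret("MY_API_KEY")))
Sys.unsetenv("MY_API_KEY")

# A missing variable stops the knit rather than sending a request with no key.
result <- tryCatch(get_secret("MY_API_KEY"),
                   error = function(e) conditionMessage(e))
print(result)
```

In a post, call query_api() inside the chunk and print only the parsed result, never the response object or the request URL.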

Thank you @mishabalyasin and @jdlong for your help! I'll try these suggestions.

I'd also recommend the keyring package, which is used by RStudio 1.2. It's cross-platform and works out of the box with Keychain on macOS and Credential Store on Windows. With an external dependency (libsecret), it also works with Secret Service on Linux. Here's a guide to it from RStudio, but I believe you can also use it independently :slightly_smiling_face:

8 Likes

Thanks, @rensa! I'll check that package out too.

1 Like

Is there a guide on using keyring on a headless server? I can't manage to make it work with libsecret in Ubuntu 16 Server (AWS instance).

I haven't actually tried it, unfortunately! I'll see what I can find in a few days :slightly_smiling_face:

1 Like

I like the simplicity of using a user-hidden config file that your R application accesses. I originally borrowed the idea from a Python module genlogics. In my case I was using the same API wrapper for 4 different servers - so I had a configuration file for each one...

~/server-1.config
~/server-2.config

etc. The config and configr packages make reading/writing config files super easy.

4 Likes

Thanks for this idea, @btupper!
