Storing secure API credentials in a golem app?

[rpodcast]

As I continue to convert more of my apps to {golem}, I found one area that I'm not quite sure how to handle. Some of my apps deployed on an internal Shiny Server Pro had to connect to some kind of service (say API or database) and my solution was to create a .Renviron in the app's root directory with the credentials, and ensure that the file was not tracked by Git, yet it would be included in the app deployment. If I convert one of these apps to {golem}, is it recommended to take a similar approach? Or should I try using a custom option instead?

[cderv]

I just chime in to share my practice on this one, even if it is not golem specific, but golem compatible for sure. That way, I'll see if I am the only one doing this.

I often usethis config 📦 to store configuration. I like very much the fact that I can have one file to store every configuration for different environment, and it will activate automatically depending on where my app run.

When I have credential, I use one of the two soltuions

• have two configuration files: on public conf, I follow on git and one private conf I do not follow on git
• Follow everything in one file, but store secrets in an environment variable I load in the config file using !expr Sys.getenv(...). Environment variable must be configured at deployment.

Most often I use the second way as I deloy in RStudio Connect, or using Docker and env variable can be configure in both case. And having all the configuration required for my app in one file is something I find a best practice.

Interested in your thought on this way of doing - it is always a good thing to be challenged on its practice 😃

[chintanp]

Is there a suggested solution for this yet?

Has anyone tried using the golem-config.yml file on shinyapps.io?

[cderv]

config 📦 can by used with shinyapps.io where R_CONFIG_ACTIVE env var is already set to shinyapps (see docs).
As show in the vignette about config, golem should respect this env var. So if you want to set some configurations only for shinyapps, you can create a shinyapps: part in the yaml file and it will be read when deployed. Special get_golem_config() should respect the environment variable set and load the correct config.

If you want to store secret in another yaml file not followed by git in addition to golem-config.yml, config 📦 allows that by loading another config file, from a config file (see example.

Hope it helps.