Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request: Docs on providing environmental variables to shiny-server #557

Open
nick-youngblut opened this issue Sep 28, 2023 · 3 comments
Open

Request: Docs on providing environmental variables to shiny-server #557

nick-youngblut opened this issue Sep 28, 2023 · 3 comments

Comments

@nick-youngblut
Copy link

nick-youngblut commented Sep 28, 2023
edited
Loading

I'm trying to run shiny-server within a docker container. For example:

docker run -it --rm -u shiny \
  -p 5000:5000 \
  --env-file ~/.Renviron \
  ${IMG_NAME}:${IMG_VERSION}

However, it appears that shiny-server wipes most environmental variables, according to this old thread. The thread pointed to a discussion in which the solution was to write the environmental variables (potentially sensitive secrets) in a file in the docker container, which I thought was a big security risk.

For the sake of security when developers deploy shiny apps with shiny-server, it would be great to have specific docs on how to deal with environmental variables and secrets handling. At least, I cannot find an such info in the docs.
@sambrilleman
Copy link

Any progress on this? Anyone have any updates on solutions or workarounds? We are suffering the same issue. Thanks!

@ekholme
Copy link

ekholme commented Aug 8, 2024

I deploy our shiny apps via Google Cloud & Cloud Run, and my workaround for this has been to:

  • Store secrets in Secret Manager
  • Build the shiny app using Docker & Cloud Build
  • Mount the secret as a volume in the Cloud Run service rather than expose it as an environment variable
  • Read the mounted secret into my app and use it

So, if I have a secret MY_SECRET, I might mount it to secret/MY_SECRET, and I use R's readLines("/secret/MY_SECRET") to access it from my shiny app.

I also use the {config} R package to facilitate switching between dev and prod environments. I specify the R_CONFIG_ACTIVE variable in a .Renviron file that I copy into the Docker container.

I imagine AWS and Azure can do the same thing, but I'm not familiar with the names of their services.

@capncodewash
Copy link

The following lines, if included in a Dockerfile, will rewrite the /opt/shiny-server/node_modules/sockjs/lib/transport.js file to forward headers of your choice to the environment. You would need to customise the list below. I have included an example header of X-MYHEADER1 and X-MYHEADER2, as well as cookie and user_email.

# Patch the shiny server to allow HTTP custom headers: (only those specifically listed)
RUN sed -i 's/createWebSocketClient(pathInfo)/createWebSocketClient(pathInfo, conn.headers)/' /opt/shiny-server/lib/proxy/sockjs.js
RUN sed -i "s/'referer'/'referer', 'cookie', 'user_email', 'x-myheader1', `x-myheader2'/" /opt/shiny-server/node_modules/sockjs/lib/transport.js

I can only imagine that the fact that Shiny server does not do this is a commercial decision by Posit.

Credit to this blog post, where I (think) I got the outline of the solution.

Tested as of version 1.5.23.1020.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@capncodewash @nick-youngblut @sambrilleman @ekholme