sargeMonkey

Reputation: 696

Storing passwords in Jupyter notebooks

Is there a way to store secrets/access secrets/passwords in notebooks? I have an API endpoint where I pull data from, and I don't want to expose the apiKey to everyone who can view the notebook.

Upvotes: 23

Views: 29332

Answers (6)

diyer0001

Reputation: 113

You ask about storing in the notebook. Is it to share with someone else? If so, you'd be better off just sending the secret to them over email (encrypted preferred) or calling them up. I think you want to just know how not to expose the secret if it's in your notebook. Your options:

Storing in the notebook:

  1. Hard code the password with %env in the notebook - as you say, you don't want to do this; this is a BAD habit to develop

Outside the notebook:

  1. Use the python-dotenv library and put the secret in a .env file. Issue: make sure you don't commit the .env file to your repo (put it in your .gitignore)
  2. Export as an envvar from the command line (or source from a file like .bashrc or some other config file you create) before you start jupyter. This option isn't obvious how to do if your jupyter is running in an IDE. Also your password will be in plaintext in your .bashrc or somewhere else (unless you export it manually each time). This is usually not a problem and has less risk than accidentally committing .env to your repo (by renaming a .env_tmp as part of development, or not putting it in .gitignore)
  3. Interactively ask for a password at runtime with getpass. This is fine, but you also have to copy/paste or type the pass every time you restart the kernel.
  4. PREFERRED: An even better option is to use the python keyring with your user's operating system keychain:
    import keyring as kr
    import os
    os.environ['MONGO_PASS'] = kr.get_password('MONGO_PASS', None)
    
    This password will be encrypted on disk, not in plain text, and only vulnerable to malicious applications on the same machine when the computer isn't locked. I think it's more portable than .bashrc. (See the documentation on how to insert/attach a key to your keychain.)
  5. If you're in a cloud platform (or have 3rd party software) use the secrets manager provided (like AWS Secrets Manager).

Upvotes: 0

morin

Reputation: 181

Use the standard configparser and a settings.ini file, without any additional dependency.

import configparser

config = configparser.ConfigParser()
config.read('settings.ini')

API_KEY = config['DEFAULT']['API_KEY']

Upvotes: 0

Silver Ringvee

Reputation: 5535

The simplest solution I've been using for a while.

Use getpass, the portable password input module.

import getpass

password = getpass.getpass('Enter your password')

print('Your password is: ' + password)

Upvotes: 16

henrywallace

Reputation: 743

Store your credentials in a JSON or YAML, and have your notebook parse the necessary parts.

import json

with open('credentials.json') as f:
    data = json.load(f)
    username = data['username']
    password = data['password']

You should avoid printing the secrets in the cell outputs, for otherwise any technique you choose will be foiled.

Upvotes: 15
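
The point about cell outputs, as an added example that is not part of any answer on this page: a value printed in a cell is saved inside the .ipynb file's JSON, so it travels with the file even when the secret was loaded safely. The notebook content and secret values below are constructed, and `find_leaks` is a hypothetical helper name.

```python
import json

# Constructed sample: a minimal nbformat-4 notebook in which one cell printed
# a secret and another hard-coded one with %env (all values are made up).
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": ["import getpass\n", "password = getpass.getpass()\n",
                    "print('Your password is: ' + password)"],
         "outputs": [{"output_type": "stream", "name": "stdout",
                      "text": ["Your password is: hunter2-constructed\n"]}]},
        {"cell_type": "code", "metadata": {}, "execution_count": 2,
         "source": "%env API_KEY=abc123-constructed", "outputs": []},
        {"cell_type": "code", "metadata": {}, "execution_count": 3,
         "source": ["import os\n", "key = os.environ['API_KEY']\n", "len(key)"],
         "outputs": [{"output_type": "execute_result", "execution_count": 3,
                      "metadata": {}, "data": {"text/plain": ["18"]}}]},
    ],
})

def _text(value):
    """nbformat stores text either as one string or as a list of lines."""
    return "".join(value) if isinstance(value, list) else str(value)

def find_leaks(notebook_json, secrets):
    """Return (cell_index, location, secret_name) for each secret value found
    in a cell's source or in its saved outputs."""
    leaks = []
    for i, cell in enumerate(json.loads(notebook_json).get("cells", [])):
        parts = [("source", _text(cell.get("source", "")))]
        for out in cell.get("outputs", []):
            parts.append(("output", _text(out.get("text", ""))))           # stream
            parts.append(("output", "\n".join(out.get("traceback", []))))  # error
            for payload in out.get("data", {}).values():                   # rich
                parts.append(("output", _text(payload)))
        for name, value in secrets.items():
            for location, text in parts:
                if value and value in text and (i, location, name) not in leaks:
                    leaks.append((i, location, name))
    return leaks

if __name__ == "__main__":
    known = {"password": "hunter2-constructed", "API_KEY": "abc123-constructed"}
    for cell, location, name in find_leaks(SAMPLE_NOTEBOOK, known):
        print(f"cell {cell}: {name} found in {location}")
```

Clearing all outputs before sharing or committing removes the first finding; the hard-coded `%env` line stays in the source until the cell itself is changed.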

Jacob Budin

Reputation: 10003

cco's answer is good, but if you're looking for a simpler solution, many people use environmental variables to keep secrets segregated from source code.

For example, you can provide them when executing your script in the shell:

$ API_TOKEN=abc123 python script.py

In your source code:

import os
API_TOKEN = os.environ.get("API_TOKEN")

For your Jupyter notebooks, you can use python-dotenv or a similar package to "retrieve" a .env file that contains your project's secrets and is ignored by your version control system.

Once you've created your .env file (either manually, or using the package's command line tool), you can use python-dotenv in Jupyter (or IPython) like so:

%load_ext dotenv
%dotenv
import os
os.environ.get("API_TOKEN")

Upvotes: 11

cco

Reputation: 6281

You can use the keyring package to store sensitive information in a system-specific protected store.
It can be installed via pip from PyPI.

Upvotes: 5
