Request: Docs on providing environmental variables to shiny-server
Opened this issue · 2 comments
I'm trying to run shiny-server within a docker container. For example:
```
docker run -it --rm -u shiny \
  -p 5000:5000 \
  --env-file ~/.Renviron \
  ${IMG_NAME}:${IMG_VERSION}
```
However, it appears that shiny-server wipes most environmental variables, according to this old thread. The thread pointed to a discussion in which the solution was to write the environmental variables (potentially sensitive secrets) in a file in the docker container, which I thought was a big security risk.
For the sake of security when developers deploy shiny apps with shiny-server, it would be great to have specific docs on how to deal with environmental variables and secrets handling. At least, I cannot find any such info in the docs.
Any progress on this? Anyone have any updates on solutions or workarounds? We are suffering the same issue. Thanks!
I deploy our shiny apps via Google Cloud & Cloud Run, and my workaround for this has been to:
- Store secrets in Secret Manager
- Build the shiny app using Docker & Cloud Build
- Mount the secret as a volume in the Cloud Run service rather than expose it as an environment variable
- Read the mounted secret into my app and use it
So, if I have a secret `MY_SECRET`, I might mount it to `secret/MY_SECRET`, and I use R's `readLines("/secret/MY_SECRET")` to access it from my shiny app.
I also use the `{config}` R package to facilitate switching between dev and prod environments. I specify the `R_CONFIG_ACTIVE` variable in a `.Renviron` file that I copy into the Docker container.
I imagine AWS and Azure can do the same thing, but I'm not familiar with the names of their services.
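
The mounted-secret approach from the last comment, as an added example that is not part of the thread or of shiny-server itself: it reads a secret from a file under a mount directory, rejects names that could escape that directory, and fails closed when the file is missing or empty. `read_secret()` is a hypothetical helper, and a temporary directory with a constructed value stands in for the real `/secret` mount.

```r
# Added example: read a secret from a mounted file instead of an environment
# variable. The /secret mount point and MY_SECRET name follow the comment
# above; read_secret() itself is a hypothetical helper.
read_secret <- function(name, dir = "/secret") {
  # Accept only plain file names so a caller cannot walk out of the mount dir.
  if (!grepl("^[A-Za-z0-9_.-]+$", name) || name %in% c(".", "..")) {
    stop("invalid secret name")
  }
  path <- file.path(dir, name)
  if (!file.exists(path) || dir.exists(path)) {
    # Fail closed: do not start the app with a missing credential.
    stop("secret '", name, "' is not mounted under ", dir)
  }
  # Warn when the file is world-readable (mode bit 0o004).
  mode <- file.info(path)$mode
  if (!is.na(mode) && bitwAnd(as.integer(mode), 4L) != 0L) {
    warning("secret file ", path, " is world-readable")
  }
  value <- paste(readLines(path, warn = FALSE), collapse = "\n")
  value <- sub("[\r\n]+$", "", value)  # drop trailing blank lines
  if (!nzchar(value)) stop("secret '", name, "' is empty")
  value
}

# Constructed demo: a temporary directory stands in for the mounted volume.
demo_dir <- tempfile("secret")
dir.create(demo_dir, mode = "0700")
demo_file <- file.path(demo_dir, "MY_SECRET")
writeLines("constructed-value-123", demo_file)
Sys.chmod(demo_file, mode = "0400")

token <- read_secret("MY_SECRET", dir = demo_dir)
stopifnot(identical(token, "constructed-value-123"))
# Report only that the secret loaded, never its value.
message("MY_SECRET loaded (", nchar(token), " characters)")

# A path-traversal style name is rejected before any file access.
res <- tryCatch(read_secret("../etc/passwd", dir = demo_dir),
                error = function(e) conditionMessage(e))
stopifnot(identical(res, "invalid secret name"))
unlink(demo_dir, recursive = TRUE)
```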