We have multiple scenarios where a python script running as a scheduled task needs to publish some analysis results to ArcGIS Online and overwrite a hosted feature layer with new data.
In the arcpy API reference, several examples of how to connect to ArcGIS Online within a python script are given.
# Usage Example 2: Built-in Login to ArcGIS Online
gis = GIS(username="someuser", password="secret1234")
# Usage Example 3: Built-in Login to ArcGIS Enterprise
gis = GIS(url="http://pythonplayground.esri.com/portal",
username="user1", password="password1")
# Usage Example 4: Built-in Login to ArcGIS Enterprise, ignoring SSL errors
gis = GIS(url="http://pythonplayground.esri.com/portal", username="user1",
password="password1", verify_cert=False)
# Usage Example 6: PKI Login to ArcGIS Enterprise, using PKCS12 user certificate
gis = GIS(url="https://pkienterprise.esri.com/portal",
cert_file="C:\users\someuser\mycert.pfx", password="password1")
All of these examples seem to be encouraging the developer to store user credentials in plain text. Doing this in any environment (dev, prod or otherwise) should violate any organization's information security policies.
It was suggested to me that the credential strings be encrypted/decrypted. This would be better than storing as plain text, but we are talking about a python script. An unencrypted password still has to be stored somewhere, and any capable developer could pull the script into their IDE of choice and inspect the password variable right after decryption and before making the api call.
Is there another option in arcpy that allows me to pass a token that's generated from client_id and shared secret instead of user credentials? Is there a different module that is actually secure that I've missed?
