arcpy connect to Portal without passing user credentials in plain text

02-17-2021 06:33 AM
GeoSolver
New Contributor III

We have multiple scenarios where a Python script running as a scheduled task needs to publish some analysis results to ArcGIS Online and overwrite a hosted feature layer with new data.

In the arcpy API reference, several examples of how to connect to ArcGIS Online within a Python script are given.

from arcgis.gis import GIS

# Usage Example 2: Built-in Login to ArcGIS Online
gis = GIS(username="someuser", password="secret1234")

# Usage Example 3: Built-in Login to ArcGIS Enterprise
gis = GIS(url="http://pythonplayground.esri.com/portal",
          username="user1", password="password1")

# Usage Example 4: Built-in Login to ArcGIS Enterprise, ignoring SSL errors
gis = GIS(url="http://pythonplayground.esri.com/portal", username="user1",
          password="password1", verify_cert=False)

# Usage Example 6: PKI Login to ArcGIS Enterprise, using PKCS12 user certificate
# (raw string so the backslashes in the Windows path are not read as escapes)
gis = GIS(url="https://pkienterprise.esri.com/portal",
          cert_file=r"C:\users\someuser\mycert.pfx", password="password1")

All of these examples seem to be encouraging the developer to store user credentials in plain text.  Doing this in any environment (dev, prod or otherwise) should violate any organization's information security policies.

It was suggested to me that the credential strings be encrypted/decrypted. This would be better than storing as plain text, but we are talking about a Python script. An unencrypted password still has to be stored somewhere, and any capable developer could pull the script into their IDE of choice and inspect the password variable right after decryption and before making the API call.

Is there another option in arcpy that allows me to pass a token that's generated from client_id and shared secret instead of user credentials?  Is there a different module that is actually secure that I've missed?

0 Kudos
3 Replies
JoshuaBixby
MVP Esteemed Contributor
0 Kudos
GeoSolver
New Contributor III

The keyring approach sounded promising, but amazingly, the keyring.get_password method still returns the password as a string. It's good that I can call the password out of the Windows vault using this method, but again, it gets stored as a string and can be inspected, printed, whatever.

0 Kudos
MehdiPira1
Esri Contributor

Hi @GeoSolver ,

Try this one:

gis = GIS("Pro")

0 Kudos
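The keyring approach discussed in this thread, written out for a scheduled task as an added example (not code from any poster or from Esri). The vault entry name "arcgis-portal", the account svc_publish, the URL portal.example.com and the DemoVault class are hypothetical; the real calls used are keyring.get_password and arcgis.gis.GIS.

```python
from dataclasses import dataclass, field


class CredentialMissing(RuntimeError):
    """No vault entry was found; the scheduled task should fail closed."""


@dataclass(frozen=True)
class PortalLogin:
    url: str
    username: str
    password: str = field(repr=False)  # left out of repr, so not in logs


class DemoVault:
    """Constructed stand-in for the keyring module so the block runs offline."""
    def __init__(self, entries):
        self._entries = entries

    def get_password(self, service, username):
        return self._entries.get((service, username))


def load_login(url, username, service="arcgis-portal", backend=None):
    """Fetch the password at run time instead of hard-coding it.

    "arcgis-portal" is a hypothetical vault entry name. backend defaults to
    the keyring package; any object with get_password(service, user) works.
    """
    if backend is None:
        import keyring as backend  # third-party package, imported lazily
    secret = backend.get_password(service, username)
    if not secret:  # keyring returns None when the entry does not exist
        raise CredentialMissing(f"no entry for {username!r} under {service!r}")
    return PortalLogin(url, username, secret)


def connect(login, gis_factory=None):
    """Hand the secret to GIS; this code never writes it to disk or logs it."""
    if gis_factory is None:
        from arcgis.gis import GIS as gis_factory  # ArcGIS API for Python
    return gis_factory(url=login.url, username=login.username,
                       password=login.password)


if __name__ == "__main__":
    vault = DemoVault({("arcgis-portal", "svc_publish"): "constructed-secret"})
    print(load_login("https://portal.example.com/portal", "svc_publish", backend=vault))
```

Store the entry once with keyring.set_password("arcgis-portal", "svc_publish", ...) while logged in as the account the scheduled task runs under, because the Windows vault is per user.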