Connect to the GIS in Python scripts without embedded passwords or login prompts

10-13-2020 09:50 AM
by Anonymous User

Scripts that use the ArcGIS API for Python to accomplish any automated task within ArcGIS Online usually need to connect to the ArcGIS Online organization first. The easiest way to do this is to hardcode your password into the script. Any of us who have worked with the ArcGIS API for Python are familiar with these ubiquitous lines:

from arcgis.gis import GIS
gis = GIS("https://arcgis.com", "Username", "Password")

However, hardcoding passwords into scripts is a security risk for a number of reasons. One of the most common is mistakenly sharing a script that still contains your embedded password, whether to a public repository or with colleagues. Thankfully, there are multiple approaches for authenticating to the GIS that remove the password from the script and do not require any sort of login prompt (meaning they can run automatically, without anyone present to type a password).
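As an added example (not from the original post or from Esri), the check below uses Python's ast module to flag scripts that still pass a string literal as the password to GIS() or keyring.set_password(), so it can run before a script is shared or committed. The function name find_hardcoded_passwords and the sample script are constructed for illustration.

```python
import ast
import sys

# Calls whose password must not be a string literal:
# call name -> (positional index of the password, keyword name).
PASSWORD_ARGS = {"GIS": (2, "password"), "set_password": (2, "password")}

# Constructed sample input built from the connection patterns on this page.
SAMPLE = '''\
from arcgis.gis import GIS
import keyring
gis = GIS("https://arcgis.com", "my_username", "my_password")
gis = GIS("https://arcgis.com", profile="Esri Support Admin")
pw = keyring.get_password("ArcGISOnline", "my_username")
gis = GIS("https://arcgis.com", "my_username", pw)
gis = GIS("https://arcgis.com", username="my_username", password="my_password")
keyring.set_password("ArcGISOnline", "my_username", "my_password")
gis = GIS("Pro")
'''

def _call_name(func):
    """Bare name of the callee, e.g. GIS or (for keyring.set_password) set_password."""
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else None

def find_hardcoded_passwords(source, filename="<script>"):
    """Return sorted (filename, line, call) tuples for calls given a literal password."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or _call_name(node.func) not in PASSWORD_ARGS:
            continue
        name = _call_name(node.func)
        index, keyword = PASSWORD_ARGS[name]
        # Collect the password argument whether passed by position or keyword.
        values = [node.args[index]] if len(node.args) > index else []
        values += [kw.value for kw in node.keywords if kw.arg == keyword]
        if any(isinstance(v, ast.Constant) and isinstance(v.value, str) for v in values):
            findings.append((filename, node.lineno, name))
    return sorted(findings)

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none are given.
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            hits += find_hardcoded_passwords(handle.read(), path)
    for path, line, call in hits or ([] if sys.argv[1:] else find_hardcoded_passwords(SAMPLE)):
        print(f"{path}:{line}: {call}() is passed a literal password")
    sys.exit(1 if hits else 0)
```

The check matches on the call name only, so an unrelated function named set_password would also be reported; one-time setup snippets that store the password are flagged on purpose, since they should not be committed either.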

Option 1: Store your credentials to a profile

This is recommended in the API guide. The profile parameter uses the keyring library to store your username in an unencrypted config file and securely store your password in the operating system's password manager. Once you set the profile, you can log in using just the profile name, referencing the credentials stored in the config file and password manager associated with that specific profile. The sample below shows how to get started:

### Set up a profile
from arcgis.gis import GIS
gis_profile = GIS("https://arcgis.com", "my_username", "my_password", profile="Esri Support Admin")
print("Profile defined for {}".format(gis_profile))
Profile defined for GIS @ https://<myOrg>.maps.arcgis.com version:8.3

Now that we've established the profile, we can connect to the GIS using only the profile parameter:

### Log in with a profile
from arcgis.gis import GIS
gis = GIS("https://arcgis.com", profile="Esri Support Admin")
print("Connected to the GIS as {}.".format(gis.properties.user.username))
Connected to the GIS as my_username.

Option 2: Directly access keyring to store your password

Keyring is installed in the ArcGIS Pro default Python environment and can be used to securely store a password in the operating system's password manager. 

The concept is similar to setting a profile and accessing it later. The first step is to set the password, and optionally verify that the password has been stored as you expect. ArcGISOnline is passed as the first argument (keyring calls it the service name), which is used to keep track of which passwords go with which usernames.

### Set password and optionally verify storage
import keyring
keyring.set_password("ArcGISOnline", "my_username", "my_password")
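# Optionally verify password storage. This prints the password in clear text,
# so run it interactively only and remove it before scheduling the script.
pw = keyring.get_password("ArcGISOnline", "my_username")
print(pw)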
my_password

With the password set, you can use the get_password() method to retrieve the needed password from the operating system's password manager to sign into the GIS. Since we stored it under ArcGISOnline in the code above, we'll need to pass the same name to retrieve the correct password:

### Access the stored password with keyring and sign into the GIS
from arcgis.gis import GIS
import keyring
pw = keyring.get_password("ArcGISOnline", "my_username")
gis = GIS("https://arcgis.com", "my_username", pw)
print("Connected to the GIS")
Connected to the GIS

Option 3: Use the active ArcGIS Pro connection

Connecting to the GIS using the active ArcGIS Pro connection is also covered in the API Guide. No credentials are required; you just need to make sure ArcGIS Pro is on your machine and you are connected to the intended ArcGIS Online organization. The really advantageous part about using the Pro connection is that it works with SAML logins, so if you need to automate a script that requires authentication and don't have or don't want to use built-in users, this method is the way to go. To leverage the Pro connection without ArcGIS Pro concurrently running, you'll need to select "Sign me in automatically" when connecting to the organization in ArcGIS Pro, or take your license offline.

### Use the active Pro connection
### This example uses a SAML login
from arcgis import GIS
gis = GIS("Pro")
print(gis)
GIS @ https://<myOrg>.maps.arcgis.com/ version:8.3

--------------------

I hope you found these tips helpful for securely automating authentication using the ArcGIS API for Python! Thanks for reading, and please let me know any feedback in the comments below.