topic Re: Store secrets - SAS 9.4M4 in Administration and Deployment

Store secrets - SAS 9.4M4

freshstarter — Tue, 22 Oct 2024 20:32:53 GMT

Hello,

We are in SAS 9.4M7 and recently we have written SAS code proc http post method to generate and extract oauth token from Microsoft Azure. As this is the test environment, we have hardcoded the client id and client secrets in the SAS code to retrive the token. But we cant take this approach in Production as these details should be masked (or) invisible where end users should not see.

Thought of using Azure key vault to store these secrets, but we cant use proc python in SAS 9.4 as proc python is available only in SAS Viya. We dont want to store these secrets in a file that resides on the server.

Are there are any ways where we can store these secrets securely and retrive that in SAS code efficiently ? Please let me know. Thanks

Re: Store secrets - SAS 9.4M4

SASKiwi — Tue, 22 Oct 2024 20:39:31 GMT

Can you post your test code example so we can get a better idea of what you are doing?

Re: Store secrets - SAS 9.4M4

gwootton — Tue, 22 Oct 2024 20:56:43 GMT

Could you build the PROC HTTP call with the hardcoded client ID and secret into a compiled macro? The users could run the macro to get the token but not be able to see the source code that contains the secret.

https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/mcrolref/n0sjezyl65z1cpn1b6mqfo8115h2.htm

Re: Store secrets - SAS 9.4M4

freshstarter — Tue, 22 Oct 2024 21:06:39 GMT

Below is my code where the client_id and secrets are hardcoded now.

filename resp temp;

proc http

url="https://login.microsoftonline.com/<Tenant-id>/oauth2/v2.0/token"

in='grant_type=client_credentails&client_id=1234567-abc&client_secret=123dbc-oG&scope=api://erderf/.default'

ct="application/x-www-form-urlencoded"

out=resp

method='POST';

run;

libname auth json fileref=resp;

data _null_;

set auth.root;

call.symputx('token',access_token);

run;

%put &token;

Re: Store secrets - SAS 9.4M4

carl_sommer — Tue, 22 Oct 2024 22:34:33 GMT

To amend what Greg suggested, you'll want to use both the STORE and the SECURE options.
STORE provides macro compilation; SECURE provides encryption (so nosy people turning on MPRINT, etc get nada, zip, zilch)

See Example 5: Using the %MACRO Statement with the STORE and SECURE Options

Carl Sommer - SAS Technical Support

Re: Store secrets - SAS 9.4M4

freshstarter — Wed, 23 Oct 2024 10:31:31 GMT

Thank you for the suggestion