Hello,
My question may be very basic. It can be a straightforward answer like 'Yes' (or) 'no' 🙂
Client secrets are stored in Azure Key Vault and I need to use those details to connect to Snowflake using OAuth authentication. As we don't have SAS Viya yet, I have written SAS code using PROC HTTP and I am able to use the OAuth functionality. I have hardcoded the client secrets for the time being. As per the suggestion, I have created the secure macro for storing the credentials https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/mcrolref/n0sjezyl65z1cpn1b6mqfo8115h2.htm
But as per this documentation https://communities.sas.com/t5/SAS-Explore-Presentations/Guarding-Secrets-in-SAS-Programs-With-Azure... , secrets can be retrieved using Python code if we are in SAS Viya.
As we are in SAS 9.4M7 on RHEL servers, why can't we take this approach of getting the secrets from Azure vault? Please let me know if it is not possible.
1. Install Python on RHEL
2. Install these two packages
pip install azure-identity
pip install azure-keyvault-secrets
3. Create a Python file as mentioned in this documentation https://communities.sas.com/t5/SAS-Explore-Presentations/Guarding-Secrets-in-SAS-Programs-With-Azure... and store it on the Linux server as test.py
4. Then, from the SAS program, call the Python script
filename cmd pipe "python test.py";
data work.secret;
infile cmd;
input;
put _infile_;
run;
5. Get the client secret from the work.secret data set, assign it to a macro variable and then pass it to the connection string to Snowflake.
I don't know much about Python and seriously the above approach may not be achievable at all. Please let me know your thoughts.
Thanks
Getting an official response from SAS Tech Support by opening a support track is the best option here for such a specialist topic.
Should work if you have the ability to run shell commands turned on in your SAS session so that the PIPE will work.
But how is it any better or easier than what you already created with PROC HTTP?
By looking at the presentation you shared for the approach under Viya I believe this could work very similarly under SAS9.4.
You obviously don't have Proc Python under SAS9.4 but you can still run a Python script out of SAS (as a child process, for example using the system() function).
In the presentation the secret retrieved by the Python script gets then stored in a macro variable used in the SAS code as value for the libname password parameter.
As far as I understand it for an implementation under SAS9.4 the only changes required would be how you call the Python script out of SAS and how you pass back the secret from Python to the parent SAS process. All the rest should work the same.
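So, like in your step, for a call of a Python script that returns the secret:
/* Run the Python script as a child process and read its stdout */
filename cmd pipe "python test.py";
data _null_;
infile cmd;
input;
/* Store the line that was read in the macro variable KVSecret */
call symputx('KVSecret',_infile_);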
run;
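One way the test.py read through the pipe above could be written, as an added example that is not the script from the linked presentation and not code from anyone in this thread. The environment variable names KV_URL and KV_SECRET_NAME and the optional client parameter (which lets a stub stand in for the vault) are assumptions; DefaultAzureCredential and SecretClient come from the two packages named in step 2.

```python
"""test.py: print one Azure Key Vault secret on stdout for a SAS FILENAME PIPE."""
import os
import sys


def fetch_secret(vault_url, secret_name, client=None):
    """Return the secret as one line; raise ValueError if it is unusable."""
    if client is None:
        # Imported lazily: only needed when talking to a real vault.
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.secrets import SecretClient
        client = SecretClient(vault_url=vault_url,
                              credential=DefaultAzureCredential())
    value = client.get_secret(secret_name).value
    if not value:
        raise ValueError("secret is empty")
    # The SAS step stores each pipe line with CALL SYMPUTX, so a multi-line
    # value would leave only its last line in the macro variable.
    if "\n" in value or "\r" in value:
        raise ValueError("secret contains a line break")
    return value


def main(env=None, out=None, err=None, client=None):
    env = os.environ if env is None else env
    out = sys.stdout if out is None else out
    err = sys.stderr if err is None else err
    try:
        # KV_URL and KV_SECRET_NAME are assumed names, not from the thread.
        value = fetch_secret(env["KV_URL"], env["KV_SECRET_NAME"], client)
    except Exception as exc:
        # Report on stderr, and only the exception type, so that no error
        # text is printed where the caller expects the secret.
        print(f"key vault lookup failed: {type(exc).__name__}", file=err)
        return 1
    out.write(value + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the secret arrives on stdout, the put _infile_; statement in step 4 of the question would copy it into the SAS log, whereas the call symputx step only stores it in the macro variable.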