Re: Python script on SAS 9.4 M7

freshstarter

Hello,

My question may be very basic..It can be a straight forward answer like 'Yes' (or) 'no' 🙂

Clients secrets are stored in Azure Key vault and I need to use those details to connect to snowflake using Oauth authentication. As we dont have SAS Viya yet, I'm written SAS code using proc http and then I able to use the Oauth functionaility. I have hardcoded the client secrets currently for time being. As per the suggestion, I have created the secure macro for storing the credentails https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/mcrolref/n0sjezyl65z1cpn1b6mqfo8115h2.htm

But as per this documentation https://communities.sas.com/t5/SAS-Explore-Presentations/Guarding-Secrets-in-SAS-Programs-With-Azure... , secrets can be retrieved using python code if we are in SAS Viya.

As we are in SAS 9.4M7 on RHEL servers, why cant we take this approach of getting the secrets from Azure vault ? Please let me know if it is not possible

1. Install python on RHEL

2. Install these two packages

pip install azure-identity
pip install azure-keyvault-secrets

3.Create a python file as mentioned in this documentation https://communities.sas.com/t5/SAS-Explore-Presentations/Guarding-Secrets-in-SAS-Programs-With-Azure... and store it on the Linux server as test.py

4. Then from SAS program , call the python script

filename cmd pipe "python test.py";

data work.secret;

infile cmd;

input;

put _infile_;

run;

5. Get the client secret from the work.secret data set and assign it to macro variable and then pass it to the connection string to snowflake.

I dont know much about Python and seriously the above approach may be not achievable at all . Please let me know your thoughts.

Thanks

SASKiwi

Getting an official response from SAS Tech Support by opening a support track is the best option here for such a specialist topic.

Tom

Should work if you have ability to run shell commands turned on in your SAS session so that the PIPE will work.

But how it is any better or easier than what you already created with PROC HTTP?

gwootton

If your program "test.py" when run outputs the desired secret in plain text to stdout, then your solution to run it from a pipe and retrieve the output seems valid to me.

The code in the linked SAS Explore presentation does not do that, it defines a function that is then called using PROC PYTHON to pull the secret object returned by the python function into a macro variable, so the python code would need to be modified to instead print the secret to stdout.

--
Greg Wootton | Principal Systems Technical Support Engineer

Patrick

By looking at the presentation you shared for the approach under Viya I believe this could work very similarly under SAS9.4.

You obviously don't have Proc Python under SAS9.4 but you can still run a Python script out of SAS (as a child process, for example using the system() function).

In the presentation the secret retrieved by the Python script gets then stored in a macro variable used in the SAS code as value for the libname password parameter.

As far as I understand it for an implementation under SAS9.4 the only changes required would be how you call the Python script out of SAS and how you pass back the secret from Python to the parent SAS process. All the rest should work the same.

So like in your step for a call of a Python script that returns the secret.

filename cmd pipe "python test.py";
data _null_;
  infile cmd;
  input;
  call symputx('KVSecret',_infile_);
run;

freshstarter

Thank you for all your suggestio. I ll give a try and keep you informed .