Request: Docs on providing environmental variables to shiny-server

[nick-youngblut]

I'm trying to run shiny-server within a docker container. For example:

docker run -it --rm -u shiny \
  -p 5000:5000 \
  --env-file ~/.Renviron \
  ${IMG_NAME}:${IMG_VERSION}

However, it appears that shiny-server wipes most environmental variables, according to this old thread. The thread pointed to a discussion in which the solution was to write the environmental variables (potentially sensitive secrets) in a file in the docker container, which I thought was a big security risk.

For the sake of security when developers deploy shiny apps with shiny-server, it would be great to have specific docs on how to deal with environmental variables and secrets handling. At least, I cannot find an such info in the docs.

[sambrilleman]

Any progress on this? Anyone have any updates on solutions or workarounds? We are suffering the same issue. Thanks!

[ekholme]

I deploy our shiny apps via Google Cloud & Cloud Run, and my workaround for this has been to:

• Store secrets in Secret Manager
• Build the shiny app using Docker & Cloud Build
• Mount the secret as a volume in the Cloud Run service rather than expose it as an environment variable
• Read the mounted secret into my app and use it

So, if I have a secret MY_SECRET, I might mount it to secret/MY_SECRET, and I use R's readLines("/secret/MY_SECRET") to access it from my shiny app.

I also use the {config} R package to facilitate switching between dev and prod environments. I specify the R_CONFIG_ACTIVE variable in a .Renviron file that I copy into the Docker container.

I imagine AWS and Azure can do the same thing, but I'm not familiar with the names of their services.