search

Qiskit / documentation

The documentation content home for https://docs.quantum.ibm.com.
https://docs.quantum.ibm.com
Apache License 2.0
38 stars 81 forks source link

Add instructions to securely manage token #2322

Open abbycross opened 1 week ago

abbycross commented 1 week ago

Closes #2255

review-notebook-app[bot] commented 1 week ago

Check out this pull request on  ReviewNB

See visual diffs & provide feedback on Jupyter Notebooks.

Powered by ReviewNB

abbycross commented 1 week ago

I've added this content into a twistie in the requested spots. I wonder about potential confusion around the nesting, though - particularly on the functions page, where two similar code blocks appear one after the other when the twistie is opened. An alternative would be to separate this information out into a separate page, and simply point to that page from the three requested spots. Does this merit a separate page or is it working in-context? Thoughts @beckykd @javabster @pandasa123 ?

beckykd commented 6 days ago

confusion around the nesting

I wonder if it would make more sense to move the twistie after the save_account code block.

You could also separate the information into another section so it stands out better.

(Optional) Save your account information

You can optionally use the save_account() method or environment variables...

save account method

environment variables

abbycross commented 6 days ago

confusion around the nesting

I wonder if it would make more sense to move the twistie after the save_account code block.

You could also separate the information into another section so it stands out better.

(Optional) Save your account information

You can optionally use the save_account() method or environment variables...

save account method

environment variables

I like this idea to move save-account info into its own section - I'll mock it up.

qiskit-bot commented 6 days ago

One or more of the following people are relevant to this code:

Eric-Arellano commented 3 days ago

How is this more secure? Any process that can read files can get the environment variable, and the environment variable is still plaintext. Would be nice to add a line explaining why.

Storing secrets in source code is extremely dangerous because source code gets checked into version control like Git. With reading from an environment variable, it is true that any process with access to os.environ can access it - however it's at least not in version control.

frankharkins commented 3 days ago

Storing secrets in source code is extremely dangerous

Yes but that's not the alternative. We're proposing environment variables as an alternative to storing in a config file (~/.qiskit/qiskit-ibm.json). I don't see how it's much different from putting your token in a .envrc.

abbycross commented 3 days ago

@Eric-Arellano @pandasa123 I used tabs to demo the two ways to accomplish this. Do the tab labels make sense? (I used "Within Qiskit Runtime" and "Within Qiskit Functions") https://qiskit.github.io/documentation/pr-2322/guides/setup-channel#securely-manage-your-token

pandasa123 commented 3 days ago

Yes but that's not the alternative. We're proposing environment variables as an alternative to storing in a config file (~/.qiskit/qiskit-ibm.json). I don't see how it's much different from putting your token in a .envrc.

I don't fully disagree, but the number of people who share notebooks with their API token embedded inside is incredibly high. We should be telling them how to better handle their tokens

Do the tab labels make sense?

Yep

abbycross commented 2 days ago

@jyu00 Would it be even more explicit to instead replace (token="<YOUR_IQP_API_TOKEN>") with (token=<your-environment-variable>) and point to the environment variable setup section in the accompanying text, like this?

Screenshot 2024-11-19 at 10 45 17 AM
jyu00 commented 2 days ago

@jyu00 Would it be even more explicit to instead replace (token="<YOUR_IQP_API_TOKEN>") with (token=<your-environment-variable>) and point to the environment variable setup section in the accompanying text, like this?

I don't think it's necessary to have a separate page for setting up the env variation, since it's part of the one-time setup process. So the steps can just be

1-3 same as before

  1. Set the environment variable
  2. Use save_account() to store the account information, with token=<your-env-variable>.

People who don't want to store their credentials locally should skip both steps 4 & 5.

abbycross commented 2 days ago

@jyu00 Would it be even more explicit to instead replace (token="<YOUR_IQP_API_TOKEN>") with (token=<your-environment-variable>) and point to the environment variable setup section in the accompanying text, like this?

I don't think it's necessary to have a separate page for setting up the env variation, since it's part of the one-time setup process. So the steps can just be

1-3 same as before 4. Set the environment variable 5. Use save_account() to store the account information, with token=<your-env-variable>.

People who don't want to store their credentials locally should skip both steps 4 & 5.

Ok! So we weren't setting up a separate page anyway, just a separate section - but I think I'm following that we should just bake the environment variable part into the setup page, and point back to it whenever the code involves authenticating. (lmk if I misunderstood!)

jyu00 commented 2 days ago

Ok! So we weren't setting up a separate page anyway, just a separate section - but I think I'm following that we should just bake the environment variable part into the setup page, and point back to it whenever the code involves authenticating. (lmk if I misunderstood!)

Yes, so people don't need to jump to a separate section just for that. And it'd be easier to mention that the credentials are saved in plain text in both cases.