Hiding injected parameters when using Python + Jupyter

[multimeric]

Description

Consider the following Quarto document which depends on the use of a username and password. We don't want to hardcode our authentication details into the notebook for security reasons, so we have added them as parameters. We have also added echo: false to the parameters block with the intention of hiding the username and password.

```{python}
#| tags: [parameters]
#| echo: false
username = None
password = None
```

```{python}
import requests
from requests.auth import HTTPBasicAuth

requests.get("https://example.com", auth=HTTPBasicAuth(username, password))
```

However, when we render this notebook, it appears as follows:

The parameter definition block has been successfully hidden, but the parameter values have not. Unfortunately there is no obvious way to hide it, despite it being security critical to do so.

One workaround I've discovered is to make the default computation block hidden, by adding this to the YAML header:

---
execute: 
  echo: false
---

This works, but has the downside that we now have to echo: true every subsequent block that we want to show, which is most of them.

I wonder if there is a better way to stop my parameters showing up?

This question/issue/feature request relates to #723 (comment), the status of which is not clear.

[mcanouil]

I'll take a look.
What version of Quarto CLI are you using?

Meanwhile, I wouldn't use parameters for sensitive data but environment variables, possibly defined in _environment (alongside _quarto.yml).

[mcanouil]

A bit of details, the code cell with the parameters only appears when setting the new parameters.

quarto render document.qmd --execute-param username:John

This won't display the code cell:

quarto render document.qmd

[mcanouil]

FYI, I've figured out what's the issue. That's a regression caused by:

• jupyter,parameters - do not duplicate cell label when creating papermill cell #11262

The last working version is 1.6.33.

[mcanouil]

@multimeric Thanks for the finding.
I have opened an issue:

• "Injected Parameters" code cell no longer inherits from "parameters" code cell #11990

[cderv]

We'll fix the regression, though I want to add some additional information about your usecase

Consider the following Quarto document which depends on the use of a username and password. We don't want to hardcode our authentication details into the notebook for security reasons, so we have added them as parameters.

We have a feature in Quarto to provide secrets through environment variables: https://quarto.org/docs/projects/environment.html#managing-secrets

Environment variables are accessible using computation code cells.

This could be an alternative to using parameters.

[mcanouil]

Thanks for adding the link to the documentation which I did not in my comment (#11988 (comment)).