Authentication using environment variables

When using this method, the authentication mode and its parameters are defined by the environment that an application is run in, as described here.

By setting one of the following environment variables, you can control the authentication method:

  • YDB_SERVICE_ACCOUNT_KEY_FILE_CREDENTIALS=<path/to/sa_key_file> — use a service account key file in Yandex Cloud.
  • YDB_ANONYMOUS_CREDENTIALS="1" — use anonymous authentication. Useful for testing against a Docker container with YDB.
  • YDB_METADATA_CREDENTIALS="1" — use the metadata service inside Yandex Cloud (Yandex Cloud Function or VM).
  • YDB_ACCESS_TOKEN_CREDENTIALS=<access_token> — use token-based authentication; the variable's value is the access token itself.

Below are examples of authentication using environment variables in different YDB SDKs.

package main

import (
  "context"
  "os"

  environ "github.com/ydb-platform/ydb-go-sdk-auth-environ"
  "github.com/ydb-platform/ydb-go-sdk/v3"
)

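// main opens a YDB connection whose credentials are selected from the YDB_*
// environment variables by environ.WithEnvironCredentials, so the program
// itself carries no secret.
func main() {
  ctx, cancel := context.WithCancel(context.Background())
  defer cancel()
  // os.Getenv returns "" for an unset variable. Stop here with a message that
  // names only the variable, rather than handing an empty connection string
  // to ydb.Open and surfacing a less obvious error.
  connectionString := os.Getenv("YDB_CONNECTION_STRING")
  if connectionString == "" {
    panic("YDB_CONNECTION_STRING is not set")
  }
  db, err := ydb.Open(ctx,
    connectionString,
    environ.WithEnvironCredentials(ctx),
  )
  if err != nil {
    panic(err)
  }
  // Runs before cancel(), because deferred calls execute in reverse order.
  defer db.Close(ctx)
  ...
}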
package main

import (
  "context"
  "database/sql"
  "os"

  environ "github.com/ydb-platform/ydb-go-sdk-auth-environ"
  "github.com/ydb-platform/ydb-go-sdk/v3"
)

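// main opens a native YDB driver with credentials selected from the YDB_*
// environment variables, then exposes it through database/sql.
func main() {
  ctx, cancel := context.WithCancel(context.Background())
  defer cancel()
  // os.Getenv returns "" for an unset variable. Stop here with a message that
  // names only the variable, rather than handing an empty connection string
  // to ydb.Open and surfacing a less obvious error.
  connectionString := os.Getenv("YDB_CONNECTION_STRING")
  if connectionString == "" {
    panic("YDB_CONNECTION_STRING is not set")
  }
  nativeDriver, err := ydb.Open(ctx,
    connectionString,
    environ.WithEnvironCredentials(ctx),
  )
  if err != nil {
    panic(err)
  }
  defer nativeDriver.Close(ctx)
  // The connector is built from the already-authenticated native driver, so
  // the database/sql handle below needs no credentials of its own.
  connector, err := ydb.Connector(nativeDriver)
  if err != nil {
    panic(err)
  }
  db := sql.OpenDB(connector)
  // Deferred calls run in reverse order: db is closed before nativeDriver.
  defer db.Close()
  ...
}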
/**
 * Runs {@code doWork} against a query client whose transport authenticates
 * with an {@code EnvironAuthProvider}; no credentials appear in the code.
 *
 * @param connectionString connection string passed to
 *                         {@code GrpcTransport.forConnectionString}
 */
public void work(String connectionString) {
    AuthProvider envCredentials = new EnvironAuthProvider();

    // Nested try-with-resources: the query client is closed first, then the transport.
    try (GrpcTransport grpcTransport = GrpcTransport.forConnectionString(connectionString)
            .withAuthProvider(envCredentials)
            .build()) {
        try (QueryClient client = QueryClient.newClient(grpcTransport).build()) {
            doWork(client);
        }
    }
}
/**
 * Opens a JDBC connection without explicit credentials and passes it to
 * {@code doWork}.
 *
 * @throws SQLException if the connection cannot be opened or {@code doWork} fails
 */
public void work() throws SQLException {
    // The Properties object is left empty on purpose: the driver reads the YDB_*
    // environment variables in the order described in
    // [Authentication](../../reference/ydb-sdk/auth.md#env)
    // NOTE(review): this URL uses the grpc:// scheme against localhost; presumably a
    // non-local endpoint should use the TLS form of the URL — confirm with the driver docs.
    String jdbcUrl = "jdbc:ydb:grpc://localhost:2136/local";
    Properties noExplicitCredentials = new Properties();
    try (Connection connection = DriverManager.getConnection(jdbcUrl, noExplicitCredentials)) {
        doWork(connection);
    }
}

In Spring Boot, ORMs, and other JDBC wrappers, use the same JDBC URL (for example, via spring.datasource.url); credentials from the environment are picked up the same way as in the example above.

  import { Driver, getCredentialsFromEnv } from 'ydb-sdk';

  /**
   * Creates a Driver that authenticates with credentials taken from the
   * environment (getCredentialsFromEnv) and waits for it to become ready.
   *
   * If the driver is not ready within the timeout, a message is logged and the
   * process exits with code 1; otherwise the connected driver is returned.
   */
  export async function connect(endpoint: string, database: string) {
      const driver = new Driver({
          endpoint,
          database,
          authService: getCredentialsFromEnv(),
      });
      const timeout = 10000;
      const isReady = await driver.ready(timeout);
      if (!isReady) {
          console.log(`Driver has not become ready in ${timeout}ms!`);
          process.exit(1);
      }
      console.log('Driver connected');
      return driver;
  }
  import os
  import ydb

  # Both the connection string and the credentials come from the environment;
  # os.environ[...] raises KeyError if YDB_CONNECTION_STRING is unset.
  connection_string = os.environ["YDB_CONNECTION_STRING"]
  env_credentials = ydb.credentials_from_env_variables()

  with ydb.Driver(connection_string=connection_string, credentials=env_credentials) as driver:
      driver.wait(timeout=5)
      ...
  import os
  import ydb
  import asyncio

  async def ydb_init():
      """Open an asynchronous YDB driver configured entirely from the environment.

      The endpoint and database are read from YDB_ENDPOINT and YDB_DATABASE
      (KeyError if either is unset); the credentials are whatever
      ydb.credentials_from_env_variables() returns.
      """
      endpoint = os.environ["YDB_ENDPOINT"]
      database = os.environ["YDB_DATABASE"]
      env_credentials = ydb.credentials_from_env_variables()

      async with ydb.aio.Driver(
          endpoint=endpoint, database=database, credentials=env_credentials
      ) as driver:
          await driver.wait()
          ...

  asyncio.run(ydb_init())
<?php

use YdbPlatform\Ydb\Ydb;
use YdbPlatform\Ydb\Auth\EnvironCredentials;

// Connection settings for a local YDB instance. No secret is stored in this
// array: the 'credentials' entry defers to the process environment.
$config = [

    // Database path
    'database'    => '/local',

    // Database endpoint
    'endpoint'    => 'localhost:2136',

    // Auto discovery (dedicated server only)
    'discovery'   => false,

    // IAM config
    // NOTE(review): 'insecure' => true presumably turns off TLS for the
    // connection — confirm against the SDK docs. That matches the localhost
    // endpoint above; for any non-local server, switch it off and enable the
    // root CA line below.
    'iam_config'  => [
        'insecure' => true,
        // 'root_cert_file' => './CA.pem', // Root CA file (uncomment for dedicated server)
    ],

    // Authentication method is chosen from the YDB_* environment variables
    // rather than from values written in this file.
    'credentials' => new EnvironCredentials()
];

// Create the client from the configuration above.
$ydb = new Ydb($config);