Authentication in the SDK
As we discussed in the YDB server connection article, the client must add an authentication token to each request. The authentication token is checked by the server. If the authentication is successful, the request is authorized and executed. Otherwise, the Unauthenticated error returns.
The YDB SDK uses an object that is responsible for generating these tokens. SDK provides built-in methods for getting such an object:
- The methods that pass parameters explicitly, with each method implementing a certain authentication mode.
- The method that determines the authentication mode and relevant parameters based on environmental variables.
Usually, you create a token generation object before you initialize the YDB driver, and you pass the object to the driver constructor as a parameter. The C++ and Go SDKs additionally let you work with multiple databases and token generation objects through a single driver.
If the token generation object is not defined, the driver won't add any authentication data to the requests. This approach enables you to successfully connect to locally deployed YDB clusters without enabling mandatory authentication. If you enable mandatory authentication, database requests without an authentication token will be rejected with an authentication error.
Methods for creating token generation objects
You can click any of the methods below to go to the source code of an example in the repository. You can also learn about the authentication code recipes.
| Mode | Method |
|---|---|
| Anonymous | ydb.AnonymousCredentials() |
| Access Token | ydb.AccessTokenCredentials( token ) |
| Metadata | ydb.iam.MetadataUrlCredentials() |
| Service Account Key | ydb.iam.ServiceAccountCredentials.from_file(key_file, iam_endpoint=None, iam_channel_credentials=None ) |
| Determined by environment variables | ydb.credentials_from_env_variables() |
| Mode | Package | Method |
|---|---|---|
| Anonymous | ydb-go-sdk/v3 | ydb.WithAnonymousCredentials() |
| Access Token | ydb-go-sdk/v3 | ydb.WithAccessTokenCredentials(token) |
| Metadata | ydb-go-yc | yc.WithMetadataCredentials(ctx) |
| Service Account Key | ydb-go-yc | yc.WithServiceAccountKeyFileCredentials(key_file) |
| Static Credentials | ydb-go-sdk/v3 | ydb.WithStaticCredentials(user, password) |
| Determined by environment variables | ydb-go-sdk-auth-environ | environ.WithEnvironCredentials(ctx) |
| Mode | Method |
|---|---|
| Anonymous | tech.ydb.core.auth.NopAuthProvider.INSTANCE |
| Access Token | new tech.ydb.core.auth.TokenAuthProvider(accessToken); |
| Metadata | tech.ydb.auth.iam.CloudAuthHelper.getMetadataAuthProvider(); |
| Service Account Key | tech.ydb.auth.iam.CloudAuthHelper.getServiceAccountFileAuthProvider(saKeyFile); |
| Determined by environment variables | tech.ydb.auth.iam.CloudAuthHelper.getAuthProviderFromEnviron(); |
| Mode | Method |
|---|---|
| Anonymous | AnonymousAuthService() |
| Access Token | TokenAuthService( accessToken, database ) |
| Metadata | MetadataAuthService( database ) |
| Service Account Key | getSACredentialsFromJson( saKeyFile ) |
| Static Credentials | StaticCredentialsAuthService( user, password, endpoint ) |
| Determined by environment variables | getCredentialsFromEnv( entryPoint, database, logger ) |
| Mode | Method |
|---|---|
| Anonymous | ydb::StaticToken("") |
| Access Token | ydb::StaticToken(token) |
| Metadata | ydb::GCEMetadata, ydb::YandexMetadata |
| Service Account Key | not supported |
| Determined by environment variables | not supported |
| Execution of an external command | ydb.CommandLineYcToken (for example, for authentication using a Yandex.Cloud IAM token from the developer's computer ydb::CommandLineYcToken.from_cmd("yc iam create-token")) |
Procedure for determining the authentication mode and parameters from the environment
The following algorithm that is the same for all SDKs applies:
- If the value of the
YDB_SERVICE_ACCOUNT_KEY_FILE_CREDENTIALSenvironment variable is set, the System Account Key authentication mode is used and the key is taken from the file whose name is specified in this variable. - Otherwise, if the value of the
YDB_ANONYMOUS_CREDENTIALSenvironment variable is set to 1, the anonymous authentication mode is used. - Otherwise, if the value of the
YDB_METADATA_CREDENTIALSenvironment variable is set to 1, the Metadata authentication mode is used. - Otherwise, if the value of the
YDB_ACCESS_TOKEN_CREDENTIALSenvironment variable is set, the Access token authentication mode is used, where the this variable value is passed. - Otherwise, the Metadata authentication mode is used.
If the last step of the algorithm is selecting the Metadata mode, you can deploy a working application on VMs and in Yandex.Cloud Cloud Functions without setting any environment variables.
Peculiarities of YDB Python SDK v2 (deprecated version)
Warning
The behavior of the YDB Python SDK v2 (deprecated version) differs from the above-described version.
- The algorithm of the
construct_credentials_from_environ()function from the YDB Python SDK v2:- If the value of the
USE_METADATA_CREDENTIALSenvironment variable is set to 1, the Metadata authentication mode is used. - Otherwise, if the value of the
YDB_TOKENenvironment variable is set, the Access Token authentication mode is used, where this variable value is passed. - Otherwise, if the value of the
SA_KEY_FILEenvironment variable is set, the System Account Key authentication mode is used and the key is taken from the file whose name is specified in this variable. - Or else, no authentication information is added to requests.
- If the value of the
- If no object responsible for generating tokens is passed when initializing the driver, the general procedure for reading environment variables applies.