Authentication in the SDK

As we discussed in the YDB server connection article, the client must add an authentication token to each request. The authentication token is checked by the server. If the authentication is successful, the request is authorized and executed. Otherwise, the Unauthenticated error returns.

The YDB SDK uses an object that is responsible for generating these tokens. SDK provides built-in methods for getting such an object:

  1. The methods that pass parameters explicitly, with each method implementing a certain authentication mode.
  2. The method that determines the authentication mode and relevant parameters based on environmental variables.

Usually, you create a token generation object before you initialize the YDB driver, and you pass the object to the driver constructor as a parameter. The C++ and Go SDKs additionally let you work with multiple databases and token generation objects through a single driver.

If the token generation object is not defined, the driver won't add any authentication data to the requests. This approach enables you to successfully connect to locally deployed YDB clusters without enabling mandatory authentication. If you enable mandatory authentication, database requests without an authentication token will be rejected with an authentication error.

Methods for creating token generation objects

You can click any of the methods below to go to the source code of an example in the repository. You can also learn about the authentication code recipes.

Mode Method
Anonymous ydb.AnonymousCredentials()
Access Token ydb.AccessTokenCredentials( token )
Metadata ydb.iam.MetadataUrlCredentials()
Service Account Key ydb.iam.ServiceAccountCredentials.from_file(
key_file, iam_endpoint=None, iam_channel_credentials=None )
Determined by environment variables ydb.credentials_from_env_variables()
Mode Method
Anonymous ydb::StaticToken("")
Access Token ydb::StaticToken(token)
Metadata ydb::GCEMetadata, ydb::YandexMetadata
Static Credentials ydb::StaticCredentialsAuth
Service Account Key not supported
Determined by environment variables not supported
Execution of an external command ydb.CommandLineYcToken (for example, for authentication using a Yandex.Cloud IAM token from the developer's computer ydb::CommandLineYcToken.from_cmd("yc iam create-token"))

Procedure for determining the authentication mode and parameters from the environment

The following algorithm that is the same for all SDKs applies:

  1. If the value of the YDB_SERVICE_ACCOUNT_KEY_FILE_CREDENTIALS environment variable is set, the System Account Key authentication mode is used and the key is taken from the file whose name is specified in this variable.
  2. Otherwise, if the value of the YDB_ANONYMOUS_CREDENTIALS environment variable is set to 1, the anonymous authentication mode is used.
  3. Otherwise, if the value of the YDB_METADATA_CREDENTIALS environment variable is set to 1, the Metadata authentication mode is used.
  4. Otherwise, if the value of the YDB_ACCESS_TOKEN_CREDENTIALS environment variable is set, the Access token authentication mode is used, where the this variable value is passed.
  5. Otherwise, the Metadata authentication mode is used.

If the last step of the algorithm is selecting the Metadata mode, you can deploy a working application on VMs and in Yandex.Cloud Cloud Functions without setting any environment variables.

Peculiarities of YDB Python SDK v2 (deprecated version)

Warning

The behavior of the YDB Python SDK v2 (deprecated version) differs from the above-described version.

  • The algorithm of the construct_credentials_from_environ() function from the YDB Python SDK v2:
    • If the value of the USE_METADATA_CREDENTIALS environment variable is set to 1, the Metadata authentication mode is used.
    • Otherwise, if the value of the YDB_TOKEN environment variable is set, the Access Token authentication mode is used, where this variable value is passed.
    • Otherwise, if the value of the SA_KEY_FILE environment variable is set, the System Account Key authentication mode is used and the key is taken from the file whose name is specified in this variable.
    • Or else, no authentication information is added to requests.
  • If no object responsible for generating tokens is passed when initializing the driver, the general procedure for reading environment variables applies.