Authentication in the SDK

    The YDB SDK uses an object that is responsible for generating these tokens. The SDK provides built-in methods for obtaining this object:

    1. Methods with parameters passed explicitly, each of the methods implements a certain authentication mode.
    2. A method that determines the authentication mode and the necessary parameters from environment variables.

    Usually, you create a token generation object before you initialize the YDB driver, and you pass the object to the driver constructor as a parameter. The C++ and Go SDKs additionally let you work with multiple databases and token generation objects through a single driver.

    If a token generation object is not defined, the driver won’t add any authentication information to requests. This may let you successfully connect to locally deployed YDB clusters with no mandatory authentication configured. If it is configured, DB requests without an authentication token will be rejected with an authentication error returned.

    Python

    Go

    Java

    The following algorithm that is the same for all SDKs applies:

    1. If the value of the YDB_SERVICE_ACCOUNT_KEY_FILE_CREDENTIALS environment variable is set, the System Account Key authentication mode is used and the key is taken from the file whose name is specified in this variable.
    2. Otherwise, if the value of the environment variable is set to 1, the anonymous authentication mode is used.
    3. Otherwise, if the value of the YDB_METADATA_CREDENTIALS environment variable is set to 1, the Metadata authentication mode is used.
    4. Otherwise, the Metadata authentication mode is used.

    If the last step of the algorithm is selecting the Metadata mode, you can deploy a working application on VMs and in Cloud Functions in Yandex.Cloud without setting any environment variables.

    Warning

    1. The algorithm for determining the authentication mode and the necessary parameters from the environment variables in the method differs from the one used in other SDKs:
      • If the value of the USE_METADATA_CREDENTIALS environment variable is set to 1, the Metadata authentication mode is used.
      • Otherwise, if the value of the YDB_TOKEN environment variable is set, the Access Token authentication mode is used, where this variable value is passed.
      • Otherwise, if the value of the environment variable is set, the System Account Key authentication mode is used and the key is taken from the file whose name is specified in this variable.
    2. If no object responsible for generating tokens is passed when initializing the driver, the for reading environment variable values applies.