Domino’s environment variables give you a safe and easy way to inject sensitive configuration into the execution of your analysis or models.
Environment variables are stored securely. They can only be modified by the owners of the project or the editors of a model. They are not tied to the version history of your project or model, so they can easily be revoked.
Your code might have to connect to external resources, like a database or S3. Often these connections are authenticated through a secure password, key, or token. Do not include this type of secure configuration directly in your source because:
- You might want to share source files but not the credentials.
- It’s difficult to scrub references to those credentials from a version control system like Git or Domino.
- You might want only a more privileged user (like the project owner) to change certain configuration parameters. If configuration is all done through code, then all users that can modify the scripts can change the configuration.
Domino recommends that you store your configuration and permissions separately from your code, and have them injected when your code executes.
Use environment variables to set up the secure configuration to be injected when the project executes.
- Go to the Settings tab on the project.
- In the Environment variables section, add the key/value pairs that will be injected as environment variables.
The values are passed verbatim, so escaping is not required. The value has a 64K length limit.
You can also configure environment variables on a per-user basis. The system injects these variables at execution time for any run that the user starts.
User environment variables are automatically imported into runs across all projects, and can be accessed like any other environment variables. User-specific environment variables are not used or available in models.
- Click your username and then select Account Settings to open the Account Settings page.
- Go to the User environment variables section.
- Configure variables for your user account in the same way as project environment variables (described previously).
Use environment variables to set up your secure configuration to be injected at execution.
- Go to the Settings tab on the model to configure.
- In the Environment section, add key/value pairs that will be injected as environment variables at execution.
The values are passed verbatim, so no escaping is required. The value has a 64K length limit.
When you add a variable, the values are pushed to all running model versions.
Project-level and user-level environment variables are not used in models and must be set separately on the model.
If you want to reference custom-defined environment variables in the pre- or post-setup script of your custom compute environment, you’ll need to make sure the variable name has the prefix DRT_.
You can set the same variable in different places. Each level overrides the previous one in the following order:
- Compute environment
- Project
- User Account
The following example shows how a variable’s value can be set at each level and the expected result:

| Where set | Run#1 | Run#2 | Run#3 |
| --- | --- | --- | --- |
| Compute Environment | A | A | A |
| Project | - | B | B |
| User Account | - | - | C |
| Run Result | A | B | C |
Every language has its own way of reading environment variables. In Python, it might look like this:
import os
s3 = S3Client(os.environ['S3_KEY'], os.environ['S3_SECRET'])
For more details, see Python help.
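The following is an added example, not part of the Domino documentation. It shows one way to read injected variables such as S3_KEY and S3_SECRET so that a missing variable fails fast (for instance in a model, which does not receive project or user variables) and values never appear in logs or tracebacks. The names Secret, MissingConfigError and load_secrets are hypothetical helpers, and the sample values are constructed.

```python
import os


class Secret:
    """Holds a secret value; repr() and str() never reveal it."""
    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def reveal(self):
        # Call only at the point where the credential is handed to a client.
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


class MissingConfigError(RuntimeError):
    """Raised when a required environment variable is unset or empty."""


def load_secrets(names, environ=None):
    """Return {name: Secret} for all required names, or raise listing every gap."""
    environ = os.environ if environ is None else environ
    # An empty value is treated as missing; values are otherwise used verbatim.
    missing = sorted(n for n in names if not environ.get(n))
    if missing:
        # Report names only, never values or a dump of the environment.
        raise MissingConfigError(
            "missing environment variables: " + ", ".join(missing))
    return {n: Secret(environ[n]) for n in names}


if __name__ == "__main__":
    # Constructed sample; in a real run the platform injects os.environ.
    sample = {"S3_KEY": "constructed-key-id", "S3_SECRET": "constructed-secret"}
    creds = load_secrets(["S3_KEY", "S3_SECRET"], sample)
    print(creds)  # values are masked, so this is safe to log
    try:
        load_secrets(["S3_KEY", "S3_SECRET"], {"S3_KEY": "constructed-key-id"})
    except MissingConfigError as err:
        print(err)
```

Pass `creds["S3_KEY"].reveal()` and `creds["S3_SECRET"].reveal()` to the client constructor, and call `load_secrets` once at startup so a misconfigured run or model stops before doing any work.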
In R, it might look like this:
makeS3Client(Sys.getenv("S3_KEY"), Sys.getenv("S3_SECRET"))
For more details, see R help.