MySQL
To connect to an Oracle Database, you need the following:
user name
password
hostname
port, the default is 3306
The MySQLDBSecretKeeper
class saves the Oracle Database credentials to the OCI Vault service.
Saving Credentials
Prerequisites
OCID of the vault created in the OCI Console.
OCID of the master key to use for encrypting the secret content stored inside the vault.
OCID of the compartment where the vault resides. This defaults to the compartment of the notebook session when used in a Data Science notebook session.
MySQLDBSecretKeeper
You can use the following parameters with MySQLDBSecretKeeper:
user_name: str
. The user name to be stored.password: str
. The password of the database.host: str
. The hostname of the database.port: (str, optional). Default 3306
. Port number of the database service.database: (str, optional)
. The database name if available.vault_id: str
. OCID of the vault.key_id: str
. OCID of the master key used for encrypting the secret.compartment_id: str
. OCID of the compartment where the vault is located. Defaults to the compartment of the notebook session when used in a Data Science notebook session.
MySQLDBSecretKeeper.save
MySQLDBSecretKeeper.save
API serializes and stores the credentials to the vault using the following parameters:
name (str)
– Name of the secret when saved in the vault.description (str)
– Description of the secret when saved in the vault.freeform_tags (dict, optional)
– Freeform tags to be used for saving the secret in the OCI Console.defined_tags (dict, optional.)
– Save the tags under predefined tags in the OCI Console.
The secret content has the following options:
user_name
password
host
port
database
Examples
Saving DB credentials
import ads
from ads.secrets.mysqldb import MySQLDBSecretKeeper
vault_id = "ocid1.vault.oc1..<unique_ID>"
key_id = "ocid1.key..<unique_ID>"
ads.set_auth("resource_principal") # If using resource principal for authentication
connection_parameters={
"user_name":"<your user name>",
"password":"<your password>",
"service_name":"service_name",
"host":"<db host>",
"port":"<db port>",
}
mysqldb_keeper = MySQLDBSecretKeeper(vault_id=vault_id,
key_id=key_id,
**connection_parameters)
mysqldb_keeper.save("mysqldb_employee", "My DB credentials", freeform_tags={"schema":"emp"})
print(mysqldb_keeper.secret_id) # Prints the secret_id of the stored credentials
'ocid1.vaultsecret.oc1..<unique_ID>'
You can save the vault details in a file for later reference, or use it in your code using export_vault_details
API calls. The API currently enables you to export the information as a YAML file or a JSON file.
mysqldb_keeper.export_vault_details("my_db_vault_info.json", format="json")
To save as a YAML file:
mysqldb_keeper.export_vault_details("my_db_vault_info.yaml", format="yaml")
Loading Credentials
Prerequisite
OCID of the secret stored in the Vault service.
MySQLDBSecretKeeper.load_secret
MySQLDBSecretKeeper.load_secret
API deserializes and loads the credentials from the vault. You could use this API in one of
the following ways:
Using a with
statement:
with MySQLDBSecretKeeper.load_secret('ocid1.vaultsecret.oc1..<unique_ID>') as mysqldb_secret:
print(mysqldb_secret['user_name']
Without using a with
statement:
mysqldb_secretobj = MySQLDBSecretKeeper.load_secret('ocid1.vaultsecret.oc1..<unique_ID>')
mysqldb_secret = mysqldb_secretobj.to_dict()
print(mysqldb_secret['user_name'])
load_secret
takes following parameters:
source
: Either the file that was exported fromexport_vault_details
, or the OCID of the secret.format
: (Optional) Ifsource
is a file, then this value must bejson
oryaml
depending on the file format.export_env
: The default isFalse
. If set toTrue
, the credentials are exported as environment variabled when used with thewith
operator.export_prefix
: The default name for environment variable is user_name, password, service_name. and wallet_location. You can add a prefix to avoid name collision.auth
: Provide overridingauth
information if theauth
information is different from theads.set_auth
setting.
Examples
Access Credentials with a With Statement
import ads
ads.set_auth('resource_principal') # If using resource principal authentication
from ads.secrets.mysqldb import MySQLDBSecretKeeper
with MySQLDBSecretKeeper.load_secret(
"ocid1.vaultsecret.oc1..<unique_ID>"
) as mysqldb_creds2:
print (mysqldb_creds2["user_name"]) # Prints the user name
print (mysqldb_creds2["user_name"]) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block
Contextually Export Credentials as an Environment Variable Using a With Statement
To expose credentials as an environment variable, set export_env=True
. The following keys are exported:
Secret attribute |
Environment Variable Name |
---|---|
user_name |
user_name |
password |
password |
host |
host |
port |
port |
database |
database |
import os
import ads
ads.set_auth('resource_principal') # If using resource principal authentication
from ads.secrets.mysqldb import MySQLDBSecretKeeper
with MySQLDBSecretKeeper.load_secret(
"ocid1.vaultsecret.oc1..<unique_ID>",
export_env=True
):
print(os.environ.get("user_name")) # Prints the user name
print(os.environ.get("user_name")) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block
Avoiding Name Collision with Your Existing Environment Variables
You can avoid name collision by setting a prefix string using export_prefix
along with export_env=True
. For example, if you set prefix as myprocess
,
then the keys are exported as:
Secret attribute |
Environment Variable Name |
---|---|
user_name |
myprocess.user_name |
password |
myprocess.password |
host |
myprocess.host |
port |
myprocess.port |
database |
myprocess.database |
import os
import ads
ads.set_auth('resource_principal') # If using resource principal authentication
from ads.secrets.mysqldb import MySQLDBSecretKeeper
with MySQLDBSecretKeeper.load_secret(
"ocid1.vaultsecret.oc1..<unique_ID>",
export_env=True,
export_prefix="myprocess"
):
print(os.environ.get("myprocess.user_name")) # Prints the user name
print(os.environ.get("myprocess.user_name")) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block