Configuration Variables
Configuration is passed to the Sundeck Private Broker via environment variables. The following environment variables are required to run the Sundeck Private Broker. The Private Broker is a stateless service, so it is safe to restart the service at any time to apply new configuration.
Note that these variables can be set in a variety of ways, including directly in the Docker run command, in a Kubernetes deployment manifest, or in a Docker Compose file. The method of setting these variables will depend on the deployment method chosen.
In addition, the Private Broker can be configured to use a HashiCorp Vault instance to store sensitive information such as Snowflake service account credentials. If you choose to use Vault, many of the environment variables below will not be required, as the Private Broker will fetch the necessary configuration from Vault at runtime.
There are a number of environment variables listed in the table below which pertain to the Sundeck Service Account user in Snowflake. The Sundeck Private Broker makes use of this Snowflake Service Account login to periodically fetch the contents of Pinned Tables, which are cached in broker memory for fast access during broker rules processing.
Note that user queries are not executed using this Service Account user; queries are always executed as the user connecting to the broker.
Env variable name | Sample value | Description |
---|---|---|
SUNDECK_BROKER_REST_API_PATH | https://api.sundeck.io/us-west-2/v1 | The base URL for the control plane REST APIs; the private broker uses this to fetch broker configuration. Note that you should provide the URL which corresponds to your Sundeck region. Valid values are: https://api.sundeck.io/us-east-1/v1, https://api.sundeck.io/us-east-2/v1, https://api.sundeck.io/us-west-2/v1 |
SUNDECK_BROKER_PORT | 8080 | The TCP port on which the Sundeck Broker HTTP service listens. Note that SQL clients should not connect to this port directly; connections from clients should be via HTTPS, terminated on a load balancer which then routes to this port over HTTP. |
SUNDECK_BROKER_TOKEN | sndk_gp6xxx | This token is used by the private broker to authenticate with the Sundeck SaaS Control Plane. Broker tokens can be generated via the SaaS UI, or by running Sundeck DDL through a connection to the Broker: CREATE OR REPLACE SUNDECK TOKEN MY_BROKER_TOKEN PURPOSE = BROKER; If Vault integration is used, will be populated from Vault. |
SUNDECK_SF_USERNAME | xx@abc.com | Snowflake username for the Sundeck Service Account user. This user will need to have SELECT rights on any tables in Snowflake which are to be used as Pinned Tables. If Vault integration is used, will be populated from Vault. |
SUNDECK_SF_PASSWORD | yyyyyy | Snowflake password for the Sundeck Service Account user. If Vault integration is used, will be populated from Vault. |
SUNDECK_SF_WAREHOUSE | COMPUTE_WH | Snowflake Warehouse to be used by the Sundeck Service Account user (for reading Pinned Tables). If Vault integration is used, will be populated from Vault. |
SUNDECK_SF_ROLE | PUBLIC | Snowflake Role to be assumed by the Sundeck Service Account user. If Vault integration is used, will be populated from Vault. |
SUNDECK_SF_PRIVATEKEY | MIIFHDBOBgkq… | RSA private key (can be encrypted or unencrypted), for use if the Sundeck Service Account user is configured for keypair authentication. Please see https://docs.snowflake.com/en/user-guide/key-pair-auth. If Vault integration is used, will be populated from Vault. |
SUNDECK_SF_PRIVATEKEY_PASSPHRASE | <passphrase> | Only required if keypair encryption is being used, and the RSA key passed to SUNDECK_SF_PRIVATEKEY has been encrypted with a passphrase. If Vault integration is used, will be populated from Vault. |
SUNDECK_BROKER_SSL_CERT | -----BEGIN CERTIFICATE----- MIIDlDCCAxug... -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIGHAgEAMB... -----END PRIVATE KEY----- | If this config is set, the private broker will host an HTTPS/SSL endpoint instead of an HTTP endpoint. This string value should be the PEM-formatted certificate concatenated with the PEM-formatted private key (i.e. with the -----BEGIN xxxx----- and -----END xxxx----- lines included). If Vault integration is used, will be populated from Vault. |
SUNDECK_BROKER_SSL_CERT_PASSPHRASE | <passphrase> | Only to be given if SUNDECK_BROKER_SSL_CERT has an encrypted private key. If Vault integration is used, will be populated from Vault. |

Integration type | Env variable name | Sample value | Description |
---|---|---|---|
hashicorp/vault | VAULT_ADDR | http://192.168.64.1:8200 | URL of the HashiCorp Vault instance |
hashicorp/vault | VAULT_TOKEN | myroot | Token used to access HashiCorp Vault |

Env variable name | Default value | Description |
---|---|---|
SUNDECK_LOG_LEVEL | INFO | This value will be used as the log level. Set to DEBUG for debugging. |
SUNDECK_BROKER_FLOW_CACHE_TTL_SECONDS | 120 | The polling interval at which the Private Broker will attempt to fetch configuration information from the Sundeck SaaS Control Plane. |
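
A pre-start check of the variables in the tables above, as an added example (not Sundeck's own code). It assumes that a set VAULT_ADDR means Vault integration is in use and that the service account needs either a password or a private key; `check_broker_env` and `SAMPLE_ENV` are hypothetical names, and the sample values are constructed.

```python
import re

# Regional control-plane URLs listed as valid in the table above.
VALID_API_PATHS = {f"https://api.sundeck.io/{region}/v1"
                   for region in ("us-east-1", "us-east-2", "us-west-2")}
# Variables the table marks "will be populated from Vault" that have no alternative.
VAULT_BACKED = ["SUNDECK_BROKER_TOKEN", "SUNDECK_SF_USERNAME",
                "SUNDECK_SF_WAREHOUSE", "SUNDECK_SF_ROLE"]
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.+?-----END \1-----", re.S)
# Constructed sample: Vault mode, TLS value missing its private key block.
SAMPLE_ENV = {
    "SUNDECK_BROKER_REST_API_PATH": "https://api.sundeck.io/us-west-2/v1",
    "SUNDECK_BROKER_PORT": "8080",
    "VAULT_ADDR": "https://vault.example.internal:8200",
    "VAULT_TOKEN": "placeholder-token",
    "SUNDECK_BROKER_SSL_CERT": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----",
}

def check_broker_env(env):
    """Return a list of problems, naming variables but never echoing their values."""
    problems = []
    if env.get("SUNDECK_BROKER_REST_API_PATH") not in VALID_API_PATHS:
        problems.append("SUNDECK_BROKER_REST_API_PATH is not a listed regional URL")
    port = env.get("SUNDECK_BROKER_PORT", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("SUNDECK_BROKER_PORT is not a valid TCP port")
    if env.get("VAULT_ADDR"):  # Assumption: VAULT_ADDR set means Vault mode.
        if not env.get("VAULT_TOKEN"):
            problems.append("VAULT_ADDR is set but VAULT_TOKEN is missing")
    else:
        problems += [f"{name} is missing" for name in VAULT_BACKED if not env.get(name)]
        # Assumption: the service account logs in with a password or a key pair.
        if not (env.get("SUNDECK_SF_PASSWORD") or env.get("SUNDECK_SF_PRIVATEKEY")):
            problems.append("neither SUNDECK_SF_PASSWORD nor SUNDECK_SF_PRIVATEKEY is set")
    cert = env.get("SUNDECK_BROKER_SSL_CERT")
    if cert:  # The value must hold the certificate and the private key together.
        labels = [m.group(1) for m in PEM_BLOCK.finditer(cert)]
        if "CERTIFICATE" not in labels:
            problems.append("SUNDECK_BROKER_SSL_CERT has no certificate block")
        if not any(label.endswith("PRIVATE KEY") for label in labels):
            problems.append("SUNDECK_BROKER_SSL_CERT has no private key block")
    return problems

if __name__ == "__main__":
    print(check_broker_env(SAMPLE_ENV))
```

Passing `os.environ` to `check_broker_env` in a container entrypoint checks the live environment; because only variable names are reported, the output is safe to write to logs.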