Configuration Specs
Configuration Specs in dlt
are Python dataclasses that define how complex configuration values,
particularly credentials, should be handled.
They specify the types, defaults, and parsing methods for these values.
Working with credentials (and other complex configuration values)โ
For example, a spec like GcpServiceAccountCredentials
manages Google Cloud Platform
service account credentials, while ConnectionStringCredentials
handles database connection strings.
As an example, let's use ConnectionStringCredentials
which represents a database connection
from dlt.sources.credentials import ConnectionStringCredentials
def query(sql: str, dsn: ConnectionStringCredentials = dlt.secrets.value):
The source above executes the sql
against database defined in dsn
. ConnectionStringCredentials
makes sure you get the correct values with correct types and understands the relevant native form of
the credentials.
Below are examples of how you can set credentials in secrets.toml
and config.toml
Example 1. Use the dictionary form.
Example 2. Use the native form.
Example 3. Use the mixed form: the password is missing in explicit dsn and will be taken from the
You can explicitly provide credentials in various forms:
query("SELECT * FROM customers", "postgres://loader@localhost:5432/dlt_data")
# or
query("SELECT * FROM customers", {"database": "dlt_data", "username": "loader"})
Built in credentialsโ
We have some ready-made credentials you can reuse:
from dlt.sources.credentials import ConnectionStringCredentials
from dlt.sources.credentials import OAuth2Credentials
from dlt.sources.credentials import GcpServiceAccountCredentials, GcpOAuthCredentials
from dlt.sources.credentials import AwsCredentials
from dlt.sources.credentials import AzureCredentials
The ConnectionStringCredentials
class handles connection string
credentials for SQL database connections.
It includes attributes for the driver name, database name, username, password, host, port,
and additional query parameters.
This class provides methods for parsing and generating connection strings.
credentials = ConnectionStringCredentials()
# Set the necessary attributes
credentials.drivername = "postgresql"
credentials.database = "my_database"
credentials.username = "my_user"
credentials.password = "my_password" = "localhost"
credentials.port = 5432
# Convert credentials to connection string
connection_string = credentials.to_native_representation()
# Parse a connection string and update credentials
native_value = "postgresql://my_user:my_password@localhost:5432/my_database"
# Get a URL representation of the connection
url_representation = credentials.to_url()
Above, you can find an example of how to use this spec with sources and TOML files.
The OAuth2Credentials
class handles OAuth 2.0 credentials, including client ID,
client secret, refresh token, and access token.
It also allows for the addition of scopes and provides methods for client authentication.
credentials = OAuth2Credentials(
scopes=["scope1", "scope2"]
# Authorize the client
# Add additional scopes
credentials.add_scopes(["scope3", "scope4"])
is a base class to implement actual OAuth, for example,
it is a base class for GcpOAuthCredentials.
GCP Credentialsโ
Google Analytics verified source: the example how to use GCP Credentials.
The GcpServiceAccountCredentials
class manages GCP Service Account credentials.
This class provides methods to retrieve native credentials for Google clients.
- You may just pass the
as string or dictionary (in code and via config providers). - Or default credentials will be used.
credentials = GcpServiceAccountCredentials()
# Parse a native value (ServiceAccountCredentials)
# Accepts a native value, which can be either an instance of ServiceAccountCredentials
# or a serialized services.json.
# Parses the native value and updates the credentials.
native_value = {"private_key": ".."} # or "path/to/services.json"
or more preferred use:
import dlt
from dlt.sources.credentials import GcpServiceAccountCredentials
def google_analytics(
property_id: str = dlt.config.value,
credentials: GcpServiceAccountCredentials = dlt.secrets.value,
# Retrieve native credentials for Google clients
# For example, build the service object for Google Analytics PI.
client = BetaAnalyticsDataClient(credentials=credentials.to_native_credentials())
# Get a string representation of the credentials
# Returns a string representation of the credentials in the format client_email@project_id.
credentials_str = str(credentials)
while secrets.toml
looks as following:
client_id = "client_id" # please set me up!
client_secret = "client_secret" # please set me up!
refresh_token = "refresh_token" # please set me up!
project_id = "project_id" # please set me up!
and config.toml
property_id = "213025502"
The GcpOAuthCredentials
class is responsible for handling OAuth2 credentials for
desktop applications in Google Cloud Platform (GCP).
It can parse native values either as GoogleOAuth2Credentials
or as
serialized OAuth client secrets JSON.
This class provides methods for authentication and obtaining access tokens.
oauth_credentials = GcpOAuthCredentials()
# Accepts a native value, which can be either an instance of GoogleOAuth2Credentials
# or serialized OAuth client secrets JSON.
# Parses the native value and updates the credentials.
native_value_oauth = {"client_secret": ...}
or more preferred use:
import dlt
from dlt.sources.credentials import GcpOAuthCredentials
def google_analytics(
property_id: str = dlt.config.value,
credentials: GcpOAuthCredentials = dlt.secrets.value,
# Authenticate and get access token
credentials.auth(scopes=["scope1", "scope2"])
# Retrieve native credentials for Google clients
# For example, build the service object for Google Analytics PI.
client = BetaAnalyticsDataClient(credentials=credentials.to_native_credentials())
# Get a string representation of the credentials
# Returns a string representation of the credentials in the format client_id@project_id.
credentials_str = str(credentials)
while secrets.toml
looks as following:
client_id = "client_id" # please set me up!
client_secret = "client_secret" # please set me up!
refresh_token = "refresh_token" # please set me up!
project_id = "project_id" # please set me up!
and config.toml
property_id = "213025502"
In order for auth()
method to succeed:
- You must provide valid
in order to get a current access token and authenticate with OAuth. Mind that therefresh_token
must contain all the scopes that you require for your access. - If
is not provided, and you run the pipeline from a console or a notebook,dlt
will use InstalledAppFlow to run the desktop authentication flow.
Google Analytics example: how you can get the refresh token using dlt.secrets.value
If configuration values are missing, dlt
will use the default Google credentials (from default()
) if available.
Read more about Google defaults.
will try to fetch theproject_id
from default credentials. If the project id is missing, it will look forproject_id
in the secrets. So it is normal practice to pass partial credentials (justproject_id
) and take the rest from defaults.
The AwsCredentials
class is responsible for handling AWS credentials,
including access keys, session tokens, profile names, region names, and endpoint URLs.
It inherits the ability to manage default credentials and extends it with methods
for handling partial credentials and converting credentials to a botocore session.
credentials = AwsCredentials()
# Set the necessary attributes
credentials.aws_access_key_id = "ACCESS_KEY_ID"
credentials.aws_secret_access_key = "SECRET_ACCESS_KEY"
credentials.region_name = "us-east-1"
# Imports an external boto3 session and sets the credentials properties accordingly.
import botocore.session
credentials = AwsCredentials()
session = botocore.session.get_session()
or more preferred use:
def aws_readers(
bucket_url: str = dlt.config.value,
credentials: AwsCredentials = dlt.secrets.value,
# Convert credentials to s3fs format
s3fs_credentials = credentials.to_s3fs_credentials()
# Get AWS credentials from botocore session
aws_credentials = credentials.to_native_credentials()
while secrets.toml
looks as following:
aws_access_key_id = "key_id"
aws_secret_access_key = "access_key"
region_name = "region"
and config.toml
bucket_url = "bucket_url"
If configuration is not provided, dlt
uses the default AWS credentials (from .aws/credentials
) as present on the machine:
- It works by creating an instance of botocore Session.
- If
is specified, the credentials for that profile are used. If not - the default profile is used.
The AzureCredentials
class is responsible for handling Azure Blob Storage credentials,
including account name, account key, Shared Access Signature (SAS) token, and SAS token permissions.
It inherits the ability to manage default credentials and extends it with methods for
handling partial credentials and converting credentials to a format suitable
for interacting with Azure Blob Storage using the adlfs library.
credentials = AzureCredentials()
# Set the necessary attributes
credentials.azure_storage_account_name = "ACCOUNT_NAME"
credentials.azure_storage_account_key = "ACCOUNT_KEY"
or more preferred use:
def azure_readers(
bucket_url: str = dlt.config.value,
credentials: AzureCredentials = dlt.secrets.value,
# Generate a SAS token
# Convert credentials to adlfs format
adlfs_credentials = credentials.to_adlfs_credentials()
# to_native_credentials() is not yet implemented
while secrets.toml
looks as following:
azure_storage_account_name = "account_name"
azure_storage_account_key = "account_key"
and config.toml
bucket_url = "bucket_url"
If configuration is not provided, dlt
uses the default credentials using DefaultAzureCredential
Working with alternatives of credentials (Union types)โ
If your source/resource allows for many authentication methods, you can support those seamlessly for
your user. The user just passes the right credentials and dlt
will inject the right type into your
decorated function.
def zen_source(credentials: Union[ZenApiKeyCredentials, ZenEmailCredentials, str] = dlt.secrets.value, some_option: bool = False):
# depending on what the user provides in config, ZenApiKeyCredentials or ZenEmailCredentials will be injected in `credentials` argument
# both classes implement `auth` so you can always call it
return dlt.resource([credentials], name="credentials")
# pass native value
os.environ["CREDENTIALS"] = "email:mx:pwd"
assert list(zen_source())[0].email == "mx"
# pass explicit native value
assert list(zen_source("secret:๐:secret"))[0].api_secret == "secret"
# pass explicit dict
assert list(zen_source(credentials={"email": "emx", "password": "pass"}))[0].email == "emx"
This applies not only to credentials but to all specs (see next chapter).
Read the whole test, it shows how to create unions of credentials that derive from the common class, so you can handle it seamlessly in your code.
Writing custom specsโ
specs let you take full control over the function arguments:
- Which values should be injected, the types, default values.
- You can specify optional and final fields.
- Form hierarchical configurations (specs in specs).
- Provide own handlers for
(called before failing on missing config key) oron_resolved
. - Provide own native value parsers.
- Provide own default credentials logic.
- Adds all Python dataclass goodies to it.
- Adds all Python
goodies to it (specs
instances can be created from dicts and serialized from dicts).
This is used a lot in the dlt
core and may become useful for complicated sources.
In fact, for each decorated function a spec is synthesized. In case of google_sheets
class is created:
from dlt.sources.config import configspec, with_config
class GoogleSheetsConfiguration(BaseConfiguration):
tab_names: List[str] = None # manadatory
credentials: GcpServiceAccountCredentials = None # mandatory secret
only_strings: Optional[bool] = False
All specs derive from BaseConfigurationโ
This class serves as a foundation for creating configuration objects with specific characteristics:
It provides methods to parse and represent the configuration in native form (
).It defines methods for accessing and manipulating configuration fields.
It implements a dictionary-compatible interface on top of the dataclass. This allows instances of this class to be treated like dictionaries.
It defines helper functions for checking if a certain attribute is present, if a field is valid, and for calling methods in the method resolution order (MRO).
More information about this class can be found in the class docstrings.
All credentials derive from CredentialsConfigurationโ
This class is a subclass of BaseConfiguration
and is meant to serve as a base class for handling various types of credentials.
It defines methods for initializing credentials, converting them to native representations,
and generating string representations while ensuring sensitive information is appropriately handled.
More information about this class can be found in the class docstrings.