Liman
Specification/Auth

Service Account

An identity used by NodeActor to execute nodes

A ServiceAccount defines the authentication and authorization context for node execution. It provides credentials and context variables that nodes need to access external services and resources.

Specification

kind: ServiceAccount
name: string
context?: Context
# Either one of the options below is allowed
credentials_provider?: CredentialsProvider
credentials_providers?: CredentialsProvider[]
| Prop | Type | Default |
| --- | --- | --- |
| kind | ServiceAccount | - |
| name | string | - |
| context? | Context | - |
| credentials_provider? | CredentialsProvider | - |
| credentials_providers? | CredentialsProvider[] | - |

Inlined

A ServiceAccount can also be declared inline on a node. In this case, name and kind are not required.

kind: Node | LLMNode | ToolNode
---
auth:
  service_account:
    name?: string
    context?: Context
    credentials_provider?: CredentialsProvider
    credentials_providers?: CredentialsProvider[]

Context

Context is a set of variables that can be injected into the service account from the external state. It can be used to provide additional information to the service account, such as user ID or organization ID. This way, only the data needed for node execution is used. Context declaration is always inlined.

context:
  strict: boolean
  inject: var[]
| Prop | Type | Default |
| --- | --- | --- |
| strict? | boolean | true |
| inject | var[] | - |

Example

context:
  strict: true
  inject:
    - user_id: user.id
    - organization.id

Both notations are supported, so you can use either var: user.id (a named variable) or organization.id (a bare path) to inject values from the state.

These would be available in the service account as context.user_id and context.organization.id variables.
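
The injection rules above, sketched as an added Python example (not Liman's own code): it resolves an `inject` list against a constructed state dict, so you can see that only the declared values reach the service account. `resolve_context`, `STATE` and `SPEC` are hypothetical names, and the meaning given to `strict` (fail when a declared variable is missing from the state) is an assumption the page does not spell out.

```python
# Added illustration, not Liman's implementation: models context.inject resolution.
from typing import Any

_MISSING = object()


def _lookup(state: dict, path: str) -> Any:
    """Follow a dotted path such as 'user.id' through nested dicts."""
    cur: Any = state
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return _MISSING
        cur = cur[key]
    return cur


def _store(ctx: dict, path: str, value: Any) -> None:
    """Write value at a dotted path, creating intermediate dicts."""
    *parents, leaf = path.split(".")
    for key in parents:
        ctx = ctx.setdefault(key, {})
    ctx[leaf] = value


def resolve_context(context_spec: dict, state: dict) -> dict:
    """Build the service-account context from the declared inject list only."""
    strict = context_spec.get("strict", True)  # documented default: true
    ctx: dict = {}
    for entry in context_spec.get("inject", []):
        # Mapping form {"user_id": "user.id"} renames; bare form keeps its path.
        pairs = entry.items() if isinstance(entry, dict) else [(entry, entry)]
        for target, source in pairs:
            value = _lookup(state, source)
            if value is _MISSING and strict:  # ASSUMPTION: strict rejects gaps
                raise KeyError(f"context variable {source!r} not in state")
            if value is not _MISSING:
                _store(ctx, target, value)
    return ctx


# Constructed sample state: holds far more than the node should see.
STATE = {
    "user": {"id": "u-123", "email": "a@example.com", "session_token": "s3cr3t"},
    "organization": {"id": "org-9", "billing": {"plan": "pro"}},
}
SPEC = {"strict": True, "inject": [{"user_id": "user.id"}, "organization.id"]}

if __name__ == "__main__":
    print(resolve_context(SPEC, STATE))
```

The session token, e-mail and billing data in the state never appear in the resolved context, which is the property to check when reviewing an `inject` list.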

CredentialsProvider

CredentialsProvider is a phantom specification - it's not declared in YAML, but should be provided to the registry during runtime. Such specifications are needed to keep the YAML specification clean and small. Before node compilation, the required CredentialsProvider should be registered in the Registry - either globally or within the node.

examples/node.py
Node.from_yaml(spec, credentials_providers=[MyCredentialsProvider()])

A CredentialsProvider accepts a service account and should return credentials in dict format.

{
    "type": "bearer",
    "data": "string"
}

or a more complex structure based on the provider type.

{
    "type": "aws_s3",
    "data": {
        "access_key_id": "string",
        "secret_access_key": "string"
    }
}

Example

This example creates a ServiceAccount that injects project and region variables from the external state and uses both GCP and AWS S3 credentials providers:

kind: ServiceAccount
name: MyServiceAccount
context:
  inject: [project_id, region]
credentials_providers:
  - GCPCredentials
  - AWSS3Credentials
