Skip to main content

Credentials

OnehouseResources resolves each credential field independently from three sources, in order (highest wins):

  1. Explicit constructor arguments
  2. Environment variablesONEHOUSE_ACCOUNT_UID, ONEHOUSE_PROJECT_UID, ONEHOUSE_API_KEY, ONEHOUSE_API_SECRET, ONEHOUSE_LINK_UID, ONEHOUSE_REGION, ONEHOUSE_USER_UID. Optional: ONEHOUSE_BASE_URL, ONEHOUSE_PROFILE, ONEHOUSE_CREDENTIALS_FILE.
  3. Credentials file at ~/.onehouse/credentials (override the path with ONEHOUSE_CREDENTIALS_FILE or the credentials_file= constructor arg)

Resolution is per field — you can supply some fields from the constructor and let the rest fall through to the env or the file.

1. Explicit constructor arguments

from onehouse_python_sdk import OnehouseResources

client = OnehouseResources(
    account_uid="92e5f1ab-...",
    project_uid="3afe72cd-...",
    api_key="j+m8wRhgpKYFTLxCHNDzQA==",
    api_secret="tXpzrqfUBNK9yhS5+FmLM37xwfhVeZygJntCzHG4Dpq=",
    link_uid="da56fe8b-...",
    region="us-west-2",
    user_uid="11d6f8ce-...",
)

Best for tests and short scripts. Avoid hard-coding secrets in production code.

2. Environment variables

export ONEHOUSE_ACCOUNT_UID=92e5f1ab-...
export ONEHOUSE_PROJECT_UID=3afe72cd-...
export ONEHOUSE_API_KEY=j+m8wRhgpKYFTLxCHNDzQA==
export ONEHOUSE_API_SECRET=tXpzrqfUBNK9yhS5+FmLM37xwfhVeZygJntCzHG4Dpq=
export ONEHOUSE_LINK_UID=da56fe8b-...
export ONEHOUSE_REGION=us-west-2
export ONEHOUSE_USER_UID=11d6f8ce-...
client = OnehouseResources()   # all fields read from the environment

Best for CI, containers, and serverless runtimes that already inject secrets as env vars.

3. Credentials file

client = OnehouseResources()   # reads ~/.onehouse/credentials, [default] profile

The file can be either INI or JSON — the format is auto-detected from the first non-whitespace character ({ means JSON, anything else is treated as INI). The JSON format is what the Onehouse CLI writes; pick INI if you're editing by hand.

INI format (AWS-style)

# ~/.onehouse/credentials
[default]
account_uid = 92e5f1ab-...
project_uid = 3afe72cd-...
api_key     = j+m8wRhgpKYFTLxCHNDzQA==
api_secret  = tXpzrqfUBNK9yhS5+FmLM37xwfhVeZygJntCzHG4Dpq=
link_uid    = da56fe8b-...
region      = us-west-2
user_uid    = 11d6f8ce-...

JSON format (Onehouse CLI)

{
  "_default": "production",
  "production": {
    "account_uid": "92e5f1ab-...",
    "project_uid": "3afe72cd-...",
    "api_key": "j+m8wRhgpKYFTLxCHNDzQA==",
    "api_secret": "tXpzrqfUBNK9yhS5+FmLM37xwfhVeZygJntCzHG4Dpq=",
    "request_id": "da56fe8b-...",
    "project_region": "us-west-2",
    "user_id": "11d6f8ce-..."
  }
}

The CLI uses request_id, project_region, and user_id instead of the SDK field names — the loader translates both forms.

Profiles

Use profiles when one machine needs to talk to multiple Onehouse environments (e.g. staging and production). Each profile is a self-contained credential set; you pick one at client construction.

INI profile selection

# ~/.onehouse/credentials
[default]
account_uid = ...
project_uid = ...
# ...

[staging]
account_uid = ...
project_uid = ...
# ...

[production]
account_uid = ...
project_uid = ...
# ...
# Use [default]
client = OnehouseResources()

# Pick a named profile
staging = OnehouseResources(profile="staging")
production = OnehouseResources(profile="production")

You can also select a profile via ONEHOUSE_PROFILE:

export ONEHOUSE_PROFILE=staging
client = OnehouseResources()   # reads [staging]

JSON profile selection

The top-level _default key picks the profile when none is explicitly named:

{
  "_default": "staging",
  "staging":    { "account_uid": "...", "project_uid": "...", "...": "..." },
  "production": { "account_uid": "...", "project_uid": "...", "...": "..." }
}
client = OnehouseResources()                       # reads "staging" (the _default)
production = OnehouseResources(profile="production")

If the JSON file has no _default and no profile is passed, the loader raises AuthError listing the available profiles.

Pointing at a non-default file

client = OnehouseResources(credentials_file="/secrets/onehouse.creds", profile="ci")
export ONEHOUSE_CREDENTIALS_FILE=/secrets/onehouse.creds

Failure modes

  • Missing fields raise AuthError listing exactly which fields are unset, the env-var names for each, and the file path / profile that was checked.
  • World-readable credentials file (any group or other bits set) triggers a warning. Run chmod 600 ~/.onehouse/credentials to fix.
  • Malformed file raises AuthError with the parser error and the file path.