Environment Variables
The Request Manager Agent uses environment variables to configure its runtime behavior and connections. You'll need to set variables for your DataGrail domain, Agent API Key, credentials manager provider, and optionally cloud storage for handling sensitive data. This page documents all required and optional environment variables, including cloud provider credentials for local development.
Variables
| Name | Description | Default |
|---|---|---|
| RM_CUSTOMER_DOMAIN | string (required) Your DataGrail domain (e.g. yourcompany.datagrail.io). | None |
| RM_PLATFORM_CREDENTIALS_LOCATION | string (required) Secret location for platform API key (e.g. AWS Secrets Manager ARN). | None |
| RM_CREDENTIALS_MANAGER | object(CredentialsManager) (required) JSON string describing the credentials provider. | None |
| RM_STORAGE_MANAGER | object(StorageManager) (optional) JSON string describing the storage provider. | None |
| RM_REDIS_URL | string (optional) Connection string for a remote Redis instance. | redis://localhost:6379 |
| RM_JOB_TIMEOUT_SECONDS | integer (optional) Max time (seconds) for a single job before timeout. | 3600 |
| LOGLEVEL | string (optional) Logging level. | WARNING |
CredentialsManager Schema
The CredentialsManager object defines metadata about the credentials manager used by the Agent. A credentials manager is used to store client credentials, connection strings, PEM keys, API tokens, etc. that authenticate the Agent's various requests.
| Fields | Description |
|---|---|
| provider | enum(CredentialsManagerProvider) (required) The credentials manager provider. |
| options | object(CredentialsManagerOptions) (optional) Metadata about the credentials manager. |
CredentialsManagerProvider
The CredentialsManagerProvider field specifies which credentials management provider the Agent connects to for secure retrieval of secrets.
| Providers | Description | Required Options |
|---|---|---|
| AWSSSMParameterStore | Amazon Web Services Parameter Store. | - |
| AWSSecretsManager | Amazon Web Services Secrets Manager. | - |
| AzureKeyVault | Microsoft Azure Key Vault. | secret_vault |
| GCP | Google Secret Manager. | project_id |
| JSONFile | JSON file for secrets injection. | filename |
CredentialsManagerOptions
The CredentialsManagerOptions field contains configuration settings for your chosen credentials manager. Required settings vary by provider.
| Fields | Description |
|---|---|
| secret_vault | string (optional) Specifies the Azure Key Vault name. |
| project_id | string (optional) Specifies the Google Cloud project ID. |
| filename | string (optional) Specifies the credentials file location/name. |
```bash
# AWS Secrets Manager
RM_CREDENTIALS_MANAGER='{"provider": "AWSSecretsManager"}'
# AWS SSM Parameter Store
RM_CREDENTIALS_MANAGER='{"provider": "AWSSSMParameterStore"}'
# GCP Secret Manager
RM_CREDENTIALS_MANAGER='{"provider": "GCP", "options": {"project_id": "my-project-123"}}'
# Azure Key Vault
RM_CREDENTIALS_MANAGER='{"provider": "AzureKeyVault", "options": {"secret_vault": "my-vault-name"}}'
# Local JSON file
RM_CREDENTIALS_MANAGER='{"provider": "JSONFile", "options": {"filename": "/path/to/secrets.json"}}'
```
StorageManager Schema
The StorageManager configuration is optional. When provided, the Agent will upload access request and identifier retrieval results to the specified cloud storage bucket, keeping Personally Identifiable Information (PII) within your private network. DataGrail will then retrieve and process the files from your bucket. When StorageManager is not provided, the Agent will send the data back inline for immediate processing by DataGrail.
| Fields | Description |
|---|---|
| provider | enum(StorageManagerProvider) (required) The cloud storage manager provider. |
| options | object(StorageManagerOptions) (optional) Metadata about the storage manager. Required for some providers. |
StorageManagerProvider
The StorageManagerProvider field specifies which cloud storage manager provider the Agent connects to for secure upload of access request and identifier retrieval results.
| Provider | Description | Required Options |
|---|---|---|
| AWSS3 | string Amazon Web Services S3 | bucket |
| AzureBlob | string Microsoft Azure Blob | bucket, project_id |
| BackblazeB2 | string Backblaze B2 | bucket, endpoint, region |
| GCPCloudStore | string Google Cloud Storage | bucket, project_id |
StorageManagerOptions
The StorageManagerOptions field contains configuration settings for your chosen storage manager. Required settings vary by provider.
| Fields | Description |
|---|---|
| bucket | string (required) The name of the cloud storage bucket |
| project_id | string (optional) Required when using AzureBlob or GCPCloudStore to denote the project ID. |
| region | string (optional) Required when using BackblazeB2 to denote the region. |
| endpoint | string (optional) Required when using BackblazeB2 to denote the endpoint. |
```bash
# AWS S3
RM_STORAGE_MANAGER='{"provider": "AWSS3", "options": {"bucket": "my-results-bucket"}}'
# GCP Cloud Storage
RM_STORAGE_MANAGER='{"provider": "GCPCloudStore", "options": {"project_id": "my-project-123", "bucket": "my-results-bucket"}}'
# Azure Blob Storage
RM_STORAGE_MANAGER='{"provider": "AzureBlob", "options": {"project_id": "mystorageaccount", "bucket": "my-container"}}'
# Backblaze B2
RM_STORAGE_MANAGER='{"provider": "BackblazeB2", "options": {"bucket": "my-bucket", "region": "us-west-002", "endpoint": "https://s3.us-west-002.backblazeb2.com"}}'
```
Cloud Provider Credentials
Set these environment variables when role-based access controls are unavailable, such as in local development environments.
Use role-based access controls instead of long-lived credentials to avoid storing secrets in plain text.
Amazon Web Services
| Name | Description |
|---|---|
| AWS_ACCESS_KEY_ID | AWS access key associated with an IAM account. |
| AWS_SECRET_ACCESS_KEY | Secret key associated with the access key. This is essentially the "password" for the access key. |
| AWS_REGION | The AWS Region to send the request to. |
Google Cloud Platform
| Name | Description |
|---|---|
| GOOGLE_APPLICATION_CREDENTIALS_JSON | Extracted Google credentials file JSON. |
Microsoft Azure
| Name | Description |
|---|---|
| AZURE_TENANT_ID | The Azure Active Directory tenant (directory) ID. |
| AZURE_CLIENT_ID | The client (application) ID of an App Registration in the tenant. |
| AZURE_CLIENT_SECRET | The client secret for the App Registration. |
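A preflight check for the variables documented on this page, added here as an example (it is not DataGrail's code): it validates the JSON in RM_CREDENTIALS_MANAGER and RM_STORAGE_MANAGER against the required-options tables above and flags long-lived cloud credentials left in the environment. The function names and finding messages are illustrative assumptions.

```python
import json

# Required options per provider, transcribed from the tables on this page.
CREDENTIALS_PROVIDERS = {"AWSSSMParameterStore": [], "AWSSecretsManager": [],
                         "AzureKeyVault": ["secret_vault"], "GCP": ["project_id"],
                         "JSONFile": ["filename"]}
STORAGE_PROVIDERS = {"AWSS3": ["bucket"], "AzureBlob": ["bucket", "project_id"],
                     "BackblazeB2": ["bucket", "endpoint", "region"],
                     "GCPCloudStore": ["bucket", "project_id"]}
REQUIRED = ["RM_CUSTOMER_DOMAIN", "RM_PLATFORM_CREDENTIALS_LOCATION", "RM_CREDENTIALS_MANAGER"]
# Long-lived secrets from the "Cloud Provider Credentials" tables.
STATIC_SECRETS = ["AWS_SECRET_ACCESS_KEY", "GOOGLE_APPLICATION_CREDENTIALS_JSON", "AZURE_CLIENT_SECRET"]


def check_manager(name, raw, providers):
    """Validate one JSON-valued variable against its provider table."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"{name}: not valid JSON ({exc.msg})"]
    if not isinstance(cfg, dict):
        return [f"{name}: expected a JSON object"]
    provider = cfg.get("provider")
    if not isinstance(provider, str) or provider not in providers:
        return [f"{name}: unknown provider {provider!r}"]
    options = cfg.get("options")
    if not isinstance(options, dict):
        options = {}
    return [f"{name}: provider {provider} requires option '{opt}'"
            for opt in providers[provider] if not options.get(opt)]


def preflight(env):
    """Return findings for an environment mapping such as os.environ."""
    findings = [f"{var}: required but not set" for var in REQUIRED if not env.get(var)]
    for var, table in (("RM_CREDENTIALS_MANAGER", CREDENTIALS_PROVIDERS),
                       ("RM_STORAGE_MANAGER", STORAGE_PROVIDERS)):
        if env.get(var):
            findings += check_manager(var, env[var], table)
    findings += [f"{var}: long-lived credential set; prefer role-based access"
                 for var in STATIC_SECRETS if env.get(var)]
    return findings


if __name__ == "__main__":
    # Constructed sample: GCP provider with its required project_id missing.
    sample = {"RM_CUSTOMER_DOMAIN": "yourcompany.datagrail.io",
              "RM_CREDENTIALS_MANAGER": '{"provider": "GCP"}'}
    print("\n".join(preflight(sample)))
```

Passing `os.environ` to `preflight` before starting the Agent surfaces a missing required option or a leftover static credential as a readable finding.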