OpenAI Connection
The OpenAI connection type enables access to OpenAI APIs.
Default Connection IDs
The OpenAI hook uses the openai_default connection by default.
Configuring the Connection
- API Key (required)
Specify your OpenAI API Key to connect.
- Host (optional)
The host address of the OpenAI instance.
- Extra (optional)
Specify the extra parameters (as a JSON dictionary) that can be used in the connection. All parameters are optional. The
extra field accepts a nested dictionary under the key openai_client_kwargs, whose key-value pairs are passed to the OpenAI client on instantiation. For example, to set the timeout for the client, you can pass the following dictionary as the extra field:
{
    "openai_client_kwargs": {
        "timeout": 10,
        "api_key": "YOUR_API_KEY"
    }
}
Authentication
The authentication mechanism is selected with the auth_type key in the extra field. It
defaults to "api_key", which uses the API key from the connection password (backward compatible
with existing connections).
Set auth_type to "workload_identity" to authenticate with short-lived identity tokens
instead of a long-lived API key. This exchanges a token minted by your environment’s identity
provider, so no API key is stored in the connection. identity_provider_id and
service_account_id are always required, and the token source is chosen with
workload_identity_provider:
- "kubernetes" – a Kubernetes service account token read from token_file_path (defaults to the in-cluster path /var/run/secrets/kubernetes.io/serviceaccount/token).
- "azure" – an Azure managed identity. Optional keys: resource, client_id, object_id, msi_res_id, api_version.
- "gcp" – a Google Cloud ID token for the given audience.
- "custom" – import token_provider (a dotted path to a Callable[[], str]) and use it as the token source. The callable is imported and invoked in the process that runs the hook, so point it only at trusted code. Optional token_type ("jwt" or "id", defaults to "jwt"); token_type applies only to the custom source.
The optional refresh_buffer_seconds controls how long before expiry the token is refreshed.
For example, to authenticate from a Kubernetes pod:
{
    "auth_type": "workload_identity",
    "workload_identity_provider": "kubernetes",
    "identity_provider_id": "idp-123",
    "service_account_id": "sa-456"
}
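A token source of the kind the "custom" option describes, as an added example that is not part of the Airflow provider's own code: a zero-argument callable returning a JWT string, which you would reference in token_provider by its dotted path. The environment variable name, the default file path and the 30-second margin are assumptions chosen for illustration.

```python
import base64
import json
import os
import time

# Assumed names for this example; neither is defined by the OpenAI provider.
TOKEN_PATH_ENV = "WORKLOAD_TOKEN_FILE"
DEFAULT_TOKEN_PATH = "/var/run/secrets/tokens/openai-token"
# Assumed safety margin: refuse tokens with less lifetime left than this.
MIN_REMAINING_SECONDS = 30


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature.

    This is a local sanity check only; the service that exchanges the token
    is what verifies it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def get_token() -> str:
    """Callable[[], str] token source for workload_identity_provider "custom"."""
    path = os.environ.get(TOKEN_PATH_ENV, DEFAULT_TOKEN_PATH)
    # Re-read the file on every call so a rotated token is picked up.
    with open(path, encoding="ascii") as fh:
        token = fh.read().strip()
    exp = jwt_claims(token).get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    if exp - time.time() < MIN_REMAINING_SECONDS:
        # Fail closed rather than pass a stale token on; never log the token.
        raise ValueError("token is expired or about to expire")
    return token
```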