Environment Variables
Main configuration
Name | Description |
DEKART_MAPBOX_TOKEN | Mapbox Token to show a map |
DEKART_POSTGRES_DB | Database name. Dekart needs Postgres Database to store query meta information. Alternatively SQLite can be used, see bellow. Example: dekart |
DEKART_POSTGRES_HOST | Example: localhost |
DEKART_POSTGRES_PORT | Example: 5432 |
DEKART_POSTGRES_USER | Example: postgres |
DEKART_PORT | Example: 8080 |
DEKART_POSTGRES_URL version >= 0.13 | Alternatively to specify DEKART_POSTGRES_DB , DEKART_POSTGRES_HOST , DEKART_POSTGRES_PORT , DEKART_POSTGRES_USER , DEKART_POSTGRES_PASSWORD , configure PostgreSQL by passing the connection string. If both specified DEKART_POSTGRES_URL is used.Example: postgres://user:pass@hostname:5432/dekart?sslmode=verify-full |
DEKART_DATASOURCE=BQ version >= 0.8 | Which datasource to use: Values
DEKART_STORAGE=GCS version >= 0.8 | Which storage backend to use for storing queries and query results Values
DEKART_CLOUD_STORAGE_BUCKET | Google Cloud Storage or AWS S3 bucket name where Dekart Query results will be stored. Example: dekart-bucket If value is empty, users will be able to define storage bucket via UI. Supported datasource DEKART_DATASOURCE :
DEKART_CORS_ORIGIN= version >= 0.10 | CORS Origin to be allowed by Dekart backend and set in Access-Control-Allow-Origin header. If not set or set incorrectly, warning will appear in logs. If set incorrectly.Example: https://dekart.example.com |
DEKART_SQLITE_DB_PATH= premium >= 0.17.2 version >= 0.18 | Dekart will use SQLite database instead of Postgres to store query meta information. Example: ./dekart.db |
DEKART_STREAM_TIMEOUT version >= 0.18 | Timeout in seconds for streaming backend updates. Default value is 50 seconds. Useful when your Gateway has a shorter timeout and you see Gateway Timeout errors. Example: 50 |
Data Encryption
version >= 0.18
Dekart supports data encryption at rest for storing credentials. Required for configuring Snowflake and BigQuery JSON Key via UX. To enable data encryption, set the following environment variables:
Name | Description |
DEKART_DATA_ENCRYPTION_KEY | Google Secret Manager key to encrypt sensitive data. Example: projects/121212121212/secrets/dekart-data-encoding-key/versions/1 |
Steps to Generate & Set the Key:
Generate a Secure 256‐Bit Key Use a command like:
openssl rand -base64 32
This produces a base64‐encoded, 32‐byte key.
Add key to Google Secret Manager
Set the Environment Variable:
Dekart support started AWS SDK environment variables. Required to query AWS Athena and use AWS S3.
Name | Description |
AWS_REGION version >= 0.8 | The AWS SDK compatible environment variable that specifies the AWS Region to send the request to |
AWS_ACCESS_KEY_ID version >= 0.8 | Specifies an AWS access key associated with an IAM user or role. |
AWS_SECRET_ACCESS_KEY version >= 0.8 | Specifies the secret key associated with the access key. This is essentially the “password” for the access key. |
AWS Athena
Name | Description |
DEKART_ATHENA_CATALOG version >= 0.8 | Data source (group of databases) for AWS Athena to reference when executing queries. Default value is usually AwsDataCatalog .Example: my-athena-catalog |
DEKART_ATHENA_S3_OUTPUT_LOCATION and then copied to DEKART_CLOUD_STORAGE_BUCKET .Example: athena-results | |
DEKART_ATHENA_S3_OUTPUT_LOCATION version >= 0.8 | Amazon S3 query result location required by Athena SDK. This is different from DEKART_CLOUD_STORAGE_BUCKET . First query results are stored in DEKART_ATHENA_S3_OUTPUT_LOCATION and then copied to DEKART_CLOUD_STORAGE_BUCKET .Example: athena-results |
DEKART_ATHENA_WORKGROUP version >= 0.13 | AWS Athena workgroup to use when executing Athena queries. If not specified, the default primary workgroup will be used.Example: my-athena-workgroup |
Google Cloud
Required to query BigQuery and use Cloud Storage
Name | Description |
GOOGLE_APPLICATION_CREDENTIALS | Credentials for Google Cloud API Example: /.../service-account-123456.json |
Name | Description |
DEKART_BIGQUERY_PROJECT_ID | Unique identifier for your Google Cloud project with BigQuery API Enabled. Example: my-project version >= 0.15 If value is empty, users will be able to define project ID via UI. |
DEKART_BIGQUERY_MAX_BYTES_BILLED version >= 0.7 | Sets maximumBytesBilled in BigQuery Job Configuration to implement Best Practices for Controlling Query Cost.If not set warning message will appear in logs. |
DEKART_GCP_EXTRA_OAUTH_SCOPES version >= 0.14 OAuth token support from version >= 0.18 | Set additional scopes for the GCP OAuth token when connecting to BigQuery. The value is interpreted as a comma-delimited list. E.g., in order to query a BigQuery table backed by a Google Sheet in Google Drive, the value needs to be set to https://www.googleapis.com/auth/drive . |
Name | Description |
DEKART_SNOWFLAKE_ACCOUNT_ID version >= 0.12 | Snowflake Account Identifier Example: orgname-account_name |
DEKART_SNOWFLAKE_USER version >= 0.12 | Snowflake user with default warehouse configured Example: example_user |
DEKART_SNOWFLAKE_PASSWORD version >= 0.12 | Snowflake user password Example: ****** |
DEKART_SNOWFLAKE_STAGE premium >= 0.17.2 version >= 0.18.1 | Persist Dekart application state on Snowflake stage. Work with DEKART_SQLITE_DB_PATH Example: app_public.app_state_stage |
DEKART_REQUIRE_SNOWFLAKE_CONTEXT= premium >= 0.17.2 version >= 0.18.1 | Authorize user using Sf-Context-Current-User header. Used in Snowpark environment.Example: 1 |
Postgres (as a data source)
Postgres can be used as a data source for Dekart. Do not confuse with Dekart’s Postgres database, which is used to store query meta information.
Name | Description |
DEKART_POSTGRES_DATASOURCE_CONNECTION version >= 0.16 | Postgres DB to be used as data source Example: postgres://user:password@host:port/db |
version >= 0.18
ClickHouse can be used as a data source for Dekart.
Name | Description |
DEKART_CLICKHOUSE_DATA_CONNECTION version >= 0.18 | ClickHouse connection string in DSN format. Example: clickhouse://user:password@host:port/database |
DEKART_CLICKHOUSE_S3_OUTPUT_LOCATION version >= 0.18 | S3 bucket path where query results are stored. Example: bucket-name/optional-prefix |
File upload
Starting from version 0.10 Dekart supports file upload. File upload is disabled by default. Once uploaded files are stored in the same storage as query results. Both AWS S3 and Google Cloud Storage are supported. The recommended max file size is 100MB.
Name | Description |
DEKART_ALLOW_FILE_UPLOAD version >= 0.10 | Enable file upload Example value: 1 |
User authorization via Google OAuth 2.0 flow
Dekart can authorize users via Google OAuth 2.0 and use users’ credentials to access BigQuery and Cloud Storage. When this option is enabled, Dekart does not require a service account and GOOGLE_APPLICATION_CREDENTIALS
to be set. The user token is retrieved from Google OAuth 2.0 flow and stored in only in the browser memory. When the page is refreshed, the token is retrieved again. User short-lived token is then passed via Authorization header Dekart backend to access BigQuery and Cloud Storage.
No token is stored in the Dekart backend, database, or logs.
Each user needs to have access to BigQuery and Cloud Storage with following permissions:
- BigQuery Data Viewer
- BigQuery Job User
- BigQuery Read Session User
- Storage Object User
This option is only supported for BigQuery and Cloud Storage. It is not supported for AWS and Snowflake Data Sources.
Name | Description |
DEKART_REQUIRE_GOOGLE_OAUTH version >= 0.15 | Enables Google OAuth 2.0 flow. Requires users to be authenticated. Example value: 1 |
DEKART_GOOGLE_OAUTH_CLIENT_ID version >= 0.15 | Google OAuth 2.0 Client ID. Example value: 1234567890-abcde.apps.googleusercontent.com |
DEKART_GOOGLE_OAUTH_SECRET version >= 0.15 | Google OAuth 2.0 Client Secret. Example value: ****** |
Creating Google OAuth 2.0 Client ID and Client Secret:
- Configure OAuth Consent Screen in your Google Cloud Project
- Create OAuth 2.0 Client ID with
Web application
type - Add
toAuthorized redirect URIs
User authorization via Google IAP
Dekart can read claims provided by Google IAP and authorize users to:
- list and edit only their own reports
- read-only access to other users reports
Name | Description |
DEKART_REQUIRE_IAP | Enables validation Google IAP JWT. Required users to be authenticated. ENables user management policies. Example value: 1 |
DEKART_IAP_JWT_AUD | Signed Header JWT Audience (aud ). You can get the values for the aud string mentioned above by accessing the Cloud Console, or you can use the gcloud command-line tool. See details.Example value: /projects/PROJECT_NUMBER/apps/PROJECT_ID |
User authorization via Amazon Load Balancer
Dekart can read claims provided by Amazon Load Balancer and authorize users to:
- list and edit only their reports
- read-only access to other user’s reports
Amazon Load Balancer configuration example with Terraform
Name | Description |
DEKART_REQUIRE_AMAZON_OIDC | Enables users authorization. Requires users to be authenticated and x-amzn-oidc-data to be passed from Load Balancer. Requires AWS_REGION .Example value: 1 |
version >= 0.18
Dekart supports multiple workspaces. Each workspace can have its own set of reports, queries, and users. By default, all users are added to the Default
workspace. To configure workspace management, set the following environment variables:
Name | Description |
DEKART_ALLOW_WORKSPACE_CREATION version >= 0.18 | When set to 1 , users can create new workspaces. Set to empty, new users will be automatically added to the Default workspace.Example value: 1 |
DEKART_DEFAULT_WORKSPACE_ADMIN version >= 0.18 | Email that designates a default admin for the Default workspace. When not provided, all new users will be Admin. When provided, all users will be viewers, unless specified differently with DEKART_DEFAULT_WORKSPACE_ROLE .Example value: admin@email.com |
DEKART_DEFAULT_WORKSPACE_ROLE version >= 0.18 | Role assigned by default to new users (e.g., viewer , editor , admin ). Requires DEKART_DEFAULT_WORKSPACE_ADMIN to be specified.Example value: viewer |
User Experience
Name | Description |
DEKART_UX_HOMEPAGE | Change URL linked from Dekart logo Default value: / |
DEKART_UX_DATA_DOCUMENTATION | Allows provide URL to dataset documentation. It will appear in Dekart UI. Example value: https://my.company/dataset/schema.html |
DEKART_HTML_CUSTOM_CODE | Allows to add custom HTML code to <head> . Can be used for adding trackers. |
DEKART_DISABLE_USAGE_STATS version >= 0.11 | By default, Dekart appends certain information to the referrer of external links. This information includes the version number, the SHA256 hash of the hostname, the name of the data source, and the total number of reports, queries, files, and authors. No other information is collected. The source code for this implementation can be found here. This behavior can be turned off by setting this variable to 1 . |
DEKART_UX_ACCESS_ERROR_INFO_HTML version >= 0.16 | Allows to provide custom HTML code to be shown on the access error page. |
DEKART_UX_NOT_FOUND_ERROR_INFO_HTML version >= 0.16 | Allows to provide custom HTML code to be shown on the not found error page. |
DEKART_UX_SAMPLE_QUERY_SQL version >= 0.16 | Allows to provide a sample SQL query to be shown in the query editor. |
Development specific
Do not change for production
Name | Description |
DEKART_LOG_DEBUG | Set Dekart log level to debug Example value: 1 |
DEKART_LOG_PRETTY | Print pretty colorful logs in console. By default Dekart formats logs as JSON Example value: 1 |
DEKART_STATIC_FILES | Example value: ./build |
DEKART_DEV_QUERY_CACHE_DEADLINE version >= 0.18 | Set the cache deadline for queries in development mode. This is useful when debug BigQuery or Snowflake cache expiration Example: 1m |