The objects available within our connector are accessible from the "cdata.alloydb" module. To use the module's objects directly:

1. Import the module as follows:
   

   import cdata.alloydb as mod

2. To establish a connection string, call the connect() method from the connector object using an appropriate connection string, such as:
   

   mod.connect("User=alloydb;Password=admin;Database=alloydb;Server=127.0.0.1;Port=5432")

Connecting to AlloyDB

To connect to AlloyDB, set these properties:

• Server: The host name or IP of the server hosting the AlloyDB database.
• Port (optional): The port of the server hosting the AlloyDB database. This property is set to 5432 by default.
• User: The user which will be used to authenticate with the AlloyDB server.
• Password: The password which will be used to authenticate with the AlloyDB server.
• Database (optional): The database to connect to when connecting to the AlloyDB Server. If this is not set, the user's default database will be used.

Authenticating to AlloyDB

AlloyDB supports authentication through the following methods:

• Standard
• pg_hba.conf
  • MD5
  • SASL
• Kerberos
• OAuthJWT

Standard Authentication

Standard authentication (using the user/password combination supplied earlier) is the default form of authentication.

No further action is required to leverage Standard Authentication to connect.

pg_hba.conf Auth Schemes

There are additional methods of authentication supported by the connector which must be enabled in the pg_hba.conf file on the AlloyDB server.

You can find instructions about authentication setup on the AlloyDB Server here.

MD5

You can authenticate using MD5 password verification by setting the auth-method in the pg_hba.conf file to md5.

SASL

The connector can authenticate by verifying the password with SASL (particularly, SCRAM-SHA-256).

To use this authentication method, set the auth-method in the pg_hba.conf file to scram-sha-256.

Kerberos

The authentication with Kerberos is initiated by AlloyDB Server when the CData Python Connector for AlloyDB is trying to connect to it. Set up Kerberos on the AlloyDB Server to activate this authentication method. Once you have Kerberos authentication set up on the AlloyDB server, see Using Kerberos for details regarding how to authenticate with Kerberos by the connector.

OAuthJWT

This authentication method allows a Google Cloud service account to authenticate with AlloyDB using a JSON key file.

Prerequisite

Before configuring this authentication method, ensure that you have a Google Cloud service account. You must also generate and download a new key file (JSON-formatted) for that service account.

To obtain this file in the Google Cloud console:

1. Go to IAM & Admin > Service accounts. If you do not have an account already, you must create one (see detailed instructions here.)
2. Click on the email address of your service account (for example, [email protected]).
3. Go to the Keys tab.
4. Select Add Key > Create new key.
5. Select JSON as the key type. Then, click Create.

Note: Once the file for the key is downloaded, it cannot be redownloaded due to security reasons. However, you can generate additional keys as needed.

Authenticate to AlloyDB with OAuthJWT

1. Using IAM administrator tools (IAM & Admin > IAM), grant the new or existing service account the alloydb.databaseUser and serviceusage.serviceUsageConsumer roles.
2. Add that service account to a cluster (see detailed instructions here.)
3. Set the required connection properties:
   • AuthScheme: OAuthJWT.
   • OAuthJWTCertType: GOOGLEJSON.
   • OAuthJWTCert: The path to the service account key file you downloaded (for example, C:\keys\my-gcp-project-service-account.json).
   • User: The service account's address without the .gserviceaccount.com suffix (for example, [email protected]).