Configure environment variables - Weights & Biases Documentation

In addition to configuring instance-level settings through the System Settings admin UI, W&B also provides a way to configure these values in code using environment variables. This page lists the environment variables you can set to control database, storage, Redis, identity provider, and other instance-level behavior for a self-managed W&B Server deployment. You can use these variables to manage configuration as code instead of through the admin UI. For IAM-specific variables, see advanced configuration for IAM.

Environment variable reference

The following table describes each environment variable, the behavior it controls, and any constraints on its value.

Environment variable	Description
`LICENSE`	Your wandb/local license
`MYSQL`	The MySQL connection string
`BUCKET`	The S3 / GCS bucket for storing data
`BUCKET_QUEUE`	The SQS / Google PubSub queue for object creation events
`NOTIFICATIONS_QUEUE`	The SQS queue on which to publish run events
`AWS_REGION`	The AWS Region where your bucket lives
`HOST`	The FQD of your instance, for example `https://my.domain.net`
`OIDC_ISSUER`	A URL to your Open ID Connect identity provider, for example `https://cognito-idp.us-east-1.amazonaws.com/us-east-1_uiIFNdacd`
`OIDC_CLIENT_ID`	The Client ID of application in your identity provider
`OIDC_AUTH_METHOD`	Implicit (default) or pkce. For more context, see the following sections.
`SLACK_CLIENT_ID`	The client ID of the Slack application you want to use for alerts
`SLACK_SECRET`	The secret of the Slack application you want to use for alerts
`LOCAL_RESTORE`	If you can’t access your instance, you can temporarily set this to true. Check the logs from the container for temporary credentials.
`REDIS`	Can be used to set up an external REDIS instance with W&B.
`LOGGING_ENABLED`	When set to true, access logs are streamed to stdout. You can also mount a sidecar container and tail `/var/log/gorilla.log` without setting this variable.
`GORILLA_ALLOW_USER_TEAM_CREATION`	When set to true, lets non-admin users create a new team. False by default.
`GORILLA_CUSTOMER_SECRET_STORE_SOURCE`	Sets the secret manager for storing team secrets used by W&B Weave. These secret managers are supported: Internal secret manager (default): `k8s-secretmanager://wandb-secret` AWS Secret Manager: `aws-secretmanager` Google Cloud Secret Manager: `gcp-secretmanager` Azure: `az-secretmanger`
`GORILLA_DATA_RETENTION_PERIOD`	How long to retain deleted data from runs in hours. Deleted run data is unrecoverable. Append an `h` to the input value. For example, `"24h"`.
`GORILLA_DISABLE_PERSONAL_ENTITY`	When set to true, turns off personal entities. Prevents creation of new personal projects in their personal entities and prevents writing to existing personal projects.
`GORILLA_GRAPHQL_DISABLE_INTROSPECTION`	When set to true, disables GraphQL introspection: `__type` and `__schema` queries return no schema data while the request still succeeds. On Self-Managed, setting the Gorilla configuration field `graphql-disable-introspection` has the same effect. Set this variable under `spec.values.global.extraEnv` in your `WeightsAndBiases` custom resource (see the `global.extraEnv` example in the Operator guide). Client applications require W&B SDK v0.26.0 or later against deployments with introspection already turned off.
`GRAPHQL_REJECT_UNAUTHED_REQUESTS`	When set to `true` on the API service, rejects GraphQL requests that don’t have an authenticated user. Unauthenticated requests receive HTTP 401. Self-Managed and Dedicated Cloud v0.80.0+ only; not available on Multi-tenant Cloud. This feature is opt-in: if the environment variable is unset or not `true`, behavior is unchanged. Set on the API component only (for example, `api.env` in Helm values). Before activating, confirm that workflows that rely on anonymous GraphQL access (such as viewing shared reports without signing in, or open projects) still meet your requirements. On Self-Managed, setting the Gorilla configuration field `graphql-reject-unauthed-requests` to `true` has the same effect.
`GORILLA_ARTIFACT_GC_ENABLED`	When set to true, enables garbage collection for deleted artifacts. Required for self-managed deployments. See Delete an artifact for more information.
`WANDB_ARTIFACT_DIR`	Where to store all downloaded artifacts. If unset, defaults to the `artifacts` directory relative to your training script. Make sure this directory exists and the running user has permission to write to it. This does not control the location of generated metadata files, which you can set using the `WANDB_DIR` environment variable.
`WANDB_DATA_DIR`	Where to upload staging artifacts. The default location depends on your platform, because it uses the value of `user_data_dir` from the `platformdirs` Python package. Make sure this directory exists and the running user has permission to write to it.
`WANDB_DIR`	Where to store all generated files. If unset, defaults to the `wandb` directory relative to your training script. Make sure this directory exists and the running user has permission to write to it. This does not control the location of downloaded artifacts, which you can set using the `WANDB_ARTIFACT_DIR` environment variable.
`WANDB_IDENTITY_TOKEN_FILE`	For identity federation, the absolute path to the local directory where Java Web Tokens (JWTs) are stored.

Use the GORILLA_DATA_RETENTION_PERIOD environment variable cautiously. It applies to deleted run data (including run-associated files such as media after deletion flows). It does not delete artifacts; use artifact deletion and GORILLA_ARTIFACT_GC_ENABLED as described in Delete an artifact. For how deleting runs and files relates to storage and this setting, see When deleted run data is removed from storage in Delete runs. Data is removed according to the retention window once the variable is set. Back up both the database and the storage bucket before you enable or change this value. Background removal of objects from your bucket is approximate and not guaranteed to finish within a specific time. For expectations, troubleshooting, and how this relates to storage costs, see Manage bucket storage and costs.
To enable GRAPHQL_REJECT_UNAUTHED_REQUESTS with the Kubernetes Operator, set it on the API component only:
```
api:
env:
    GRAPHQL_REJECT_UNAUTHED_REQUESTS: "true"
```
Apply your changes and wait for the API pods to roll out before you verify the setting. You can disable the behavior by removing the variable or setting it to another value.

Advanced reliability settings

The following section describes optional configuration you can apply to improve the reliability and performance of your W&B Server deployment.

Redis

An external Redis server is optional but recommended for production systems. Redis helps improve the reliability of the service and enables caching to decrease load times, especially in large projects. Use a managed Redis service such as ElastiCache with high availability (HA) and the following specifications:

Minimum 4 GB of memory, suggested 8 GB
Redis version 6.x
In transit encryption
Authentication enabled

To configure the Redis instance with W&B, go to the W&B settings page at http(s)://YOUR-W&B-SERVER-HOST/system-admin. Enable the Use an external Redis instance option, and fill in the Redis connection string in the following format:

You can also configure Redis using the environment variable REDIS on the container or in your Kubernetes deployment. Alternatively, you can set up REDIS as a Kubernetes secret. This page assumes the Redis instance is running at the default port of 6379. If you configure a different port, set up authentication, and want TLS enabled on the redis instance, the connection string format is: redis://$USER:$PASSWORD@$HOST:$PORT?tls=true

​Environment variable reference

​Advanced reliability settings

​Redis

Environment variable reference

Advanced reliability settings

Redis