Environments
An environment is the context in which your app will be running. It includes the secrets that the app uses to connect to datasets, and the Iceberg catalogs it uses to access Iceberg tables. In Tower, you will always have at least one environment called default. As your data platform grows, you will potentially add environments for integration testing, for production etc.
The default environment
The default environment is special, because its secrets and catalogs are inherited by all other environments. You can override the values specified in the default environment in other environments by creating a secret or catalog with the same name.
Secrets
Database passwords, S3 bucket locations, and encryption keys are all examples of secrets that you might want to inject into your apps running either locally or in the Tower cloud at runtime.
Tower provides a secure secrets management system that ensures that your secrets are not only available where you need them, but they're available in a secure way, too. You can learn more about our standard security practices in the architecture section.
Secrets can be thought of as name-value pairs.
Secrets in the default environment
When you create a secret with the tower secrets create command and don't specify an environment, the secret will be created in the default environment. The secret and its value will be available in all your environments, unless you override it.
tower secrets create --name=snowflake_url \
--value=https://abc123.snowflake.com
✔ Creating secret... Done!
Success! Secret "snowflake_url" was created
Use the tower secrets list command to determine which secrets you have configured. If you don't specify the environment, it will show you only the secrets in the default environment.
tower secrets list
Secret Environment Preview
----------------------------------------
s3_bucket default XXXXXXcket
snowflake_url default XXXXXX.com
Secrets in other environments
Sometimes you will want to use different secret values for different environments that you run you apps in. For example, imagine you have an app that reads data from S3 and writes it to a Snowflake database. It's likely that you use a different Snowflake database in development, staging, and production environments. Therefore, you would want to have the same secret name (e.g. snowflake_url) in all your environments, but use different secret values depending on the environment.
To create a secret in an environment different from default, use the --environment parameter.
tower secrets create --name=snowflake_url \
--value=https://abc123-prod.snowflake.com \
--environment=production
✔ Creating secret... Done!
Success! Secret "snowflake_url" was created
When you run both of these commands, you will have a secret with key snowflake_url in both the default and the production environments, but with different values.
Use the --environment parameter with the tower secrets list command to show what secrets will be used in a given environment.
tower secrets list --environment=production
Secret Environment Preview
----------------------------------------
s3_bucket default XXXXXXcket
snowflake_url production XXXXXX.com
Use the -a parameter to list all secrets in all environments.
tower secrets list -a
Secret Environment Preview
----------------------------------------
s3_bucket default XXXXXXcket
snowflake_url default XXXXXX.com
snowflake_url production XXXXXX.com
Managing secrets in the Tower UI
You can use the Tower UI to create, list and delete secrets.
Navigate to (> Secrets ) and click on "Create New Secret". You can add a secret to the default environment or select "+New Environment" in the drop-down and type in e.g. production.
You can later delete secrets from the secrets list.
Catalogs��
Apache Iceberg catalogs simplify the use of Iceberg tables inside Tower apps.
Catalogs are defined per each Tower environment. As with secrets, catalogs defined in the default environment are inherited by all other environments.
Creating catalogs
To create a catalog, use the Tower UI.
When creating a catalog in Tower, specify its slug, and the 4 properties that Tower (and the pyiceberg library that Tower uses internally) need to know to connect to the catalog service: URI, Credential, Scope, and Warehouse. You can get these values during the set-up of the catalog service.
Set the catalog slug to the catalog identifier that you are planning to use inside your Tower app, e.g. 'mycatalog'. Pyiceberg calls this identifier the catalog name.
If you set the slug to the string default, you won't need to explicitely specify the catalog identifier in your code.
Using catalogs
To work with Iceberg tables inside your Tower apps you should use the Tower tables SDK. Tower tables use the pyiceberg library internally. You can use pyiceberg to access Iceberg tables directly, but the tables SDK will typically be simpler to use, as it automatically loads all catalogs defined in the environment the app is running in.
import pyarrow as pa
import tower
SCHEMA = pa.schema([...])
mytable = tower.tables('mytable', catalog='mycatalog').create_if_not_exists(SCHEMA)
In the above example, when checking for the existance of the table, Tower will look in its metadata for the catalog that has the slug 'mycatalog'.
When you set the slug of your catalog to 'default', the catalog identifier can be dropped and the above example can be simplified to:
import pyarrow as pa
import tower
SCHEMA = pa.schema([...])
mytable = tower.tables('mytable').create_if_not_exists(SCHEMA)
When using pyiceberg to access Iceberg tables, do something like this.
import pyarrow as pa
from pyiceberg.catalog import load_catalog
SCHEMA = pa.schema([...])
mycatalog = load_catalog('mycatalog')
mytable = mycatalog.create_table_if_not_exists('mytable', SCHEMA)
Supported catalog types
Tower currently supports Apache Polaris and Snowflake Open Catalog. More catalog types will be supported over time.
Advanced use cases
Programmatically determining the environment
Sometimes users need to programmatically determine which environment the app is running in, e.g. to use different data source types (DuckDB vs Snowflake) depending on the environment. Tower allows you to retrieve the environment your code is running in through the special TOWER_ENVIRONMENT environment variable. Review this section to understand how to use this environment variable.