Create Storage Access#910
Merged
MiroCillik merged 17 commits intomainfrom Apr 29, 2026
Merged
Conversation
odinuv
reviewed
Apr 15, 2026
| ```python | ||
| import logging | ||
|
|
||
| logging.info(f"User {current_user} updated record {record_id} to status {new_status}") |
Member
There was a problem hiding this comment.
A ten log někde skončí nebo ho zahodíme? :)
U nás v eventech není vůbec nic?
Contributor
There was a problem hiding this comment.
Fixed. Renamed to "Track write operations" and clarified that: (1) write operations are automatically tracked by the Query Service for billing, and (2) logging.info() output goes to stdout, which is visible in the Terminal Log tab of the Data App.
Member
There was a problem hiding this comment.
(aside) tady by bylo nejlepsi dat example z te libky, kterou udelal/updatnul Soustruh.
A celkove bychom sem meli pridat "best-practices" prave s pouzitim tech libek.
Udelam to.
- Add links to Query Service API docs and recommended client library - Remove duplicate column-level permissions note (kept in Limitations) - Add error handling for workspace manifest reading - Fix Flask example: initialize client once at startup, add input validation - Rename 'parameterized queries' to 'validate and sanitize input' with allowlist examples - Replace OFFSET pagination with keyset (cursor-based) pagination - Add generic Python cache example alongside Streamlit-specific one - Clarify logging: mention stdout destination and Terminal Log tab - Make workspace ID reading consistent (always from manifest with error handling) - Remove WORKSPACE_ID env var (use manifest file consistently) - Add Storage Access page to site navigation Co-Authored-By: Zuzana Bednářová <zuzana.bednarova@keboola.com>
…ission list
- Rename Step 2 heading to "Configure Writable Tables" and renumber list (was 1,2,3,4,2,3)
- Use consistent permission ordering (SELECT, INSERT, UPDATE, DELETE, TRUNCATE) across the page
- Drop SELECT from the "Write capability" cell in the comparison table
- Remove unused kbcstorage dependency from both pyproject.toml snippets
- Remove unused pandas and jsonify imports from the Flask example
- Clarify that code examples are Python; same concepts apply to JavaScript
- Convert the truncation warning to {% include warning.html %} and soften the undo claim
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced Apr 22, 2026
…nv vars Previously the docs referenced a fictional package (keboola.query-service-client), a nonexistent class (QueryServiceClient), and a non-matching execute_query() signature (`workspace_id=`, `query=` returning a dict). The real SDK is keboola-query-service on PyPI with a Client class and execute_query(branch_id=, workspace_id=, statements=[...]) returning list[QueryResult] with .columns (Column objects) and .data attributes. Also replaces the KBC_WORKSPACE_MANIFEST_PATH manifest-file flow with the direct env vars the Data App runtime actually sets: BRANCH_ID, WORKSPACE_ID, QUERY_SERVICE_URL, KBC_TOKEN. The Data Integration summary on the Data Apps overview page is updated to match, with a pointer to the canonical env vars list in keboola/data-app-python-js. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…d note Adds a prominent warning callout at the top of the Writing Data Back section stating plainly that the Query Service does not support parameterized queries and the app is responsible for validating untrusted values. Pairs with a tip callout in Best Practices that points at the upcoming SQL escape helpers in the Python and JS SDKs. Addresses review feedback from PR #910 that the existing allowlist / type-coercion pattern is insufficient guidance on its own, especially for arbitrary string input. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Expand "Stick with Input Mapping when" from one bullet to three - Remove trailing space on Architecture Overview heading - Fix Step 1 numbering (double-space before list items) - Flask example: expand validation comment to explicitly name the allowlist + int() coercion as the reason the f-string is safe, and warn against adding new form fields without the same guard - Remove unused `from functools import lru_cache` in cache example Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switches all code examples to read the workspace ID from the manifest file at KBC_WORKSPACE_MANIFEST_PATH (which contains workspaceId plus other workspace metadata) instead of the WORKSPACE_ID env var. This matches the recommended pattern from the Data App runtime — the env var is still set, but the manifest is the canonical source. - Adds KBC_WORKSPACE_MANIFEST_PATH row to the env vars table and notes WORKSPACE_ID is still available but manifest is preferred - Updates all four example snippets (Using the Client, env vars section example, Flask app, and Best Practices #1) to read the manifest with proper (KeyError, FileNotFoundError) error handling - Mentions KBC_WORKSPACE_MANIFEST_PATH in the Data Apps overview page env vars summary Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…table setup Adds a subsection under Step 2 showing the storage.output.tables shape that the platform writes when a writable table is added through the UI, so developers and agents can do the same via the Storage API directly. Documents the destination + unload_strategy: "direct-grant" marker that flags a table as exposed through Storage Access. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
odinuv
reviewed
Apr 28, 2026
| | Variable | Description | | ||
| | --- | --- | | ||
| | `KBC_WORKSPACE_MANIFEST_PATH` | Path to the workspace manifest JSON file. The file contains `workspaceId` (and other workspace metadata). **Recommended source for the workspace ID.** | | ||
| | `WORKSPACE_ID` | ID of the provisioned workspace for this app. Also available in the manifest file (above) — prefer reading the manifest in new code. | |
Member
There was a problem hiding this comment.
Jako tohle WORKSPACE_ID bych teda asi úplně vyhodil, nic to nepřínáší, zbytečná komplikace imho
Member
There was a problem hiding this comment.
Jo, myslel jsem, ze to bude fajn to mit jako ENV, ale jak rikas, ukazuje se, ze s tema ENVama jsou pak jen problemy :)
zubednarova
commented
Apr 29, 2026
…ake-only - Correct https://query.keboola.com/api-docs/ → https://query.keboola.com/api/v1/documentation - Add a prominent warning callout in the Overview that Storage Access currently supports only Snowflake-backed projects, BigQuery coming soon. The same constraint was already in the Limitations section but is easy to miss at the bottom of the page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switch to https://api.keboola.com/?service=query (the canonical service-discovery URL) instead of the previous query.keboola.com path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jira issue(s): PROOF-XXX
https://linear.app/keboola/issue/AJDA-2521/dokumentace-k-direct-access
Changes:
data-apps/storage-access/index.md)_data/navigation.ymldata-apps/index.md— Data Integration bullet now lists the real Data App env vars and links to the canonical list inkeboola/data-app-python-jsThe page covers:
BRANCH_ID,WORKSPACE_ID,QUERY_SERVICE_URL,KBC_TOKEN)Updates since the initial review (addressing @odinuv's comments):
st.cache_dataLatest updates (2026-04-22 – 2026-04-23):
keboola.query-service-client), class (QueryServiceClient), andexecute_query(workspace_id=, query=)signature. Replaced with the realkeboola-query-servicepackage (PyPI package name uses dashes; imported askeboola_query_serviceper standard Python naming),Clientclass, andexecute_query(branch_id=, workspace_id=, statements=[...])returninglist[QueryResult]with.columns(Column objects) /.data/.rows_affectedattributes.BRANCH_ID,WORKSPACE_ID,QUERY_SERVICE_URL,KBC_TOKEN. The earlier "manifest.json / workspaceId" approach that appeared in previous drafts is no longer in the file. Updated the Data Integration summary ondata-apps/index.mdto match, with a link to the canonical env-vars list in keboola/data-app-python-js.SQL.literal()/sql.format()helpers being developed in keboola/query-service-api-python-sdk#8 and keboola/query-service-api-js-sdk#3. The current allowlist / type-coercion pattern is positioned as the recommended interim approach until those SDKs ship.UPDATEf-string now explicitly namesint()coercion and theALLOWED_STATUSESallowlist as the only reason the string interpolation is safe, with a warning not to add new form fields without analogous validation.Architecture Overviewheading, normalized Step 1 list spacing, replaced the stubby single-bullet "Stick with Input Mapping when" list with three concrete cases, removed the unusedfrom functools import lru_cachein the cache example.Human review checklist:
PROOF-XXXabove with the real PROOF ticket numberQUERY_SERVICE_URL/WORKSPACE_ID/BRANCH_IDare the exact env var names set by the Data App runtime when Storage Access is enabledKBC_TOKENis the right token for Query Service calls from a Data App with Storage Access (the data-app-python-js README listsKBC_TOKENas "Only with Data Loader" — clarify whether Storage Access apps receive it through the same env var)Link to Devin session: https://app.devin.ai/sessions/736de691ac2745488c7bcae1df0a850c
Requested by: @zubednarova