Use environment variables for model providers

langchain guide advanced configuration ide models deployment workflows
no

Original Documentation

Documentation Index#

Fetch the complete documentation index at: https://docs.langchain.com/llms.txt Use this file to discover all available pages before exploring further.

This feature is only available on Helm chart versions 0.10.27 (application version 0.10.74) and later.

Many model providers support setting credentials and other configuration options through environment variables. This is useful for self-hosted deployments where you want to avoid hardcoding sensitive information in your code or configuration files. In LangSmith, most model interactions are done through the playground service, which allows you to configure many of those environment variables directly on the pod itself. This can be useful to avoid having to set credentials in the UI.

Requirements#

  • A self-hosted LangSmith instance with the playground service running.
  • The provider you want to configure must support environment variables for configuration. Check the provider’s Chat Model documentation for more information.
  • The secrets/roles you may want to attach to the playground service.
    • Note that for IRSA you may need to grant the langsmith-playground service account the necessary permissions to access the secrets or roles in your cloud provider.

Configuration#

With the parameters from above, you can configure your LangSmith instance to use environment variables for model providers. You can do this by modifying the langsmith_config.yaml file for your LangSmith Helm Chart installation or the docker-compose.yaml file for your Docker installation.

playground:
  deployment:
    extraEnv:
      - name: OPENAI_BASE_URL
        value: https://<my_proxy_url>
      - name: OPENAI_API_KEY
        valueFrom:
          secretKeyRef:
            name: <your_secret_name>
            key: api_key
  serviceAccount: # Can be useful if you want to use IRSA or workload identity
    annotations:
      eks.amazonaws.com/role-arn: <your_role_arn>
# In your docker-compose.yaml file
langchain-playground:
  environment:
    .. # Other environment variables
    - OPENAI_BASE_URL=https://<my_proxy_url>
    - OPENAI_API_KEY=<your_key> # This will be set in the .env file

VertexAI configuration#

You can configure VertexAI credentials for the playground service using either environment variables with secrets or workload identity (GCP Workload Identity for GKE or AWS IRSA for EKS).

Using secrets#

Configure VertexAI credentials using Kubernetes secrets:

playground:
  deployment:
    extraEnv:
      # Playground-specific secret (recommended)
      - name: GOOGLE_VERTEX_AI_WEB_CREDENTIALS
        valueFrom:
          secretKeyRef:
            name: gcp-vertexai-secret
            key: credentials_json  # Your full service account JSON as string
      # Standard fallback option
      - name: GOOGLE_APPLICATION_CREDENTIALS
        value: /secrets/gcp-key.json
      # Optional: Set project/location if not in model config
      - name: GOOGLE_CLOUD_PROJECT
        value: "your-gcp-project-id"
      - name: VERTEXAI_PROJECT_ID
        value: "your-gcp-project-id"
      - name: VERTEXAI_LOCATION
        value: "us-central1"
    extraVolumeMounts:
      - name: gcp-secret-volume
        mountPath: /secrets
        readOnly: true
    extraVolumes:
      - name: gcp-secret-volume
        secret:
          secretName: gcp-key-json  # JSON file secret
          defaultMode: 0444
# In your docker-compose.yaml file
langchain-playground:
  environment:
    .. # Other environment variables
    - GOOGLE_VERTEX_AI_WEB_CREDENTIALS=<your_service_account_json>  # Full JSON as string
    # Or use file path
    - GOOGLE_APPLICATION_CREDENTIALS=/secrets/gcp-key.json
    - GOOGLE_CLOUD_PROJECT=your-gcp-project-id
    - VERTEXAI_PROJECT_ID=your-gcp-project-id
    - VERTEXAI_LOCATION=us-central1
  volumes:
    - ./gcp-key.json:/secrets/gcp-key.json:ro

Using workload identity#

You can configure the playground service account to use workload identity to assume a GCP service account role without storing credentials. This is the recommended approach for GKE clusters.

GCP Workload Identity (GKE)#

For GKE clusters, use GCP Workload Identity:

playground:
  deployment:
    extraEnv:
      # Optional: Set project/location if not in model config
      - name: GOOGLE_CLOUD_PROJECT
        value: "your-gcp-project-id"
      - name: VERTEXAI_PROJECT_ID
        value: "your-gcp-project-id"
      - name: VERTEXAI_LOCATION
        value: "us-central1"
    # No credentials needed - pod assumes GCP SA role via annotation
  serviceAccount:
    create: true  # Enable if not exists
    annotations:
      iam.gke.io/gcp-service-account: "vertexai-sa@your-gcp-project.iam.gserviceaccount.com"

When using GCP Workload Identity, ensure the GCP service account has the required VertexAI permissions (e.g., roles/aiplatform.user).

AWS IRSA (EKS)#

For EKS clusters, you can use AWS IRSA to assume a GCP service account role:

playground:
  deployment:
    extraEnv:
      # Optional: Set project/location if not in model config
      - name: GOOGLE_CLOUD_PROJECT
        value: "your-gcp-project-id"
      - name: VERTEXAI_PROJECT_ID
        value: "your-gcp-project-id"
      - name: VERTEXAI_LOCATION
        value: "us-central1"
    # No credentials needed - pod assumes GCP SA role via AWS IAM role
  serviceAccount:
    create: true  # Enable if not exists
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<account>:role/LangSmith-VertexAI-Role

When using AWS IRSA, ensure your AWS IAM role has the necessary permissions to assume the GCP service account role, and that the GCP service account has the required VertexAI permissions.

Edit this page on GitHub or file an issue.

Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

Link last verified June 7, 2026. View original ↗
Source: LangChain Docs
Link last verified: 2026-03-04