Spice.ai Cloud Platform Data Connector Deployment Guide
Production operating guide for the Spice.ai Cloud Platform data connector covering authentication, Arrow Flight transport, and operational tuning.
Authentication & Secrets​
The connector authenticates to the Spice.ai Cloud Platform using an API key supplied via the spiceai_api_key parameter. Endpoints default to the Spice.ai production cluster; override via endpoint for VPC or regional endpoints.
| Parameter | Description |
|---|---|
spiceai_api_key | Spice.ai Cloud Platform API key. Use ${secrets:...} to resolve from a configured secret store. |
endpoint | Flight endpoint URL. Defaults to the production cluster. Override for VPC / regional endpoints. |
flight_channel_secret | Optional shared secret for Flight gRPC channel authentication, used by internal or on-prem deployments. |
API keys must be sourced from a secret store in production. Rotate keys from the Spice.ai Console and update the secret store without restarting the runtime if the secret store supports live reloads.
Resilience Controls​
Endpoint Verification​
On startup the connector performs a DNS + TCP reachability check against the configured endpoint before attempting a Flight handshake. This surfaces misconfigured endpoints as actionable startup errors rather than slow-failure query errors.
Flight Transport​
Data transfer uses Arrow Flight over gRPC with TLS. Transient gRPC errors (UNAVAILABLE, DEADLINE_EXCEEDED) surface to the caller; retries are handled by the Flight client's default policy.
Append Streams​
The connector supports long-lived append streams (supports_changes_stream) for real-time CDC into accelerated datasets. Stream reconnection is handled automatically; loss of connection to the Cloud Platform results in the dataset being marked Error if the lag exceeds the configured acceptable window (see Data Refresh)..
Capacity & Sizing​
Message Sizing​
Arrow Flight record batches may exceed the default gRPC 4 MiB message limit for wide or dense schemas. Control with:
| Parameter | Default | Description |
|---|---|---|
max_message_size | 4MB | Maximum inbound gRPC message size. Raise for wide result sets or many string columns. |
Set via Spice configuration or via environment at runtime startup. Accepted units: B, KB, MB, GB.
Network​
- The Spice.ai Cloud Platform is a managed service; place Spice runtime in a region geographically close to your Cloud Platform region to minimize round-trip latency.
- Expect typical query round-trip latency in the tens of milliseconds + result streaming time; for interactive dashboards, accelerate (
acceleration: enabled) to cache into a local engine.
Authentication Token Lifetime​
API keys do not expire. Rotation is manual and must be coordinated via the secret store used by the runtime.
Metrics​
Flight transport metrics are collected via the shared Flight client instrumentation. The connector does not currently register Spice.ai-specific dataset-level instruments. Monitor the connector via:
- Query execution metrics (
query_duration_ms,query_processed_rows,query_failures_total) fromruntime.metrics. - Acceleration refresh metrics when the dataset is accelerated (
refresh_last_duration_ms,refresh_errors_total). - Upstream Spice.ai Console metrics on the source dataset.
See Component Metrics for general configuration.
Task History​
Queries to the Spice.ai Cloud Platform participate in task history via the Flight client spans. Each Flight request is recorded as a child of the enclosing sql_query or accelerated_table_refresh task.
Known Limitations​
- Read-only: The connector is read-only; writes to the Cloud Platform are done via the Spice CLI / Console, not the runtime.
- Single endpoint per dataset: A dataset binds to a single
endpoint. Multi-region failover must be handled at the load-balancer / DNS layer. - API key auth only: OIDC / SSO is not currently supported at the data-plane connector.
Troubleshooting​
| Symptom | Likely cause | Resolution |
|---|---|---|
Failed to connect to SpiceAI endpoint | DNS, firewall, or TLS issue against endpoint. | Verify DNS resolution and outbound 443 connectivity. Test with grpcurl -insecure <endpoint>:443 list. |
UNAUTHENTICATED on Flight handshake | Invalid / expired / wrong-environment API key. | Regenerate the key in the Spice.ai Console, update the secret store. |
message size exceeded / ResourceExhausted | Row batch exceeds gRPC message limit. | Increase max_message_size, or narrow the query projection. |
| Append stream stalled; acceleration lag climbing | Network partition or upstream dataset paused. | Check Cloud Platform status; verify the source dataset is healthy; restart the runtime to re-establish the stream. |
Sudden 5xx / UNAVAILABLE errors | Transient service-side issue. | Flight client auto-retries; if persistent, check Spice.ai status page. |
