allows you to completely define and configure the topology and services you want to use on your project.

Unlike other PaaS services, is batteries included which means that you don’t need to subscribe to an external service to get a cache or a search engine. And that those services are managed. When you back up your project, all of the services are backed-up. Services are configured through the .platform/services.yaml file you will need to commit to your Git repository. This section describes specifics you might want to know about for each service."

If you do not need additional services, you can leave the .platform/services.yaml file empty. This is the recommended approach for a static website.


Here is an example of a .platform/services.yaml file:

    type: mysql:10.1
    disk: 2048

    type: postgresql:9.6
    disk: 1024



The name you want to give to your service. You are free to name each service as you wish (lowercase alphanumeric only).


The type of your service. It’s using the format type:version.

If you specify a version number which is not available, you’ll see this error when pushing your changes:

Validating configuration files.
E: Error parsing configuration files:
    - services.mysql.type: 'mysql:5.6' is not a valid service type.

Service types and their supported versions include:

Service type Supported version
Headless Chrome chrome-headless 73, 80, 81, 83, 84, 86, 91
Elasticsearch elasticsearch 6.5, 6.8, 7.2, 7.5, 7.7, 7.9, 7.10
InfluxDB influxdb 1.2, 1.3, 1.7, 1.8
Kafka kafka 2.1, 2.2, 2.3, 2.4, 2.5
MariaDB/MySQL mariadb 10.0, 10.1, 10.2, 10.3, 10.4, 10.5
Memcached memcached 1.4, 1.5, 1.6
MongoDB mongodb
Network Storage network-storage 1.0
Oracle MySQL oracle-mysql 5.7, 8.0
PostgreSQL postgresql 9.6, 10, 11, 12, 13
RabbitMQ rabbitmq 3.5, 3.6, 3.7, 3.8
Redis redis 3.2, 4.0, 5.0, 6.0
Solr solr 7.7, 8.0, 8.4, 8.6
Varnish varnish 5.1, 5.2, 6.0, 6.3
Vault vault-kms 1.6


The disk attribute is the size of the persistent disk (in MB) allocated to the service.

For example, the current default storage amount per project is 5GB (meaning 5120MB) which you can distribute between your application (as defined in and each of its services. For memory-resident-only services such as memcache or redis, the disk key is not available and will generate an error if present.


By default, will allocate CPU and memory resources to each container automatically. Some services are optimized for high CPU load, some for high memory load. By default, will try to allocate the largest “fair” size possible to all services, given the available resources on the plan. That is not always optimal, however, and you can customize that behavior on any service or on any application container. See the application sizing page for more details.

Service timezones 

All services have their system timezone set to UTC by default. In most cases that is the best option. For some applications it’s possible to change the application timezone, which will affect only the running application itself.

  • MySQL - You can change the per-connection timezone by running SQL SET time_zone = <timezone>;.
  • PostgreSQL - You can change the timezone of current session by running SQL SET TIME ZONE <timezone>;.

Using the services 

In order for a service to be available to an application in your project ( supports not only multiple backends but also multiple applications in each project) you will need to refer to it in the file which configures the relationships between applications and services.


All services offer one or more endpoints. An endpoint is simply a named set of credentials that can be used to give access to other applications and services in your project to that service. Only some services support multiple user-defined endpoints. If you do not specify one then one will be created with a standard defined name, generally the name of the service type (e.g., mysql or solr). An application container, defined by a file, always exposes an endpoint named http to allow the router to forward requests to it.

When defining relationships in a configuration file you will always address a service as <servicename>:<endpoint>. See the appropriate service page for details on how to configure multiple endpoints for each service that supports it.

Connecting to a service 

Once a service is running and exposed as a relationship, its appropriate credentials (host name, username if appropriate, etc.) will be exposed through the PLATFORM_RELATIONSHIPS environment variable. The structure of each is documented on the appropriate service’s page, along with sample code for how to connect to it from your application. Note that different applications manage configuration differently so the exact code will vary from one application to another.

Be aware that the keys in the PLATFORM_RELATIONSHIPS structure are fixed but the values they hold may change on any deployment or restart. Never hard-code connection credentials for a service into your application. You should re-check the environment variable every time your script or application starts.

Access to the database or other services is only available from within the cluster. For security reasons, they cannot be accessed directly. However, they can be accessed over an SSH tunnel. There are two ways to do so. (The example here uses MariaDB but the process is largely identical for any service.)

Obtaining service credentials 

In either case, you will also need the service credentials. For that, run platform relationships. That will give output similar to the following:

        service: rediscache
        cluster: jyu7waly36ncj-master-7rqtwti
        host: redis.internal
        rel: redis
        scheme: redis
        port: 6379
        username: user
        scheme: mysql
        service: mysqldb
        cluster: jyu7waly36ncj-master-7rqtwti
        host: database.internal
        rel: mysql
        path: main
            is_master: true
        password: ''
        port: 3306

That indicates that the database relationship can be accessed at host database.internal, user user, and an empty password. The path key contains the database name, main. The other values can be ignored.

Open an SSH tunnel directly 

The first option is to open an SSH tunnel for all of your services. You can do so with the CLI, like so:

$ platform tunnel:open
SSH tunnel opened on port 30000 to relationship: redis
SSH tunnel opened on port 30001 to relationship: database
Logs are written to: ~/.platformsh/tunnels.log

List tunnels with: platform tunnels
View tunnel details with: platform tunnel:info
Close tunnels with: platform tunnel:close

The tunnel:open command will connect all relationships defined in the file to local ports, starting at 30000. You can then connect to those ports on localhost using the program of your choice.

The platform tunnels command will list all open tunnels:

| Port  | Project       | Environment | App       | Relationship |
| 30000 | a43m75zns6k4c | master      | [default] | redis        |
| 30001 | a43m75zns6k4c | master      | [default] | database     |

In this example, we would connect to localhost:30001, database name main, with username user and an empty password.

Using an application tunnel 

Alternatively, many database applications (such as MySQL Workbench and similar tools) support establishing their own SSH tunnel. Consult the documentation for your application for how to enter SSH credentials, including telling it where your SSH private key is. ( does not support password-based SSH authentication.)

To get the values to use, the easiest way is to run platform ssh --pipe. That will return a command line that can be used to connect over SSH, from which you can pull the appropriate information. For example:

In this case, the username is jyu7waly36ncj-master-7rqtwti--app and the host is Note that the host will vary per region, and the username will vary per environment.

In this example, we would configure our database application to set up a tunnel to as user jyu7waly36ncj-master-7rqtwti--app, and then connect to the database on host database.internal, username user, empty password, and database name main.