@castrapel
Created February 23, 2021 05:52
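---
# ConsoleMe development configuration. Indentation below is the intended nesting; the values are local-development
# defaults (loopback addresses, debug flags, placeholder secrets) and are called out where they must change for prod.
url: http://localhost:8081
# The `jwt_secret` value is used to sign and verify authenticated user jwts. If this is not set, ConsoleMe will generate
# a random value on startup. If you run multiple instances of ConsoleMe behind a load balancer, this can be problematic
# because a signed jwt from one ConsoleMe instance will not be valid for other instances.
# For a multi-instance deployment set it to a long random value and supply it from a secret store rather than
# committing it with this file; `secretoidc` below is only a placeholder.
# jwt_secret: secretoidc
# Enter OIDC configuration from your favorite provider. We've tested Okta and Google.
# The `12345` values are placeholders; the real client secret should also come from a secret store, not this file.
# oidc_secrets:
#   client_id: 12345
#   secret: 12345
#   client_scope:
#     - email
#     - groups
#     - openid
auth:
  # If `get_user_by_oidc` is true, ConsoleMe will attempt to authenticate the user by your OIDC settings. This requires
  # `get_user_by_oidc_settings` and `oidc_secrets` to be set.
  # get_user_by_oidc: true
  set_auth_cookie: true
  force_redirect_to_identity_provider: false
get_user_by_oidc_settings:
  resource: consoleme
  metadata_url: https://dev-12345.okta.com/oauth2/default/.well-known/oauth-authorization-server
  # If you have a metadata URL and it returns JSON with authorization_endpoint, token_endpoint, and jwks_uri, you do
  # not need to specify those values in the configuration.
  # authorization_endpoint: https://dev-123456.okta.com/oauth2/default/v1/authorize
  # token_endpoint: https://dev-123456.okta.com/oauth2/default/v1/token
  # jwks_uri: https://dev-123456.okta.com/oauth2/default/v1/keys
  # Do not disable `jwt_verify` outside a throwaway local setup: the email and group claims read via `jwt_email_key`
  # and `jwt_groups_key` are only trustworthy when the token itself has been verified.
  jwt_verify: true
  jwt_email_key: email
  jwt_groups_key: groups
  grant_type: authorization_code
  id_token_response_key: id_token
  access_token_response_key: access_token
  access_token_audience: "consoleme"
# ConsoleMe uses a Local DynamoDB docker container for development. You won't want this setting in your
# test/prod stacks.
dynamodb_server: http://127.0.0.1:8005
export_to_terraform_enabled: true
# The `cloud_credential_authorization_mapping` configuration is where you would define the IAM role tags that dictate
# which users/groups are authorized to access the role. The tag keys are defined below.
# The tag values should be set to a colon-delimited list of users or groups (Commas are not valid in tag values).
# Users/groups defined in the `authorized_groups_tags` tag can retrieve credentials from ConsoleMe either via the CLI
# or the web interface. Users/groups defined in the `authorized_groups_cli_only_tags` tag can only retrieve credentials
# via the CLI, and will not see the roles in ConsoleMe's UI. This is useful to keep the UI uncluttered.
# Because these tags grant access, whoever can edit tags on a role can grant access to it; restrict `iam:TagRole`
# accordingly.
# Example IAM role tags:
# consoleme-authorized=user1@example.com:group2@example.com
# consoleme-owner-dl=appowner@example.com
# consoleme-authorized-cli-only=group3@example.com
cloud_credential_authorization_mapping:
  role_tags:
    enabled: true
    # Optional: You may require a role to have an entity (Usually ConsoleMe's instance profile) in its assume role
    # trust policy before ConsoleMe will allow users to assume into the role.
    # required_trust_policy_entity: arn:aws:iam::123456789012:role/ConsoleMeInstanceProfile
    authorized_groups_tags:
      - consoleme-authorized
    authorized_groups_cli_only_tags:
      - consoleme-authorized-cli-only
  dynamic_config:
    enabled: true
  internal_plugin:
    enabled: false
# We recommend elasticache for your prod stack. Change these values appropriately to configure it.
# The loopback addresses below are development values only.
redis:
  host:
    us-east-1: 127.0.0.1
    us-west-2: 127.0.0.1
  db: 0
  port: 6379
# Your Celery settings can use the same Elasticache cluster that you've defined above. Configure the `active region`
# to be the region in which you're deployed, or if you're deployed in multiple regions, your `primary` region where all
# of ConsoleMe's caching jobs will run.
celery:
  active_region: us-east-1  # Define your active region here
  debug: false
  broker:
    us-east-1: redis://127.0.0.1:6379/1
    us-west-2: redis://127.0.0.1:6379/1
  backend:
    us-east-1: redis://127.0.0.1:6379/2
    us-west-2: redis://127.0.0.1:6379/2
  # Seconds to keep task results in the backend (86400 = one day).
  result_expires: 86400
# Remove this flag or set it to `false` for a production deploy. The same applies to `tornado.debug` below.
development: true
tornado:
  debug: true
  port: 8081
  # Keep XSRF protection enabled.
  xsrf: true
# SES settings.
ses:
  consoleme:
    sender: consoleme@example.com
    name: Consoleme
application_admin: consoleme_admins
# Groups named here hold administrative rights over ConsoleMe itself, its configuration and its policy workflows;
# keep their membership small and reviewed.
groups:
  can_admin:
    - consoleme_admins
  can_edit_config:
    - consoleme_admins
  can_admin_policies:
    - consoleme_admins
aws:
  # Unquoted, a 12-digit value is parsed as an integer, so an account ID with a leading zero would lose it. Quote it
  # (as the `account_ids_to_name` keys below are) if yours starts with 0 — confirm the consumer accepts a string.
  account_number: 123456789012
  region: us-west-2
  issuer: YourCompany
  # Presumably seconds; 900 is the shortest duration STS accepts for AssumeRole.
  session_duration: 900
get_eligible_roles:
  from_config: true
  from_prefix: false
headers:
  group_access:
    enabled: true
  policies:
    enabled: true
  config:
    enabled: true
enable_self_service: true
account_ids_to_name:
  # Keys are quoted so they stay strings rather than being read as integers.
  '123456789012': account_name_1
  '123456789013': account_name_2
user_role_creator:
  # Trust policy applied to roles ConsoleMe creates: only the ConsoleMe instance profile may assume them.
  # Keep the Principal this narrow.
  default_trust_policy:
    # Quoted so the policy version is kept as a string and not parsed as a date.
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Principal:
          AWS:
            - arn:aws:iam::123456789012:role/ConsoleMeInstanceProfile
        Action: sts:AssumeRole
challenge_url:
  enabled: true
environment: dev
policies:
  role_name: ConsoleMe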