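# ConsoleMe development configuration. Nesting below is restored from the
# section structure (the pasted copy had lost its indentation); values are
# unchanged.
url: http://localhost:8081

# The `jwt_secret` value is used to sign and verify authenticated user jwts. If this is not set, ConsoleMe will generate
# a random value on startup. If you run multiple instances of ConsoleMe behind a load balancer, this can be problematic
# because a signed jwt from one ConsoleMe instance will not be valid for other instances.
# jwt_secret: secretoidc

# Enter OIDC configuration from your favorite provider. We've tested Okta and Google.
# oidc_secrets:
#   client_id: 12345
#   secret: 12345
#   client_scope:
#     - groups
#     - openid

auth:
  # If `get_user_by_oidc` is true, ConsoleMe will attempt to authenticate the user by your OIDC settings. This requires
  # `get_user_by_oidc_settings` and `oidc_secrets` to be set.
  # get_user_by_oidc: true
  set_auth_cookie: true
  force_redirect_to_identity_provider: false

get_user_by_oidc_settings:
  resource: consoleme
  metadata_url: https://dev-12345.okta.com/oauth2/default/.well-known/oauth-authorization-server
  # If you have a metadata URL and it returns JSON with authorization_endpoint, token_endpoint, and jwks_uri, you do
  # not need to specify those values in the configuration.
  # authorization_endpoint: https://dev-123456.okta.com/oauth2/default/v1/authorize
  # token_endpoint: https://dev-123456.okta.com/oauth2/default/v1/token
  # jwks_uri: https://dev-123456.okta.com/oauth2/default/v1/keys
  # NOTE(review): presumably controls signature verification of the provider's tokens; keep it true outside
  # local testing — confirm against ConsoleMe's OIDC handler.
  jwt_verify: true
  jwt_email_key: email
  jwt_groups_key: groups
  grant_type: authorization_code
  id_token_response_key: id_token
  access_token_response_key: access_token
  access_token_audience: "consoleme"

# ConsoleMe uses a Local DynamoDB docker container for development. You won't want this setting in your
# test/prod stacks.
dynamodb_server: http://127.0.0.1:8005
export_to_terraform_enabled: true

# The `cloud_credential_authorization_mapping` configuration is where you would define the IAM role tags that dictate
# which users/groups are authorized to access the role. The tag keys are defined below.
# The tag values should be set to a colon-delimited list of users or groups (Commas are not valid in tag values).
# Users/groups defined in the `authorized_groups_tags` tag can retrieve credentials from ConsoleMe either via the CLI
# or the web interface. Users/groups defined in the `authorized_groups_cli_only_tags` tag can only retrieve credentials
# via the CLI, and will not see the roles in ConsoleMe's UI. This is useful to keep the UI uncluttered.
# Example IAM role tags:
#   consoleme-authorized=user1@example.com:group2@example.com
#   consoleme-owner-dl=appowner@example.com
#   consoleme-authorized-cli-only=group3@example.com
cloud_credential_authorization_mapping:
  role_tags:
    enabled: true
    # Optional: You may require a role to have an entity (Usually ConsoleMe's instance profile) in its assume role
    # trust policy before ConsoleMe will allow users to assume into the role.
    # required_trust_policy_entity: arn:aws:iam::123456789012:role/ConsoleMeInstanceProfile
    authorized_groups_tags:
      - consoleme-authorized
    authorized_groups_cli_only_tags:
      - consoleme-authorized-cli-only
  dynamic_config:
    enabled: true
  internal_plugin:
    enabled: false

# We recommend elasticache for your prod stack. Change these values appropriately to configure it.
redis:
  host:
    us-east-1: 127.0.0.1
    us-west-2: 127.0.0.1
  db: 0
  port: 6379

# Your Celery settings can use the same Elasticache cluster that you've defined above. Configure the `active region`
# to be the region in which you're deployed, or if you're deployed in multiple regions, your `primary` region where all
# of ConsoleMe's caching jobs will run.
celery:
  active_region: us-east-1  # Define your active region here
  debug: false
  broker:
    us-east-1: redis://127.0.0.1:6379/1
    us-west-2: redis://127.0.0.1:6379/1
  backend:
    us-east-1: redis://127.0.0.1:6379/2
    us-west-2: redis://127.0.0.1:6379/2
  result_expires: 86400

# Remove this flag or set it to `false` for a production deploy
development: true

tornado:
  # NOTE(review): like `development` above, this reads as a development-only switch; confirm it is not
  # carried into a production deploy.
  debug: true
  port: 8081
  xsrf: true

# SES settings.
ses:
  consoleme:
    sender: consoleme@example.com
    name: Consoleme

application_admin: consoleme_admins

groups:
  can_admin:
    - consoleme_admins
  can_edit_config:
    - consoleme_admins
  can_admin_policies:
    - consoleme_admins

aws:
  # NOTE(review): unquoted, so a YAML parser yields an int here, unlike the quoted keys in
  # `account_ids_to_name` below — confirm which type the consumer expects before changing it.
  account_number: 123456789012
  region: us-west-2
  issuer: YourCompany
  session_duration: 900

get_eligible_roles:
  from_config: true
  from_prefix: false

headers:
  group_access:
    enabled: true
  policies:
    enabled: true
  config:
    enabled: true

enable_self_service: true

account_ids_to_name:
  '123456789012': account_name_1
  '123456789013': account_name_2

user_role_creator:
  default_trust_policy:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Principal:
          AWS:
            - arn:aws:iam::123456789012:role/ConsoleMeInstanceProfile
        Action: sts:AssumeRole

challenge_url:
  enabled: true

environment: dev

policies:
  role_name: ConsoleMe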