Configuration

The Configure section of the Pomerium Enterprise Console houses settings that affect the entirety of the Console environment (across all Namespaces). Adjust these settings with care.

Variables

The keys listed below can be applied in Pomerium Console's config.yaml file or as environment variables.

All values are case sensitive unless otherwise noted.

| Name | Description | Default Value |
| --- | --- | --- |
| ADMINISTRATORS | A list of user ids, names or emails to make administrators. Useful for bootstrapping. | none |
| AUDIENCE | A list of audiences for verifying the signing key. | [] |
| AUTHENTICATE_SERVICE_URL | (deprecated) Authenticate service URL is not required in the Console configuration. For Device Enrollment, use the external route URL. | none |
| BIND_ADDR | The address the Pomerium Console will listen on. | :8701 |
| CUSTOMER_ID | The customer ID | none |
| DATABASE_ENCRYPTION_KEY | The base64-encoded encryption key for encrypting sensitive data in the database. | none |
| DATABASE_ENCRYPTION_KEY_FILE | Loads base64-encoded database-encryption-key secret from a file. | none |
| DATABASE_ENCRYPTION_KEY_RAW_FILE | Loads database-encryption-key secret from a raw file. Setting this option from a raw file does not require base64 encoding. | none |
| DATABASE_URL | The database Pomerium Enterprise Console will use. | postgresql://pomerium:pomerium@localhost:5432/dashboard?sslmode=disable |
| DATABROKER_SERVICE_URL | The databroker service URL. | http://localhost:5443 |
| DEBUG_CONFIG_DUMP | Dumps the Databroker configuration. This is a debug option to be used only when specified by Pomerium Support. | false |
| DISABLE_FEEDBACK_WIDGET | Disables third-party feedback widget and removes it from the Enterprise Console. | false |
| DISABLE_REMOTE_DIAGNOSTICS | Disable remote diagnostics. | true |
| DISABLE_VALIDATION | (deprecated, please update your configuration to set VALIDATION_MODE=none instead) Disable config validation. | false |
| GRPC_ADDR | The address to listen for gRPC on. | :8702 |
| HELP | help for serve | false |
| LICENSE_KEY | Required: Provide the license key issued by your account team. | none |
| OVERRIDE_CERTIFICATE_NAME | Overrides the certificate name used for the databroker connection. | none |
| PROMETHEUS_DATA_DIR | The path to Prometheus data | none |
| PROMETHEUS_LISTEN_ADDR | When set, embedded Prometheus listens at this address. Set as host:port | 127.0.0.1:9090 |
| PROMETHEUS_SCRAPE_INTERVAL | The Prometheus scrape frequency | 10s |
| PROMETHEUS_URL | The URL to access the Prometheus metrics server. | none |
| SHARED_SECRET | The base64-encoded secret for signing JWTs, shared with OSS Pomerium. | none |
| SHARED_SECRET_FILE | Loads base64-encoded shared-secret from a file. | none |
| SHARED_SECRET_RAW_FILE | Loads shared-secret from a raw file. Setting this option from a raw file does not require base64 encoding. | none |
| SIGNING_KEY | (deprecated) base64-encoded signing key (public or private) for verifying JWTs. This option is no longer required in the Console config. | none |
| SIGNING_KEY_FILE | Loads base64-encoded signing-key secret from a file. | none |
| SIGNING_KEY_RAW_FILE | Loads signing-key secret from a raw file. Setting this option from a raw file does not require base64 encoding. | none |
| TLS_CA | base64-encoded string of tls-ca | none |
| TLS_CA_FILE | file storing tls-ca | none |
| TLS_CERT | base64-encoded string of tls-cert | none |
| TLS_CERT_FILE | file storing tls-cert | none |
| TLS_DERIVE | Derives TLS server certificate for the console HTTPS and gRPC endpoints for the host specified by this option, using the CA derived from the shared key. Uses this CA to verify the server certificate presented by the Databroker gRPC TLS when the tls_derive option is set in the Pomerium Core. | none |
| TLS_INSECURE_SKIP_VERIFY | Disable remote hosts TLS certificate chain and hostname checks. | false |
| TLS_KEY | base64-encoded string of tls-key | none |
| TLS_KEY_FILE | file storing tls-key | none |
| USE_STATIC_ASSETS | When false, forward static requests to localhost:3000. | true |
| VALIDATION_MODE | Validates config based on the specified mode: full (The default config validation mode), static (A "light" validation mode that catches most config issues), or none (Disables config validation). | full |
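
The following pre-deployment check is an added example, not part of the Pomerium documentation or code: it audits a set of Console settings for values this reference describes as deprecated, debug-only, or as disabling a safety check, and for the documented default database URL. The `audit` and `is_true` helpers, the boolean parsing and the `SAMPLE` values are assumptions made for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Names and defaults below are copied from the reference table.
DEPRECATED = ("AUTHENTICATE_SERVICE_URL", "DISABLE_VALIDATION", "SIGNING_KEY")
BASE64_KEYS = ("DATABASE_ENCRYPTION_KEY", "SHARED_SECRET")
DEFAULT_DB_URL = ("postgresql://pomerium:pomerium"
                  "@localhost:5432/dashboard?sslmode=disable")

def is_true(settings, key):
    # Assumption: booleans are spelled "true"/"false"; compared case-insensitively.
    return str(settings.get(key, "false")).strip().lower() == "true"

def audit(settings):
    """Return (key, finding) pairs for a dict of Console settings."""
    out = [(k, "deprecated option is still set") for k in DEPRECATED if k in settings]
    if is_true(settings, "TLS_INSECURE_SKIP_VERIFY"):
        out.append(("TLS_INSECURE_SKIP_VERIFY", "certificate chain and hostname checks are disabled"))
    if is_true(settings, "DEBUG_CONFIG_DUMP"):
        out.append(("DEBUG_CONFIG_DUMP", "debug dump enabled; only for use with Pomerium Support"))
    mode = settings.get("VALIDATION_MODE", "full")
    if mode == "none":
        out.append(("VALIDATION_MODE", "config validation is disabled"))
    elif mode not in ("full", "static"):
        out.append(("VALIDATION_MODE", "not one of full, static, none"))
    for key in BASE64_KEYS:
        if key in settings:
            try:
                base64.b64decode(settings[key], validate=True)
            except (binascii.Error, ValueError):
                out.append((key, "value is not valid base64"))
    # An unset DATABASE_URL falls back to the documented default.
    db = urlsplit(settings.get("DATABASE_URL", DEFAULT_DB_URL))
    if parse_qs(db.query).get("sslmode", [""])[0] == "disable":
        out.append(("DATABASE_URL", "sslmode=disable: connection is not encrypted"))
    if (db.username, db.password) == ("pomerium", "pomerium"):
        out.append(("DATABASE_URL", "uses the documented default credentials"))
    return out

# Constructed sample settings, not taken from a real deployment.
SAMPLE = {
    "TLS_INSECURE_SKIP_VERIFY": "true",
    "VALIDATION_MODE": "none",
    "SIGNING_KEY": "AAAA",
    "SHARED_SECRET": "not base64!!",
    "DATABASE_URL": "postgresql://console:example@db.internal:5432/dashboard?sslmode=verify-full",
}

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

Pass `dict(os.environ)` or the parsed settings mapping to `audit` in a deployment pipeline and fail the job when the returned list is not empty.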