Skip to main content

Configuration

The Configure section of the Pomerium Enterprise Console houses settings that affect the entirety of the Console environment (across all Namespaces). Adjust these settings with care.

Outbound network requirements

Pomerium Enterprise Console may require outbound HTTPS (TCP 443) access to:

Directory sync

Directory sync enumerates users and groups from a directory provider so Pomerium Core can use directory-backed identity data. In the Console, go to Settings > Directory Sync. The tab shows Identity Provider, Polling Min Delay, and Polling Max Delay. Identity Provider renders a provider selector with None as the empty value; leaving it empty disables directory sync. When a provider is selected, the Console shows provider-specific options below the selector.

When the Console exports settings to Core, Identity Provider maps to directory_provider, the provider-specific values map to directory_provider_options, Polling Min Delay maps to directory_provider_refresh_interval, and Polling Max Delay maps to directory_provider_refresh_timeout. Core uses these settings to choose the directory provider, store provider options as a generic JSON object, refresh the directory cache, and limit a single refresh attempt.

You can seed the same persisted Console settings at startup with directory_provider, directory_provider_options, directory_provider_refresh_interval, and directory_provider_refresh_timeout in config.yaml, or with the matching environment variables in the table below. If unset, directory_provider_refresh_interval defaults to 10m, and directory_provider_refresh_timeout — the deadline for a single refresh attempt — also defaults to 10m.

Auto-apply changesets

auto_apply_changesets controls whether configuration changesets apply automatically (true) or wait for an administrator to apply them (false). The Enterprise Console has no UI control for it; set it through the Console management API. Pomerium Zero exposes it as the Auto-apply changesets toggle under Settings > Advanced.

Variables

The keys listed below can be applied in Pomerium Console's config.yaml file or as environment variables.

All values are case sensitive unless otherwise noted.

NameDescriptionDefault Value
#ADMINISTRATORSA list of user ids, names or emails to make administrators. Useful for bootstrapping.none
#AUDIENCEA list of audiences for verifying the signing key.[]
#AUTHENTICATE_SERVICE_URL(deprecated) Authenticate service URL is not required in the Console configuration. For Device Enrollment, use the external route URL.none
#BIND_ADDRThe address the Pomerium Console will listen on.:8701
#BOOTSTRAP_SERVICE_ACCOUNTEnable the bootstrap service account.false
#CACHE_DIRDirectory to use for caching.Cache only in memory.
#CUSTOMER_IDThe customer IDnone
#DATABASE_ENCRYPTION_KEYThe base64-encoded encryption key for encrypting sensitive data in the database.none
#DATABASE_ENCRYPTION_KEY_FILELoads base64-encoded database-encryption-key secret from a file.none
#DATABASE_ENCRYPTION_KEY_RAW_FILELoads database-encryption-key secret from a raw file. Setting this option from a raw file does not require base64 encoding.none
#DATABASE_URLThe database Pomerium Enterprise Console will use.postgresql://pomerium:pomerium
@localhost:5432/dashboard?sslmode=disable
#DATABROKER_SERVICE_URLDatabroker service URL for Console to reach Core. Leave unset in the default single-process deployment (Console uses http://localhost:5443). Set only when the databroker runs on another host/port or Core is split/remote.http://localhost:5443
#DEBUG_CONFIG_DUMPDumps the Databroker configuration. This is a debug option to be used only when specified by Pomerium Support.false
#DIRECTORY_PROVIDERDirectory-sync provider Pomerium uses to enumerate users and groups. Empty disables directory sync.none
#DIRECTORY_PROVIDER_OPTIONSProvider-specific options for the directory provider, as a JSON object.none
#DIRECTORY_PROVIDER_REFRESH_INTERVALHow often Pomerium refreshes the directory cache.10m
#DIRECTORY_PROVIDER_REFRESH_TIMEOUTPer-attempt timeout for a single directory refresh cycle.10m
#DISABLE_FEEDBACK_WIDGETDisables third-party feedback widget and removes it from the Enterprise Console.false
#DISABLE_REMOTE_DIAGNOSTICSDisable remote diagnostics.true
#DISABLE_VALIDATION(deprecated, please update your configuration to set VALIDATION_MODE=none instead) Disable config validation.false
#GRPC_ADDRThe address to listen for gRPC on.:8702
#HELPhelp for servefalse
#LICENSE_KEYRequired: Provide the license key issued by your account team.none
#OVERRIDE_CERTIFICATE_NAMEOverrides the certificate name used for the databroker connection.none
#PROMETHEUS_DATA_DIRThe path to Prometheus datanone
#PROMETHEUS_LISTEN_ADDRWhen set, embedded Prometheus listens at this address. Set as host:port127.0.0.1:9090
#PROMETHEUS_SCRAPE_INTERVALThe Prometheus scrape frequency10s
#PROMETHEUS_URLThe URL to access the Prometheus metrics server.none
#SHARED_SECRETThe base64-encoded secret for signing JWTs, shared with OSS Pomerium.none
#SHARED_SECRET_FILELoads base64-encoded shared-secret from a file.none
#SHARED_SECRET_RAW_FILELoads shared-secret from a raw file. Setting this option from a raw file does not require base64 encoding.none
#SIGNING_KEY(deprecated) base64-encoded signing key (public or private) for verifying JWTs. This option is no longer required in the Console config.none
#SIGNING_KEY_FILELoads base64-encoded signing-key secret from a file.none
#SIGNING_KEY_RAW_FILELoads signing-key secret from a raw file. Setting this option from a raw file does not require base64 encoding.none
#TLS_CAbase64-encoded string of tls-canone
#TLS_CA_FILEfile storing tls-canone
#TLS_CERTbase64-encoded string of tls-certnone
#TLS_CERT_FILEfile storing tls-certnone
#TLS_DERIVEDerives TLS server certificate for the console HTTPS and gRPC endpoints for the host specified by this option, using the CA derived from the shared key. Uses this CA to verify the server certificate presented by the Databroker gRPC TLS when the tls_derive option is set in the Pomerium Core.none
#TLS_INSECURE_SKIP_VERIFYDisable remote hosts TLS certificate chain and hostname checks.false
#TLS_KEYbase64-encoded string of tls-keynone
#TLS_KEY_FILEfile storing tls-keynone
#USE_STATIC_ASSETSWhen false, forward static requests to localhost:3000.true
#VALIDATION_MODEValidates config based on the specified mode: full (The default config validation mode), static (A "light" validation mode that catches most config issues), or none (Disables config validation).full