Version: Next

Configuration variables

As a Spring Boot application, Identity supports any standard Spring configuration method.

Core configuration

| Environment variable | Description | Default value |
| --- | --- | --- |
| IDENTITY_AUTH_PROVIDER_BACKEND_URL | Used to support container-to-container communication. | http://localhost:18080/auth/realms/camunda-platform |
| IDENTITY_AUTH_PROVIDER_ISSUER_URL | Used to denote the token issuer. | http://localhost:18080/auth/realms/camunda-platform |
| IDENTITY_BASE_PATH | Used to configure Identity to run on a subpath (requires HTTPS for IDENTITY_URL). | |
| IDENTITY_CLIENT_ID | The client ID for the Identity client. | camunda-identity |
| IDENTITY_CLIENT_SECRET | The client secret for the Identity client. | |
| IDENTITY_LOG_LEVEL | The level at which to log messages. | INFO |
| IDENTITY_LOG_PATTERN | The pattern to use when logging. | %clr{%d{yyyy-MM-dd HH:mm:ss.SSS}}{faint} %clr{%5p} %clr{${sys:PID}}{magenta} %clr{---}{faint} %clr{[%15.15t]}{faint} %clr{%-40.40c{1.}}{cyan} %clr{:}{faint} %m%n%xwEx |
| IDENTITY_URL | The URL of the Identity service. | http://localhost:8080 |
| KEYCLOAK_REALM | The name of the Keycloak realm to connect to. | camunda-platform |
| KEYCLOAK_SETUP_USER | The username of a user with admin access to Keycloak. | admin |
| KEYCLOAK_SETUP_PASSWORD | The password of a user with admin access to Keycloak. | admin |
| KEYCLOAK_SETUP_REALM | The realm that the setup user is in. | master |
| KEYCLOAK_SETUP_CLIENT_ID | The client to use for authentication during setup of the provided Keycloak. | admin-cli |
| KEYCLOAK_URL | The URL of the Keycloak instance to use. | http://localhost:18080/auth |

License configuration

Camunda 8 Self-Managed only

Installations of Camunda 8 Self-Managed which require a license can provide their license key to the components as an environment variable:

| Environment variable | Description | Default value |
| --- | --- | --- |
| CAMUNDA_LICENSE_KEY | Your Camunda 8 license key, if your installation requires a license. | None |

For Helm installations, license keys can be configured globally in your values.yaml file. See the Helm installation documentation for more details.

note

Camunda 8 components without a valid license may display Non-Production License in the navigation bar and issue warnings in the logs. These warnings have no impact on startup or functionality, with the exception that Web Modeler has a limitation of five users. To obtain a license, visit the Camunda Enterprise page.

OIDC configuration

Claims are name/value pairs used to represent an individual identity. Configure your initial claim and value to match the claim used with your OIDC provider. For example, to use your Microsoft Entra unique account ID, set IDENTITY_INITIAL_CLAIM_NAME to oid, and IDENTITY_INITIAL_CLAIM_VALUE to the ID.

note

Once set, you cannot update your initial claim name and value using environment or Helm values. You must change these values directly in the database.

| Environment variable | Description | Default value |
| --- | --- | --- |
| IDENTITY_INITIAL_CLAIM_NAME | The type of claim to use for the initial user. Examples can include oid, name or email. | oid |
| IDENTITY_INITIAL_CLAIM_VALUE | The value of the claim to use for the initial user. For the default oid, the value usually corresponds to the unique ID of your user account. | |
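Because the initial claim name and value can only be corrected in the database once set, it is worth checking them against an ID token actually issued by your provider before the first start. The following added example (it is not part of the Camunda documentation or code base) decodes the payload of such a token, reads the claim named by IDENTITY_INITIAL_CLAIM_NAME and compares it with IDENTITY_INITIAL_CLAIM_VALUE. The sample token, its oid value and the function names are constructed for this example; only string-valued top-level claims in compact JSON are handled, and the signature is not validated, since this is an offline lookup in a token you already trust.

```bash
#!/bin/sh
# Added example (not Camunda code): read a claim out of an OIDC ID token so
# the configured IDENTITY_INITIAL_CLAIM_NAME / IDENTITY_INITIAL_CLAIM_VALUE
# pair can be checked against what the provider actually issues. Only
# string-valued top-level claims in compact JSON are handled (sed, not a
# JSON parser); the sample token below is constructed, not a real one.

# base64url -> bytes: restore the '+' and '/' alphabet and the '=' padding
# that JWTs strip.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the string value of claim $2 from the payload (second dot-separated
# segment) of token $1. Prints nothing and returns 1 when the claim is absent.
# The signature is deliberately not checked: this is an offline lookup in a
# token you already trust, not a token validator.
claim_from_id_token() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  value=$(b64url_decode "$payload" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p")
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# Return 0 when the token carries IDENTITY_INITIAL_CLAIM_NAME (default oid)
# with exactly the value in IDENTITY_INITIAL_CLAIM_VALUE, otherwise 1.
initial_claim_matches() {
  actual=$(claim_from_id_token "$1" "${IDENTITY_INITIAL_CLAIM_NAME:-oid}") || return 1
  [ "$actual" = "${IDENTITY_INITIAL_CLAIM_VALUE:-}" ]
}

# Constructed sample token: header, payload with an Entra-style oid, and a
# dummy signature segment. None of these values identify a real account.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"aud":"camunda-identity","oid":"00000000-0000-4000-8000-000000000001","name":"Example User","email":"user@example.test"}'
SAMPLE_TOKEN="$(b64url '{"alg":"none","typ":"JWT"}').$(b64url "$SAMPLE_PAYLOAD").signature"

# Demo: show which value IDENTITY_INITIAL_CLAIM_VALUE would need for this token.
echo "oid in sample token: $(claim_from_id_token "$SAMPLE_TOKEN" oid)"
```

To use it against a real token, paste the ID token into the variable in place of the constructed one; the value printed for your chosen claim is what IDENTITY_INITIAL_CLAIM_VALUE has to be set to.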

Component configuration

Identity supports component configuration using preset values. To configure a component for use within Identity, set two variables:

| Environment variable | Description | Default value |
| --- | --- | --- |
| KEYCLOAK_INIT_<COMPONENT>_SECRET | The secret used for authentication flows. | No default |
| KEYCLOAK_INIT_<COMPONENT>_ROOT_URL | The root URL of where the component is hosted. | No default |
| KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID | The client to create and use for the component. | <COMPONENT> |

note

Identity supports the following values for the <COMPONENT> placeholder: OPERATE, OPTIMIZE, TASKLIST, and WEBMODELER.

For the WEBMODELER value, only the KEYCLOAK_INIT_<COMPONENT>_ROOT_URL variable needs to be set.

For KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID, the default is the component name in lowercase, except for WEBMODELER, where it is web-modeler.
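The rules above (supported component names, the ROOT_URL-only exception for WEBMODELER and the lowercase client ID default) expressed as a small preflight check that can be run before Identity starts. This is an added example, not Camunda code; the function names, the secret and the example.test hosts in the demo are this example's own.

```bash
#!/bin/sh
# Added example (not Camunda code): resolve the default client ID for a
# KEYCLOAK_INIT_<COMPONENT>_* block and check that the variables the
# component needs are set before Identity is started. Function names and
# the sample values at the bottom are this example's own.

# Default for KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID: the component name in
# lowercase, except WEBMODELER, whose default client ID is web-modeler.
default_client_id() {
  case "$1" in
    WEBMODELER) printf '%s\n' web-modeler ;;
    *)          printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' ;;
  esac
}

# Print the names of the variables a component requires, one per line.
# WEBMODELER needs only its ROOT_URL; the other components need SECRET too.
required_vars() {
  case "$1" in
    OPERATE|OPTIMIZE|TASKLIST)
      printf 'KEYCLOAK_INIT_%s_SECRET\nKEYCLOAK_INIT_%s_ROOT_URL\n' "$1" "$1" ;;
    WEBMODELER)
      printf 'KEYCLOAK_INIT_%s_ROOT_URL\n' "$1" ;;
  esac
}

# Return 0 when every required variable for the component is set and
# non-empty; otherwise name each missing variable on stderr and return 1.
# Values are never printed, so the output is safe to keep in startup logs.
check_component() {
  comp=$1
  case "$comp" in
    OPERATE|OPTIMIZE|TASKLIST|WEBMODELER) ;;
    *) echo "unsupported component: $comp" >&2; return 1 ;;
  esac
  missing=0
  for var in $(required_vars "$comp"); do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "missing: $var" >&2
      missing=1
    fi
  done
  return $missing
}

# Demo with constructed values: a complete TASKLIST block and a WEBMODELER
# block that relies on the ROOT_URL-only rule.
KEYCLOAK_INIT_TASKLIST_SECRET=constructed-secret-value
KEYCLOAK_INIT_TASKLIST_ROOT_URL=http://tasklist.example.test
KEYCLOAK_INIT_WEBMODELER_ROOT_URL=http://modeler.example.test
for c in TASKLIST WEBMODELER; do
  if check_component "$c"; then
    echo "$c ok, client ID defaults to $(default_client_id "$c")"
  fi
done
```

Sourcing the file in the shell (or container entrypoint) that exports the KEYCLOAK_INIT_* variables and calling check_component for each component you enable reports missing variables by name without ever echoing a secret.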

Database configuration

Identity requires a database to store information about resource authorization and multi-tenancy.

| Environment variable | Description |
| --- | --- |
| IDENTITY_DATABASE_HOST | The host of the database. |
| IDENTITY_DATABASE_PORT | The port of the database. |
| IDENTITY_DATABASE_NAME | The name of the database to connect to. |
| IDENTITY_DATABASE_USERNAME | The username of a user with access to the database. |
| IDENTITY_DATABASE_PASSWORD | The password of a user with access to the database. |

note

There are no default values for the variables above. See supported environments for a list of supported databases.

Running Identity on Amazon Aurora PostgreSQL

Identity supports running on Amazon Aurora PostgreSQL. To connect Identity with your Amazon Aurora PostgreSQL instance, make the following configuration adjustments:

  1. Set the SPRING_DATASOURCE_URL environment variable to jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME].
  2. Add the environment variable SPRING_DATASOURCE_DRIVER_CLASS_NAME with the value software.amazon.jdbc.Driver.

For a full list of available driver parameters visit the AWS JDBC Driver documentation.

AWS IAM authentication

To use AWS Identity and Access Management (IAM) database authentication with your Amazon Aurora PostgreSQL instance, in addition to the adjustments described above, follow these steps:

  1. Modify the SPRING_DATASOURCE_URL environment variable as follows: jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?wrapperPlugins=iam.
  2. Modify the SPRING_DATASOURCE_USERNAME environment variable to match the database user you configured for AWS IAM authentication as described in the Amazon Aurora documentation.
  3. Remove the SPRING_DATASOURCE_PASSWORD environment variable.

Feature flags

Identity uses feature flag environment variables to enable and disable features; the supported flags are:

| Environment variable | Description | Default value |
| --- | --- | --- |
| RESOURCE_PERMISSIONS_ENABLED | Controls the resource authorizations feature. | false |
| MULTITENANCY_ENABLED | Controls the multi-tenancy feature. | false |
| USER_RESTRICTIONS_ENABLED | Controls the user task access restrictions feature in Tasklist. | true |

note

Setting any of the feature flags to true requires a database connection. To configure a database connection, see database configuration.
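The Amazon Aurora PostgreSQL steps (including the IAM variant) and the feature-flag database requirement from this page, combined into one preflight check as an added example; it is not Camunda code. It assembles SPRING_DATASOURCE_URL the way the steps describe, then verifies that an IAM-authenticated datasource carries the iam plugin, the AWS wrapper driver class and no leftover static password, and that a feature flag set to true has the IDENTITY_DATABASE_* connection configured. Function names, the example.test host names and the sample user are this example's own assumptions, as is the rule that IDENTITY_DATABASE_PASSWORD is not required when IAM authentication is configured; only explicitly set variables are inspected, the table defaults are not applied.

```bash
#!/bin/sh
# Added example (not Camunda code): put the Amazon Aurora PostgreSQL steps and
# the feature-flag database requirement from this page into a preflight check.
# Function names, the example.test host names and the sample user are this
# example's own; only explicitly set variables are inspected, defaults are
# not applied.

# SPRING_DATASOURCE_URL for Aurora PostgreSQL via the AWS JDBC wrapper; with
# iam=true the wrapperPlugins=iam parameter from the IAM section is appended.
aurora_datasource_url() {
  host=$1 port=$2 name=$3 iam=${4:-false}
  url="jdbc:aws-wrapper:postgresql://$host:$port/$name"
  if [ "$iam" = "true" ]; then
    url="$url?wrapperPlugins=iam"
  fi
  printf '%s\n' "$url"
}

# True when the configured datasource URL selects IAM authentication.
iam_auth_configured() {
  case "${SPRING_DATASOURCE_URL:-}" in
    *wrapperPlugins=iam*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check an IAM-authenticated datasource: wrapper driver, IAM database user and,
# since IAM hands out short-lived tokens, no static password left behind.
# Returns 0 when consistent; otherwise names each problem on stderr, returns 1.
check_iam_datasource() {
  ok=0
  iam_auth_configured \
    || { echo "SPRING_DATASOURCE_URL lacks wrapperPlugins=iam" >&2; ok=1; }
  [ "${SPRING_DATASOURCE_DRIVER_CLASS_NAME:-}" = "software.amazon.jdbc.Driver" ] \
    || { echo "SPRING_DATASOURCE_DRIVER_CLASS_NAME must be software.amazon.jdbc.Driver" >&2; ok=1; }
  [ -n "${SPRING_DATASOURCE_USERNAME:-}" ] \
    || { echo "SPRING_DATASOURCE_USERNAME (the IAM database user) is not set" >&2; ok=1; }
  [ -z "${SPRING_DATASOURCE_PASSWORD:-}" ] \
    || { echo "SPRING_DATASOURCE_PASSWORD is set; remove it when using IAM authentication" >&2; ok=1; }
  return $ok
}

# A feature flag set to true needs a database. Returns 0 when no flag is on
# or every IDENTITY_DATABASE_* variable is set; IDENTITY_DATABASE_PASSWORD is
# waived when IAM authentication is configured (this example's own rule).
check_feature_flag_database() {
  enabled=""
  for flag in RESOURCE_PERMISSIONS_ENABLED MULTITENANCY_ENABLED USER_RESTRICTIONS_ENABLED; do
    eval "v=\${$flag:-}"
    if [ "$v" = "true" ]; then
      enabled="$enabled $flag"
    fi
  done
  [ -n "$enabled" ] || return 0
  ok=0
  for var in IDENTITY_DATABASE_HOST IDENTITY_DATABASE_PORT IDENTITY_DATABASE_NAME \
             IDENTITY_DATABASE_USERNAME IDENTITY_DATABASE_PASSWORD; do
    if [ "$var" = IDENTITY_DATABASE_PASSWORD ] && iam_auth_configured; then
      continue
    fi
    eval "v=\${$var:-}"
    [ -n "$v" ] || { echo "$var is required by:$enabled" >&2; ok=1; }
  done
  return $ok
}

# Demo with constructed values: an IAM-authenticated Aurora datasource and the
# multi-tenancy flag enabled.
SPRING_DATASOURCE_URL=$(aurora_datasource_url identity-db.example.test 5432 identity true)
SPRING_DATASOURCE_DRIVER_CLASS_NAME=software.amazon.jdbc.Driver
SPRING_DATASOURCE_USERNAME=identity_iam_user
unset SPRING_DATASOURCE_PASSWORD
MULTITENANCY_ENABLED=true
IDENTITY_DATABASE_HOST=identity-db.example.test
IDENTITY_DATABASE_PORT=5432
IDENTITY_DATABASE_NAME=identity
IDENTITY_DATABASE_USERNAME=identity_iam_user
if check_iam_datasource && check_feature_flag_database; then
  echo "datasource preflight passed: $SPRING_DATASOURCE_URL"
fi
```

The password check is the one worth keeping even if you drop the rest: after switching to IAM authentication, a SPRING_DATASOURCE_PASSWORD left in a values file or container spec is a static credential that the application no longer needs but that still travels with the deployment.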