Configuration variables
As Identity is a Spring Boot application, you may use the standard Spring configuration methods.
Core configuration
| Environment variable | Description | Default value |
|---|---|---|
IDENTITY_AUTH_PROVIDER_BACKEND_URL | Used to support container to container communication. | http://localhost:18080/auth/realms/camunda-platform |
IDENTITY_AUTH_PROVIDER_ISSUER_URL | Used to denote the token issuer. | http://localhost:18080/auth/realms/camunda-platform |
IDENTITY_BASE_PATH | Used to configure Identity to run on a subpath (Requires HTTPs for IDENTITY_URL). | |
IDENTITY_CLIENT_ID | The client ID for the Identity client. | camunda-identity |
IDENTITY_CLIENT_SECRET | The client secret for the Identity client. | |
IDENTITY_LOG_LEVEL | The level of which to log messages at. | INFO |
IDENTITY_LOG_PATTERN | The pattern to use when logging. | %clr{%d{yyyy-MM-dd HH:mm:ss.SSS}}{faint} %clr{%5p} %clr{${sys:PID}}{magenta} %clr{---}{faint} %clr{[%15.15t]}{faint} %clr{%-40.40c{1.}}{cyan} %clr{:}{faint} %m%n%xwEx |
IDENTITY_URL | The URL of the Identity service. | http://localhost:8080 |
KEYCLOAK_REALM | The name of the Keycloak Realm to connect to. | camunda-platform |
KEYCLOAK_SETUP_USER | The username of a user with admin access to Keycloak. | admin |
KEYCLOAK_SETUP_PASSWORD | The password of a user with admin access to Keycloak. | admin |
KEYCLOAK_SETUP_REALM | The realm that the setup user is in. | master |
KEYCLOAK_SETUP_CLIENT_ID | The client to use for authentication during setup of the provided Keycloak. | admin-cli |
KEYCLOAK_URL | The URL of the Keycloak instance to use. | http://localhost:18080/auth |
OIDC configuration
| Evnironment variable | Description | Default value |
|---|---|---|
| IDENTITY_INITIAL_CLAIM_NAME | The name of the claim to use for the initial user. | oid |
| IDENTITY_INITIAL_CLAIM_VALUE | The value of the claim to use for the initial user. |
Component configuration
Identity supports component configuration using preset values. To configure a component for use within Identity, set two variables:
| Environment variable | Description | Default value |
|---|---|---|
KEYCLOAK_INIT_<COMPONENT>_SECRET | The secret used for authentication flows. | No default |
KEYCLOAK_INIT_<COMPONENT>_ROOT_URL | The root URL of where the component is hosted. | No default |
KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID | The client to create and use for the component. | <COMPONENT> |
Identity supports the following values for the <COMPONENT> placeholder: OPERATE, OPTIMIZE, TASKLIST,
and WEBMODELER.
For the WEBMODELER value, only the KEYCLOAK_INIT_<COMPONENT>_ROOT_URL variable is required to be set.
For the KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID value, the default is the component name in lowercase except
for WEBMODELER, which isweb-modeler.
Database configuration
Identity requires a database to store information about resource authorization and multi-tenancy.
| Environment variable | Description |
|---|---|
IDENTITY_DATABASE_HOST | The host of the database. |
IDENTITY_DATABASE_PORT | The port of the database. |
IDENTITY_DATABASE_NAME | The name of the database to connect to. |
IDENTITY_DATABASE_USERNAME | The username of a user with access to the database. |
IDENTITY_DATABASE_PASSWORD | The password of a user with access to the database. |
There are no default values for the variables above. See supported environments for a list of supported databases.
Running Identity on Amazon Aurora PostgreSQL
Identity supports running on Amazon Aurora PostgreSQL. To connect Identity with your Amazon Aurora PostgreSQL instance, make the following configuration adjustments:
- Modify the
SPRING_DATASOURCE_URLenvironment variable:jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]. - Add the environment variable
SPRING_DATASOURCE_DRIVER_CLASS_NAMEwith the valuesoftware.amazon.jdbc.Driver.
For a full list of available driver parameters visit the AWS JDBC Driver documentation.
AWS IAM authentication
To use AWS Identity and Access Management (IAM) database authentication with your Amazon Aurora PostgreSQL instance, in addition to the adjustments described above, follow these steps:
- Modify the
SPRING_DATASOURCE_URLenvironment variable as follows:jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?wrapperPlugins=iam. - Modify the
SPRING_DATASOURCE_USERNAMEenvironment variable to match the database user you configured for AWS IAM authentication as described in the Amazon Aurora documentation. - Remove the
SPRING_DATASOURCE_PASSWORDenvironment variable.
Feature flags
Identity uses feature flag environment variables to enable and disable features; the supported flags are:
| Environment variable | Description | Default value |
|---|---|---|
| RESOURCE_PERMISSIONS_ENABLED | Controls the resource authorizations feature. | false |
| MULTITENANCY_ENABLED | Controls the multi tenancy feature. | false |
| USER_RESTRICTIONS_ENABLED | Controls the user task access restrictions feature in Tasklist. | true |
Setting either of the feature flags to true requires a database connection. To configure a database
connection, see database configuration.