Configuration variables
As a Spring Boot application, Identity supports any standard Spring configuration method.
Core configuration
Environment variable | Description | Default value |
---|---|---|
IDENTITY_AUTH_PROVIDER_BACKEND_URL | Used to support container to container communication. | http://localhost:18080/auth/realms/camunda-platform |
IDENTITY_AUTH_PROVIDER_ISSUER_URL | Used to denote the token issuer. | http://localhost:18080/auth/realms/camunda-platform |
IDENTITY_BASE_PATH | Used to configure Identity to run on a subpath (requires HTTPS for IDENTITY_URL). | |
IDENTITY_CLIENT_ID | The client ID for the Identity client. | camunda-identity |
IDENTITY_CLIENT_SECRET | The client secret for the Identity client. | |
IDENTITY_LOG_LEVEL | The level at which to log messages. | INFO |
IDENTITY_LOG_PATTERN | The pattern to use when logging. | %clr{%d{yyyy-MM-dd HH:mm:ss.SSS}}{faint} %clr{%5p} %clr{${sys:PID}}{magenta} %clr{---}{faint} %clr{[%15.15t]}{faint} %clr{%-40.40c{1.}}{cyan} %clr{:}{faint} %m%n%xwEx |
IDENTITY_URL | The URL of the Identity service. | http://localhost:8080 |
KEYCLOAK_REALM | The name of the Keycloak Realm to connect to. | camunda-platform |
KEYCLOAK_SETUP_USER | The username of a user with admin access to Keycloak. | admin |
KEYCLOAK_SETUP_PASSWORD | The password of a user with admin access to Keycloak. | admin |
KEYCLOAK_SETUP_REALM | The realm that the setup user is in. | master |
KEYCLOAK_SETUP_CLIENT_ID | The client to use for authentication during setup of the provided Keycloak. | admin-cli |
KEYCLOAK_URL | The URL of the Keycloak instance to use. | http://localhost:18080/auth |
License configuration
Camunda 8 Self-Managed only
Installations of Camunda 8 Self-Managed which require a license can provide their license key to the components as an environment variable:
Environment variable | Description | Default value |
---|---|---|
CAMUNDA_LICENSE_KEY | Your Camunda 8 license key, if your installation requires a license. | None |
For Helm installations, license keys can be configured globally in your values.yaml file. See the Helm installation documentation for more details.
Camunda 8 components without a valid license may display Non-Production License in the navigation bar and issue warnings in the logs. These warnings have no impact on startup or functionality, with the exception that Web Modeler has a limitation of five users. To obtain a license, visit the Camunda Enterprise page.
OIDC configuration
Claims are name/value pairs used to represent an individual identity. Configure your initial claim and value to match the claim used with your OIDC provider. For example, to use your Microsoft Entra unique account ID, set IDENTITY_INITIAL_CLAIM_NAME to oid, and IDENTITY_INITIAL_CLAIM_VALUE to the ID.
Once set, you cannot update your initial claim name and value using environment or Helm values. You must change these values directly in the database.
Environment variable | Description | Default value |
---|---|---|
IDENTITY_INITIAL_CLAIM_NAME | The type of claim to use for the initial user. Examples can include oid, name or email. | oid |
IDENTITY_INITIAL_CLAIM_VALUE | The value of the claim to use for the initial user. For the default oid, the value usually corresponds to the unique ID of your user account. | |
Component configuration
Identity supports component configuration using preset values. To configure a component for use within Identity, set two variables:
Environment variable | Description | Default value |
---|---|---|
KEYCLOAK_INIT_<COMPONENT>_SECRET | The secret used for authentication flows. | No default |
KEYCLOAK_INIT_<COMPONENT>_ROOT_URL | The root URL of where the component is hosted. | No default |
KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID | The client to create and use for the component. | <COMPONENT> |
Identity supports the following values for the <COMPONENT> placeholder: OPERATE, OPTIMIZE, TASKLIST, and WEBMODELER.
For the WEBMODELER value, only the KEYCLOAK_INIT_<COMPONENT>_ROOT_URL variable is required to be set.
For the KEYCLOAK_INIT_<COMPONENT>_CLIENT_ID value, the default is the component name in lowercase, except for WEBMODELER, which is web-modeler.
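The following preflight check is an added example and not part of the Camunda documentation or the Identity code base. It applies the two rules stated above to a component's environment: it derives the default client ID (lowercase component name, web-modeler for WEBMODELER) and reports which required KEYCLOAK_INIT_<COMPONENT>_* variables are missing, treating ROOT_URL as the only mandatory variable for WEBMODELER and requiring SECRET as well for the other components. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the Camunda docs): preflight check for the
# KEYCLOAK_INIT_<COMPONENT>_* variables. Function names are assumptions.

# Default client ID for a component, following the rule in the text:
# lowercase component name, except WEBMODELER -> web-modeler.
default_client_id() {
  case "$1" in
    WEBMODELER) echo "web-modeler" ;;
    *) echo "$1" | tr '[:upper:]' '[:lower:]' ;;
  esac
}

# Print the variables that must be set for a component, one per line.
# Only ROOT_URL is mandatory for WEBMODELER; the others need SECRET too.
required_vars() {
  comp="$1"
  echo "KEYCLOAK_INIT_${comp}_ROOT_URL"
  if [ "$comp" != "WEBMODELER" ]; then
    echo "KEYCLOAK_INIT_${comp}_SECRET"
  fi
}

# Check one component's environment. Prints each missing variable name,
# returns 0 when the configuration is complete and 1 otherwise.
# Usage: check_component OPERATE
check_component() {
  comp="$1"
  status=0
  for v in $(required_vars "$comp"); do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v"
      status=1
    fi
  done
  return $status
}
```

Run `check_component` once per component you enable before starting Identity; an empty secret for OPERATE, OPTIMIZE or TASKLIST is reported as missing rather than silently accepted, since KEYCLOAK_INIT_<COMPONENT>_SECRET has no default.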
Database configuration
Identity requires a database to store information about resource authorization and multi-tenancy.
Environment variable | Description |
---|---|
IDENTITY_DATABASE_HOST | The host of the database. |
IDENTITY_DATABASE_PORT | The port of the database. |
IDENTITY_DATABASE_NAME | The name of the database to connect to. |
IDENTITY_DATABASE_USERNAME | The username of a user with access to the database. |
IDENTITY_DATABASE_PASSWORD | The password of a user with access to the database. |
There are no default values for the variables above. See supported environments for a list of supported databases.
Running Identity on Amazon Aurora PostgreSQL
Identity supports running on Amazon Aurora PostgreSQL. To connect Identity with your Amazon Aurora PostgreSQL instance, make the following configuration adjustments:
- Modify the SPRING_DATASOURCE_URL environment variable: jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME].
- Add the environment variable SPRING_DATASOURCE_DRIVER_CLASS_NAME with the value software.amazon.jdbc.Driver.
For a full list of available driver parameters visit the AWS JDBC Driver documentation.
AWS IAM authentication
To use AWS Identity and Access Management (IAM) database authentication with your Amazon Aurora PostgreSQL instance, in addition to the adjustments described above, follow these steps:
- Modify the SPRING_DATASOURCE_URL environment variable as follows: jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?wrapperPlugins=iam.
- Modify the SPRING_DATASOURCE_USERNAME environment variable to match the database user you configured for AWS IAM authentication as described in the Amazon Aurora documentation.
- Remove the SPRING_DATASOURCE_PASSWORD environment variable.
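The script below is an added example, not Camunda's own code, that assembles the Spring datasource environment for both procedures above (plain Aurora PostgreSQL and Aurora with IAM authentication). In IAM mode it appends wrapperPlugins=iam to the JDBC URL, omits SPRING_DATASOURCE_PASSWORD, and refuses to run if a password is still present in the calling environment, so a static credential is not shipped alongside token-based authentication. The function names and the sample host, port, database and user are assumptions.

```shell
#!/bin/sh
# Added example (not Camunda's code): build the SPRING_DATASOURCE_*
# environment for Identity on Aurora PostgreSQL. Function names assumed.

# Compose the JDBC URL for the AWS wrapper driver. With use_iam=1 the
# wrapperPlugins=iam parameter is appended so the driver obtains an IAM
# token instead of sending a static password.
datasource_url() {
  host="$1"; port="$2"; name="$3"; use_iam="${4:-0}"
  url="jdbc:aws-wrapper:postgresql://${host}:${port}/${name}"
  if [ "$use_iam" = "1" ]; then
    url="${url}?wrapperPlugins=iam"
  fi
  echo "$url"
}

# Print the environment lines to hand to the Identity container.
# Arguments: host port db_name db_user [use_iam]
# In IAM mode SPRING_DATASOURCE_PASSWORD is never emitted, and a value
# left over in the caller's environment is treated as a misconfiguration.
datasource_env() {
  host="$1"; port="$2"; name="$3"; user="$4"; use_iam="${5:-0}"
  if [ "$use_iam" = "1" ] && [ -n "${SPRING_DATASOURCE_PASSWORD:-}" ]; then
    echo "refusing: SPRING_DATASOURCE_PASSWORD is set but IAM auth was requested" >&2
    return 1
  fi
  if [ "$use_iam" != "1" ] && [ -z "${SPRING_DATASOURCE_PASSWORD:-}" ]; then
    echo "refusing: SPRING_DATASOURCE_PASSWORD is required without IAM auth" >&2
    return 1
  fi
  echo "SPRING_DATASOURCE_URL=$(datasource_url "$host" "$port" "$name" "$use_iam")"
  echo "SPRING_DATASOURCE_DRIVER_CLASS_NAME=software.amazon.jdbc.Driver"
  echo "SPRING_DATASOURCE_USERNAME=${user}"
  if [ "$use_iam" != "1" ]; then
    echo "SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD}"
  fi
}

# Usage (sample values): datasource_env db.example.internal 5432 identity identity_iam_user 1
```

Redirect the output to an env file for your container runtime; the IAM branch relies on the task or instance role that the AWS JDBC driver uses to request the token, which is configured outside Identity.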
Feature flags
Identity uses feature flag environment variables to enable and disable features; the supported flags are:
Environment variable | Description | Default value |
---|---|---|
RESOURCE_PERMISSIONS_ENABLED | Controls the resource authorizations feature. | false |
MULTITENANCY_ENABLED | Controls the multi-tenancy feature. | false |
USER_RESTRICTIONS_ENABLED | Controls the user task access restrictions feature in Tasklist. | true |
Setting either of the feature flags to true requires a database connection. To configure a database connection, see database configuration.