Skip to main content

Configuration Reference

Client Configuration

host: "localhost:8080"
FieldTypeDescription
hoststringGuardian server host (<host>:<port>)

Server Configuration

port: 8080
grpc:
timeout_in_seconds: 5
max_call_recv_msg_size: 33554432
max_call_send_msg_size: 33554432

encryption_secret_key: "<secret-key>"
notifier:
provider: "slack"
access_token: "<slack-access-token>"
slack_config: "{\"workspaces\":[{\"workspace\":\"ws-1\",\"access_token\":\"xxxx-000-xxxx\",\"criteria\":\"$email contains '@gotocompany.com'\"}]}"
messages:
expiration_reminder: "Your access {{.account_id}} to {{.resource_name}} with role {{.role}} will expire at {{.expiration_date}}. Extend the access if it's still needed"
appeal_approved: "Your appeal to {{.resource_name}} with role {{.role}} has been approved"
appeal_rejected: "Your appeal to {{.resource_name}} with role {{.role}} has been rejected"
access_revoked: "Your access to {{.resource_name}}} with role {{.role}} has been revoked"
approver_notification: "You have an appeal created by {{.requestor}} requesting access to {{.resource_name}} with role {{.role}}. Appeal ID: {{.appeal_id}}"
others_appeal_approved: "Your appeal to {{.resource_name}} with role {{.role}} created by {{.requestor}} has been approved"
log_level: "info"
db:
host: "localhost"
user: "postgres"
password: ""
name: "postgres"
port: "5432"
sslmode: "disable"
log_level: "info"
authenticated_user_header_key: "X-Auth-Email"
audit_log_trace_id_header_key: "X-Trace-Id"
jobs:
fetch_resources:
enabled: true
interval: "0 */2 * * *"
revoke_expired_grants:
enabled: true
interval: "*/20 * * * *"
expiring_grant_notification:
enabled: true
interval: "0 9 * * *"
telemetry:
enabled: true
service_name: "guardian"
# Example for new relic
exporter: otlp
otlp:
headers:
api-key: <YOUR-LICENSE-KEY>
endpoint: "otlp.nr-data.net:4317"

Config

FieldTypeDescription
portintServer Listen Port (eg: 8080)
encryption_secret_keystringEncryption secret key encrypt and decrypt credentials
notifierObject(NotifierConfig)Notification Configuration
log_levelstringLog level (default: info)
dbObject(DatabaseConfig)Database configuration
authenticated_user_header_keystringHeader key name for authenticated user (eg: X-Auth-Email)
audit_log_trace_id_header_keystringHeader key name for trace id (eg: X-Trace-Id)
jobsObject(Jobs)Server Jobs Configuration

GRPCConfig

FieldTypeDescription
timeout_in_secondsintGRPC Timeout in seconds (default: 5)
max_call_recv_msg_sizeintmaximum message size the server can receive in bytes. (default = 33554432 (32MB))
max_call_send_msg_sizeintmaximum message size the server can send in bytes. (default = 33554432 (32MB))

NotifierConfig

FieldTypeDescription
providerstringProvider for notification (Only slack supported for now)
access_tokenstringAccess Token for notification provider (eg: slack access token). Required if slack_config is not present
messagesObject(NotificationMessages)Message templates configuration
slack_configstringSlack configuration in json format. Required if access_token is not present

NotificationMessages

FieldTypeDescription
expiration_reminderstringMessage template for expiration reminder
appeal_approvedstringMessage template for appeal approved
appeal_rejectedstringMessage template for appeal rejected
access_revokedstringMessage template for access revoked
approver_notificationstringMessage template for approver notification
others_appeal_approvedstringMessage template for other appeal approved

DatabaseConfig

FieldTypeDescription
hoststringDatabase host
userstringDatabase user
passwordstringDatabase password
namestringDatabase name
portstringDatabase port
sslmodestringDatabase sslmode
log_levelstringDatabase log_level

Jobs

FieldTypeDescription
fetch_resourcesObject(JobConfig)When Enabled, the Guardian server fetches resources from the providers and updated the database.
revoke_expired_grantsObject(JobConfig)When Enabled, the Guardian server will revoke the user permissions for the resource
expiring_grant_notificationObject(JobConfig)When Enabled, the Guardian server will notify the user on the notifier (currently slack only) before the user appeal is about to expire. The user gets notified before 7 days, 3 days and 1 day of appeal expiry

JobConfig

FieldTypeDescription
enabledbooleanJob Enabled
intervalstringJob interval (cron format, eg: 0 */2 * * *)

Using environment variables

All the configs can be passed as environment variables using underscore _ as the delimiter between nested keys. See the following examples

Configuration keyEnvironment variable
notifier.providerNOTIFIER_PROVIDER

Set the env variable using export

export NOTIFIER_PROVIDER=slack