Using Environment Variables

The Gateway installation command with environment variables has the following structure:

docker run -d -p 8000:8000 -p 8200:8200 -p 18888:18888 -p 8080:8080 -p 8081:8081 -p 5696:5696 -e ENV_VARIABLE_1="value1" -e ENV_VARIABLE_2="value2" -v /HOST/PATH/TO/FILE:/GATEWAY/PATH/TO/FILE --name akeyless-gw akeyless/base

📘 NOTE

To change a setting in your Gateway installation through environment variables, first stop and remove the Gateway container, then create a new Gateway container with the desired attributes specified in the environment variables.

Initial Gateway Configuration with Environment Variables

Environment variables enable the user to install the Gateway with some pre-defined parameters:

| Environment Variable | Description | Allowed Values |
|---|---|---|
| -e ADMIN_ACCESS_ID | This variable lets you set Admin credentials for the new Gateway instance right away. It needs to be combined either with the ADMIN_ACCESS_KEY variable, or with the ADMIN_PASSWORD variable, depending on the authentication method. | "email" or "access-id". access-id can be either an API Key or a CSP IAM (aws_iam, azure_ad, gcp_gce) |
| -e ADMIN_ACCESS_KEY | | "access-key". access-key needs to match the access-id |
| -e ADMIN_PASSWORD | | "password". password needs to match the email |
| -e ALLOWED_ACCESS_IDS | This variable allows adding several Authentication Methods as Admins of the Gateway instance. | "access-id-1,access-id-2" |

ALLOWED_ACCESS_IDS can also work with sub-claims (when a shared authentication method is used in the organization, e.g., SAML):

  1. Two Authentication Methods, one sub-claim:

"access-id-1 subClaimkey1=subClaimVal1,access-id-2 subClaimkey1=subClaimVal1"

  2. One Authentication Method, two sub-claims:

"access-id-1 subClaimkey1=subClaimVal1,access-id-1 subClaimkey2=subClaimVal2"

In this case, the "access-id" belongs to the Authentication Method created for the particular Identity Provider.

If you don't specify the sub-claims, every user authenticated by this IDP will be able to log in to the Gateway with admin privileges.

🚧 IMPORTANT

When you use the ALLOWED_ACCESS_IDS variable to set up access to your Gateway using a shared authentication method, you must provide relevant sub-claims.

Otherwise, all users authenticated by the Identity Provider with a given access-id will be able to log in to your Gateway and configure it.
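
A pre-flight check for the sub-claim requirement above, as an added example that is not part of the Akeyless documentation. The function name, the OPEN/MALFORMED labels and the operator-supplied list of shared access-ids are assumptions of this example; the sample value is constructed.

```shell
#!/bin/sh
# Lint an ALLOWED_ACCESS_IDS value before passing it to `docker run -e`.
# Prints one finding per line and returns 1 if anything was found.
#   $1  the value: "id [key=val],id [key=val],..."
#   $2  space-separated access-ids of shared (IdP-backed) authentication
#       methods; supplied by the operator (assumption of this example)
lint_allowed_access_ids() {
    value=$1 shared=$2 findings=0
    old_ifs=$IFS
    IFS=,
    set -f                       # no globbing while splitting on commas
    for entry in $value; do
        IFS=$old_ifs
        # Trim whitespace around the entry.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        id=${entry%% *}          # text before the first space
        claim=
        case $entry in *' '*) claim=${entry#* } ;; esac
        if [ -n "$claim" ]; then
            case $claim in
                ?*=?*) ;;        # well-formed key=value sub-claim
                *) echo "MALFORMED $id: sub-claim '$claim' is not key=value"
                   findings=1 ;;
            esac
            continue
        fi
        # No sub-claim: a problem only if the id is a shared method.
        for s in $shared; do
            if [ "$s" = "$id" ]; then
                echo "OPEN $id: shared method without sub-claim, every user it authenticates is a Gateway admin"
                findings=1
            fi
        done
    done
    IFS=$old_ifs
    set +f
    return $findings
}

# Constructed sample: access-id-1 is a shared SAML method, access-id-2 an API key.
SAMPLE='access-id-1 subClaimkey1=subClaimVal1,access-id-1,access-id-2'
lint_allowed_access_ids "$SAMPLE" 'access-id-1' \
    || echo "fix ALLOWED_ACCESS_IDS before creating the Gateway container"
```

A single entry without a sub-claim is enough to open admin access for a shared method, even when other entries for the same access-id carry sub-claims, which is why the sample is flagged.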

| Environment Variable | Description | Allowed Values |
|---|---|---|
| -e CLUSTER_NAME | This variable allows creating a Gateway instance with a custom Cluster Name instead of the default one. | "custom-cluster-name" |
| -e INITIAL_DISPLAY_NAME | This variable allows creating a Gateway instance with a custom Display Name (you can set it through the Console as well). | "custom-display-name" |

🚧 IMPORTANT

Please keep in mind that changing the Access ID or Cluster Name of your Gateway will create an entirely new Gateway instance, and it will not be able to retrieve the settings and data from the previously removed instance.

That’s why we recommend setting up a meaningful Cluster Name for your Gateway instance from the very beginning.

| Environment Variable | Description | Allowed Values |
|---|---|---|
| -e CONFIG_PROTECTION_KEY_NAME | This variable allows for encrypting the configuration of your Gateway with the encryption key that you have already created in the Console. By default, the Gateway configuration is encrypted with the default Account key created and managed by Akeyless. | "encryption-key-name" |
| -e VERSION | This variable allows for using a specific version of the Akeyless Gateway application. | "gw-application-version-number" |

Configuring TLS with Environment Variables

| Environment Variable | Description | Allowed Values |
|---|---|---|
| -e ENABLE_TLS | This variable enables TLS for the Gateway Console. | "true" |
| -e ENABLE_TLS_CONFIGURE | This variable enables TLS for the Gateway Configuration Manager. | "true" |
| -e ENABLE_TLS_HVP | This variable enables TLS for the HVP. | "true" |
| -e ENABLE_TLS_CURL | This variable enables TLS for Akeyless API Services. | "true" |

A TLS certificate and a TLS private key in PEM format need to be mounted to the Gateway target directory using the following attributes. The example below mounts the TLS certificate and key from the current working directory ($PWD).

  • -v $PWD/cert.crt:/var/akeyless/conf/api-proxy/akeyless-api-cert.crt
  • -v $PWD/key.pem:/var/akeyless/conf/api-proxy/akeyless-api-cert.key

Configuring the Cache with Environment Variables

| Environment Variable | Description | Allowed Values |
|---|---|---|
| -e CACHE_ENABLE | This variable enables Gateway caching. | "true" |
| -e PROACTIVE_CACHE_ENABLE | This variable enables Proactive caching. | "true" |
| -e CACHE_TTL | This variable sets the amount of time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period. | "numeric-value-minutes" |
| -e PROACTIVE_CACHE_MINIMUM_FETCHING_TIME | This variable instructs the system to update secrets in the cache if they are older than the specified value. | "numeric-value-minutes" |
| -e PROACTIVE_CACHE_DUMP_INTERVAL | This variable sets the amount of time (in minutes) between two consecutive backups of cached secrets. | "numeric-value-minutes" |

