Using Environment Variables

The structure of the Gateway installation command when using environment variables should be the following:

docker run -d -p 8000:8000 -p 8200:8200 -p 18888:18888 -p 8080:8080 -p 8081:8081 -p 5696:5696 -e ENV_VARIABLE_1="value1" -e ENV_VARIABLE_2="value2" -v /HOST/PATH/TO/FILE:/GATEWAY/PATH/TO/FILE --name akeyless-gw akeyless/base



To change anything in your Gateway installation through environment variables, you must first stop and remove the Gateway container, and then create a new Gateway container with the desired attributes specified in the environment variables.

Initial Gateway Configuration with Environment Variables

Environment variables enable the user to install the Gateway with some pre-defined parameters:

Environment Variable

Allowed Values


This variable allows you to instantly set Admin credentials for the new Gateway instance.

It needs to be combined either with the ADMIN_ACCESS_KEY variable, or with the ADMIN_PASSWORD variable, depending on the authentication method.

“email” or “access-id”

access-id can be either an API Key or a CSP IAM (aws_iam, azure_ad, gcp_gce)



access-key needs to match the access-id



password needs to match the email


This variable allows adding several Authentication Methods as Admins of the Gateway instance.


This variable can also work with sub-claims (when a shared authentication method is used in the organization, e.g., SAML):

  1. Two Authentication Methods, one sub-claim:

"access-id-1 subClaimkey1=subClaimVal1,access-id-2 subClaimkey1=subClaimVal1"

  2. One Authentication Method, two sub-claims:

"access-id-1 subClaimkey1=subClaimVal1,access-id-1 subClaimkey2=subClaimVal2"

In this case, the "access-id" belongs to the Authentication Method created for the particular Identity Provider.

If you don't specify the sub-claims, every user authenticated by this IDP will be able to log in to the Gateway with admin privileges.



When you use the ALLOWED_ACCESS_IDS variable to set up access to your Gateway using a shared authentication method, you must provide relevant sub-claims.

Otherwise, all users authenticated by the Identity Provider with a given access-id will be able to log in to your Gateway and configure it.
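
A pre-deployment check for the sub-claim requirement above, as an added example that is not part of the original documentation. The entry grammar (comma-separated entries, each an access-id followed by whitespace and key=value) is inferred from the two examples on this page, and the function names are hypothetical. An entry with no sub-claim is listed for review, because it is only too broad when the access-id belongs to a shared authentication method.

```shell
#!/bin/sh
# Added example: lint an ALLOWED_ACCESS_IDS value before passing it to
# `docker run -e ALLOWED_ACCESS_IDS=...`.
# Assumed grammar (inferred from the page's examples):
#   "<access-id> <claimKey>=<claimVal>", entries separated by commas.

# Prints one access-id per line for every entry that carries no sub-claim.
unscoped_access_ids() {
  (
    set -f      # no filename globbing while splitting the value
    IFS=','     # split entries on commas (subshell keeps the caller's IFS intact)
    for entry in $1; do
      # Trim leading and trailing whitespace from the entry.
      entry=${entry#"${entry%%[![:space:]]*}"}
      entry=${entry%"${entry##*[![:space:]]}"}
      [ -n "$entry" ] || continue
      id=${entry%%[[:space:]]*}     # first token is the access-id
      rest=${entry#"$id"}           # whatever follows it
      case $rest in
        *[![:space:]=]=[![:space:]]*) ;;   # has a non-empty key=value sub-claim
        *) printf '%s\n' "$id" ;;          # bare access-id or empty claim value
      esac
    done
  )
}

# Returns 0 when every entry is scoped by a sub-claim, 1 otherwise.
all_entries_scoped() {
  [ -z "$(unscoped_access_ids "$1")" ]
}

# Constructed sample: the first entry follows the page's example, the second
# entry is a bare access-id with no sub-claim.
SAMPLE_MIXED='access-id-1 subClaimkey1=subClaimVal1, access-id-2'

if ! all_entries_scoped "$SAMPLE_MIXED"; then
  echo "review before deploy (no sub-claim): $(unscoped_access_ids "$SAMPLE_MIXED")"
fi
```
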

Environment Variable

Allowed Values


This variable allows creating a Gateway instance with a custom Cluster Name instead of the default one.



This variable allows creating a Gateway instance with a custom Display Name (you can set it through the Console as well).




Please keep in mind that changing the Access ID or Cluster Name of your Gateway will create an entirely new Gateway instance, and it will not be able to retrieve the settings and data from the previously removed instance.

That’s why we recommend setting up a meaningful Cluster Name for your Gateway instance from the very beginning.

Environment Variable

Allowed Values


This variable allows for encrypting the configuration of your Gateway with the encryption key that you have already created in the Console.

By default, the Gateway configuration is encrypted with the default Account key created and managed by Akeyless.



This variable allows for using a specific version of the Akeyless Gateway application.


Configuring TLS with Environment Variables

Environment Variable

Allowed Values


This variable enables TLS for the Gateway Console.



This variable enables TLS for the Gateway Configuration Manager.



This variable enables TLS for the HPV.



This variable enables TLS for Akeyless API Services.


A TLS certificate and a TLS private key in PEM format need to be mounted to the Gateway target directory using the following attributes. The example below mounts the TLS certificate and key from the present working directory.

  • -v $PWD/cert.crt:/var/akeyless/conf/api-proxy/akeyless-api-cert.crt
  • -v $PWD/key.pem:/var/akeyless/conf/api-proxy/akeyless-api-cert.key

Configuring the Cache with Environment Variables

Environment Variable

Allowed Values


This variable enables Gateway caching.



This variable enables Proactive caching.



This variable sets the amount of time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period.



This variable instructs the system to update secrets in the cache if they are older than the specified value.



This variable sets the amount of time (in minutes) between two consecutive backups of cached secrets.

