/
example_config_base.yaml
212 lines (187 loc) · 8.5 KB
/
example_config_base.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
# Warning: The following configuration file is an example, and it is insecure by default. Please carefully
# review and change values accordingly before deploying to a production environment. You are responsible
# for your deployment.
# Enter your team's e-mail address here. This e-mail will be used as the default approvers of IAM policy requests
application_admin: consoleme_admins@example.com
# These are the tornado settings. Set `debug` to false in production.
tornado:
debug: true
port: 8081
xsrf: true
xsrf_cookie_kwargs:
samesite: strict
# ConsoleMe needs to know about your AWS accounts. ConsoleMe can retrieve a list of your accounts from the following
# sources:
# 1) Your local configuration file (See the account_ids_to_name key below)
# 2) AWS Organizations (See the cache_accounts_from_aws_organizations key below)
# 3) Swag ( https://github.com/Netflix-Skunkworks/swag-api) (See the retrieve_accounts_from_swag key below)
# 4) Your current AWS credentials. If you do not configure any sources to retrieve information about your AWS accounts,
# ConsoleMe will use the current credentials and attempt to determine account information. If Celery tasks are ran,
# ConsoleMe will attempt to sync resources from this account.
#account_ids_to_name:
# "123456789012": default_account
# "123456789013": prod
# "123456789014": test
# ConsoleMe can cache account, org structure, and SCPs from AWS Organizations in one or more accounts
#cache_accounts_from_aws_organizations:
# # This is the account ID of your AWS organizations master
# - organizations_master_account_id: "123456789012"
# # This is the name of the role that consoleme will attempt to assume on your Organizations master account to retrieve
# # account information. Ensure that ConsoleMe can assume this role, and that this role has the permissions:
# # organizations:DescribeAccount
# # organizations:DescribeOrganizationalUnit
# # organizations:DescribePolicy
# # organizations:ListAccounts
# # organizations:ListChildren
# # organizations:ListPolicies
# # organizations:ListRoots
# # organizations:ListTargetsForPolicy
# organizations_master_role_to_assume: "ConsoleMe"
#retrieve_accounts_from_swag:
# base_url: 'https://your_swag_url/'
# The `cloud_credential_authorization_mapping` configuration is where you would define the IAM role tags that dictate
# which users/groups are authorized to access the role. The tag keys are defined below.
# The tag values should be set to a colon-delimited list of users or groups (Commas are not valid in tag values).
# Users/groups defined in the `authorized_groups_tags` tag can retrieve credentials from ConsoleMe either via the CLI
# or the web interface. Users/groups defined in the `authorized_groups_cli_only_tags` tag can only retreive credentials
# via the CLI, and will not see the roles in ConsoleMe's UI. This is useful to keep the UI uncluttered.
# Example IAM role tags:
# consoleme-authorized=user1@example.com:group2@example.com
# consoleme-owner-dl=appowner@example.com
# consoleme-authorized-cli-only=group3@example.com
cloud_credential_authorization_mapping:
role_tags:
enabled: true
authorized_groups_tags:
- consoleme-authorized
authorized_groups_cli_only_tags:
- consoleme-owner-dl
- consoleme-authorized-cli-only
aws:
issuer: YourCompany
region: "us-east-1"
celery:
# Some jobs should only run in one region. The `active_region` key should define your primary region.
active_region: us-west-2
# If you want to retrieve credentials through mutual TLS, you'll need to use something fronting ConsoleMe to do the
# certificate validation. It should pass down a "Success" header, and a header with the certificate. You'll need to
# implement your own certificate parsing logic.
# Refer to consoleme/default_plugins/plugins/auth/auth.py
cli_auth:
certificate_header: certificate_header
required_headers:
- RequiredMTLSHeader: RequiredMTLSHeaderValue
# This is where you can define groups that can modify ConsoleMe's dynamic configuration and administer
# IAM/S3/SQS/SNS policies.
groups:
can_edit_config:
- configeditors@example.com
can_admin_policies:
- consoleme_admins@example.com
jwt:
email_key: email
#groups:
# can_admin:
# - admin@example.com
# can_admin_policies:
# - admin@example.com
# developement_notification_emails:
# - developer@example.com
# can_edit_config:
# - configeditors@example.com
# can_edit_policies:
# - policyeditors@example.com
# You can define support contact information and custom documentation here. This information is displayed in ConsoleMe's
# sidebar.
support_contact: consoleme-support@example.com
support_chat_url: https://www.example.com/slack/channel
documentation_page: https://github.com/Netflix/consoleme/
# If you wish to override the entry-points to any of the default plugins with your own
# plugin set that you `pip install`ed into ConsoleMe, you can modify this configuration to point to the applicable
# entry point
#plugins:
# auth: default_auth
# aws: default_aws
# group_mapping: default_group_mapping
# internal_celery_tasks: default_celery_tasks
# metrics: default_metrics
# internal_config: config
# internal_routes: default_internal_routes
# internal_policies: default_policies
logging_levels:
asyncio: WARNING
boto3: CRITICAL
boto: CRITICAL
botocore: CRITICAL
elasticsearch.trace: ERROR
elasticsearch: ERROR
nose: CRITICAL
parso.python.diff: WARNING
s3transfer: CRITICAL
spectator.HttpClient: WARNING
spectator.Registry: WARNING
urllib3: ERROR
#policies:
# role_name: ConsoleMeRole
#sso:
# enabled: true
# jwk_url: https://provider.example.com/ext/oauth/something/jwks
# jwk_schema:
# header:
# alg:
# enum:
# - RS512
# payload:
# iss:
# enum:
# - https://provider.example.com
# Note: Do not put anything sensitive in the self_service_iam key. This will be exposed to the frontend UI
#self_service_iam:
# Reference the default values provided in consoleme/lib/defaults.py as SELF_SERVICE_IAM_DEFAULTS
# In your deployment, you'll probably want to move these to Dynamic Configuration at
# https://YOUR_CONSOLEME_DOMAIN/config
#permission_templates:
# Reference the default values provided in consoleme/lib/defaults.py as PERMISSION_TEMPLATE_DEFAULTS
# SES configuration is necessary for ConsoleMe to send e-mails to your users. ConsoleMe sends e-mails to notify
# administrators and requesters about policy requests applicable to them.
ses:
support_reference: "Please contact us at consoleme@example.com if you have any questions or concerns."
arn: "arn:aws:ses:us-east-1:123456789012:identity/example.com"
region: "us-west-2"
consoleme:
name: ConsoleMe
sender: consoleme_test@example.com
# Challenge URL authentication is used to authenticate users from CLI clients (like Weep).
challenge_url:
enabled: true
# This section specifies which roles consoleme is allowed to pull, cache & display. There may still be workarounds via
# cURL to create requests directly against consoleme. If you have to block cURL requests for requests against specific
# roles, it's probably best to enforce IAM permissions for consoleme to only modify specific roles. You should only
# need one or the other parameter defined below
# Parameters:
# allowed_tags: map[string]string: if non-empty, consoleme will only consider roles tags mapped here
# allowed_arns: list[string]: if non-empty, consoleme will only consider the role arns in this list
# allowed_tag_keys: list[string]: if non-empty, consoleme will only consider roles with a tag key mapped here
# roles:
# allowed_tags: {}
# allowed_arns: []
# allows_tag_keys: []
# This section provides an opt-out for caching in the policies table on the /policies page. You can
# opt-out of each resource type that's typically cached. By default, nothing is skipped; everything
# pulled and cached.
# cache_policies_table_details:
# skip_iam_roles: false
# skip_iam_users: false
# skip_s3_buckets: false
# skip_sns_topics: false
# skip_sqs_queues: false
# skip_managed_policies: false
# skip_aws_config_resources: false
# If you have read this far and modified the above config variables to production ready values
# remove the below config variable, or switch it to false
example_config:
is_example_config: true
title: "Warning:"
text: |-
This configuration has no authentication configured. Do not use in a production environment. Do not publicly expose this endpoint or your AWS environment will be compromised! Click [here](/generate_config) to generate a configuration.
routes: .*