All required configuration is set via environment variables, either directly in the execution environment when running the tools, or as entries in a .env file. Environment variables take precedence over .env entries.

Configuration variables are as follows:
Name | Description | Example |
---|---|---|
TENANT_BASE_URL | ForgeRock Identity Cloud URL | https://openam-demo-euw1-dev.id.forgerock.io |
HTTP_PROXY_SERVER | Proxy server URL. If set, all requests are routed through this proxy. Note that if your proxy server uses a TLS certificate issued by a private CA, you need to enable trust via the environment variable NODE_EXTRA_CA_CERTS=/path/to/ca.pem. | https://proxy.local:8443 |
TENANT_READONLY | Set to true to prevent config push via the fr-config-push command (or any other tool which uses this flag). This causes the fr-config-push command to return an error and exit immediately. | false |
ALLOWED_PUSH_COMMANDS | A list of commands which are allowed for push, specified as a JSON encoded array of strings. If set, then only the specified commands are permitted; otherwise fr-config-push <command> will return an error and exit immediately. | ["endpoints","test"] |
PUSH_NAMED_ONLY | Set to true to prevent config push via the fr-config-push command without using the --name option. If the --name option is not used, the fr-config-push command returns an error and exits immediately. This is to prevent accidental overwriting of configuration. | false |
CONFIG_DIR | Directory containing the configuration to be pushed/pulled. May be an absolute path or relative to the working directory. | identity-cloud-config |
REALMS | List of realms for configuration push/pull, expressed as a JSON encoded array of strings. | ["alpha","bravo"] |
SCRIPT_PREFIXES | List of prefixes for retrieving scripts. Only scripts with names beginning with these prefixes will be pulled from the tenant configuration. If an empty array is specified, i.e. [], then all scripts are pulled. This can be used to avoid pushing/pulling default system scripts. Note that this option is ignored by the push tool, which pushes all script configuration present in the local file system. | ["acme-corp-","widget-"] |
SERVICE_ACCOUNT_ID | Identity Cloud service account ID | d9d3922b-0e77-4589-b86e-1a1446712fdf |
SERVICE_ACCOUNT_CLIENT_ID | Tenant-wide OAuth2 client ID for the service account. Normally fixed as service-account. | service-account |
SERVICE_ACCOUNT_SCOPE | OAuth2 scopes to request when acquiring an access token for the push/pull, expressed as a space-delimited list of scopes. The scopes required depend on whether you are performing a push or a pull, and on which areas of tenant config are pushed/pulled. | fr:idm:* fr:am:* fr:idc:esv:* |
SERVICE_ACCOUNT_KEY | The service account private key, expressed either as a JWK (as downloaded from the Identity Cloud admin UI) or as a PEM encoded private key. | Refer to the .env.sample file for examples of JWK and PEM encoded private keys |
OAUTH2_AGENTS_CONFIG | The file path for the JSON file containing details of OAuth2 agents to pull from the Identity Cloud tenant. This is used by the fr-config-pull oauth2-agents command for system clients present in all environments. Note that this config is ignored by the fr-config-push oauth2-agents command: all agents contained in the realm-config/agents directory for each realm are pushed to the target tenant. Refer to agents configuration for details of the file format. | pull-config/oauth2-agents.json |
AUTHZ_POLICY_SETS_CONFIG | The file path for the JSON file containing details of authorisation policy sets to pull from the Identity Cloud tenant. This is used by the fr-config-pull authz-policies command to selectively export policy sets. Note that this config is ignored by the fr-config-push authz-policies command: the tool will push all policy sets contained in the realm-config/authorization/policy-sets directory for each realm. Refer to policy configuration for details of the file format. | pull-config/authz-policies.json |
SERVICE_OBJECTS_CONFIG | The file path for the JSON file containing details of managed objects to pull from the Identity Cloud tenant. This is used by the fr-config-pull service-objects command to selectively export managed users, roles etc. Note that this config is ignored by the fr-config-push service-objects command: the tool will push all managed objects contained in the service-objects directory. Refer to the service objects configuration for details of the file format. | pull-config/service-objects.json |
RAW_CONFIG | The file path for the JSON file containing details of individual configuration objects to pull from the Identity Cloud tenant. This is used by the fr-config-pull raw command to selectively export config by path. Note that this config is ignored by the fr-config-push raw command: the tool will push all configuration files contained in the raw directory. Refer to raw configuration for details of the file format. | pull-config/raw-config.json |
ACTIVE_ONLY_SECRETS | Set to true to make an active-secret pull the default, i.e. equivalent to fr-config-pull secrets --active-only. It is recommended to pull active secrets only, unless multiple version management is specifically required. | true |
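As an added example (not the fr-config-manager project's own code), the Node script below models two things described above: the precedence rule, where a variable in the process environment overrides the same entry in .env, and the three push guards TENANT_READONLY, ALLOWED_PUSH_COMMANDS and PUSH_NAMED_ONLY. The .env parser, the function names and the sample values are assumptions for illustration, not the tool's implementation.

```javascript
// Added example (not fr-config-manager's own code): the precedence rule
// ("environment variables win over .env entries") and the three push guards.

// Parse a .env file body into key/value pairs; "#" comments and blanks skipped.
function parseDotEnv(text) {
  const out = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Merge: keys in `env` (the process environment) override the .env entries.
function loadConfig(env, dotEnvText) {
  const merged = { ...parseDotEnv(dotEnvText), ...env };
  const jsonArray = (key) => {
    if (merged[key] === undefined) return undefined;
    const v = JSON.parse(merged[key]);
    if (!Array.isArray(v)) throw new Error(`${key} must be a JSON array`);
    return v;
  };
  return {
    tenantBaseUrl: merged.TENANT_BASE_URL,
    tenantReadOnly: merged.TENANT_READONLY === "true",
    allowedPushCommands: jsonArray("ALLOWED_PUSH_COMMANDS"),
    pushNamedOnly: merged.PUSH_NAMED_ONLY === "true",
    realms: jsonArray("REALMS") || [],
  };
}

// Apply the three guards; each one blocks the push with its own reason.
function checkPush(config, command, nameGiven) {
  if (config.tenantReadOnly) return { allowed: false, reason: "TENANT_READONLY is true" };
  if (config.allowedPushCommands && !config.allowedPushCommands.includes(command))
    return { allowed: false, reason: `${command} is not in ALLOWED_PUSH_COMMANDS` };
  if (config.pushNamedOnly && !nameGiven)
    return { allowed: false, reason: "PUSH_NAMED_ONLY is true but --name was not given" };
  return { allowed: true, reason: "ok" };
}

// Constructed sample: .env says read-only, but the process environment overrides it.
const SAMPLE_DOTENV = "TENANT_READONLY=true\nTENANT_BASE_URL=https://openam-demo-euw1-dev.id.forgerock.io\n";
const SAMPLE_ENV = { TENANT_READONLY: "false", ALLOWED_PUSH_COMMANDS: '["endpoints","test"]', PUSH_NAMED_ONLY: "true" };
const sampleConfig = loadConfig(SAMPLE_ENV, SAMPLE_DOTENV);
console.log(checkPush(sampleConfig, "scripts", true)); // blocked: "scripts" is not allow-listed
```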