-
Notifications
You must be signed in to change notification settings - Fork 23
/
mozilla-cis.ini.dist
51 lines (41 loc) · 2.19 KB
/
mozilla-cis.ini.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# Mozilla-IAM template for configuration of the Mozilla Change Integration Service
[cis]
# Is the environment running locally, production, staging, or test.
environment=local
# AssumeRole arn is required even locally. Use a dummy fixture if you do not have a role setup.
assume_role_arn=arn:aws:iam::123456789000:role/demo-assume-role
# Set these parameters if you are running locally.
# dynalite_host=localhost
# dynalite_port=4567
# kinesalite_host=localhost
# kinesalite_port=4568
# Fake Well Known Endpoint Options
oidc_discovery_uri='https://auth.mozilla.com/.well-known/openid-configuration'
person_api_endpoint='https://person-api.sso.mozilla.com'
profile_schema_combined_uri='https://person-api.sso.mozilla.com/schema/v2/profile'
profile_core_schema_uri='https://person-api.sso.mozilla.com/schema/v2/profile/core'
profile_extended_schema_uri='https://person-api.sso.mozilla.com/schema/v2/profile/extended'
access_file_endpoint='https://cdn.sso.mozilla.com/apps.yml'
fake_jwks_key_path='/tmp/keys'
# Cryptography Settings for sign-verify operations
secret_manager=file # Can be file or aws-ssm
secret_manager_file_path=/etc/mozilla-iam/keys/ # required if secret manager is file must be absolute path
cis_well_known_mode=file # Can also be http if you want to use the well known endpoint above.
cis_public_key_name=fake-access-file-key # Optional for use with file mode only.
cis_strict_verification=False #Returns the name of the publisher who signed the content. For use in processors.
## AWS Specific Secret Manager Settings
secret_manager_ssm_path=/iam
secret_manager_ssm_region=us-west-2
# give the name of the key without file extension that you would like to sign assertions with
signing_key_name=fake-access-file-key
# Publisher Settings
publisher_id=fakemozilliansorg
kinesis_stream_name=local-stream
stream_bypass=false # For use in development only for bypassing stream processors
jwt_validation=true # For use in development where you may not have access to auth0 or a mocker
seed_api_data=true # Set this to populate the identity vault with users on person api spin up
[person_api]
environment=local
jwt_validation=false
initialize_vault=true # Set this if you want to pre-create the vault on init
graphiql=false