Configuration
JITSudo is configured entirely through environment variables. The server and worker share a base configuration, with each adding process-specific settings.
Shared Configuration
These variables apply to both the API server and the worker:
| Variable | Description | Default | Required |
|---|---|---|---|
| DATABASE_URL | PostgreSQL connection string | — | Yes |
| LOG_LEVEL | Log level: debug, info, warn, error | info | No |
| AWS_REGION | AWS region for SDK calls | us-east-1 | No |
| OIDC_ISSUER_URL | OIDC provider discovery URL | — | No |
| OIDC_CLIENT_ID | OAuth2 client ID | — | No |
| OIDC_CLIENT_SECRET | OAuth2 client secret | — | No |
| OIDC_REDIRECT_URI | Callback URL registered with the IdP | — | No |
| OIDC_GROUPS_CLAIM | ID token claim containing group memberships | groups | No |
| OIDC_TENANT_CLAIM | ID token claim containing the tenant UUID | tenant_id | No |
| JWT_SECRET | HMAC-SHA256 signing secret for system JWTs | — | Yes |
| JWT_TTL | Lifetime of issued JWTs (Go duration string) | 1h | No |
| IC_INSTANCE_ARN | ARN of the IAM Identity Center instance | — | Server: No. Worker: Yes (see below) |
Server-Specific
| Variable | Description | Default | Required |
|---|---|---|---|
| SERVER_PORT | TCP port for the HTTP server | 8080 | No |
Worker-Specific
| Variable | Description | Default | Required |
|---|---|---|---|
| WORKER_CONCURRENCY | Number of concurrent job processors | 5 | No |
| RECONCILIATION_INTERVAL | How often drift reconciliation runs (Go duration string) | 30s | No |
| IC_INSTANCE_ARN | ARN of the IAM Identity Center instance | — | Yes |
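The tables above describe defaults, required variables and Go duration strings, but not what a process should do when they are wrong. The loader below is an added example, not JITSudo's own code: the Config type, the LoadConfig function, its role argument, the sanity upper bounds and the 32-byte minimum for JWT_SECRET are this example's assumptions. It reads every variable from the tables, applies the documented defaults and reports all problems at once.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// Config holds the settings from the shared, server and worker tables.
// Field names are this example's own, not JITSudo's internal type.
type Config struct {
	DatabaseURL            string
	LogLevel               string
	AWSRegion              string
	JWTSecret              []byte
	JWTTTL                 time.Duration
	ICInstanceARN          string
	ServerPort             int
	WorkerConcurrency      int
	ReconciliationInterval time.Duration
}

// LoadConfig reads variables through getenv (os.Getenv in production, a map
// lookup in tests), applies the documented defaults and returns every problem
// in one error so an operator can fix a bad deployment in one pass.
// role is "server" or "worker".
func LoadConfig(role string, getenv func(string) string) (*Config, error) {
	var problems []string
	get := func(key, def string) string {
		if v := getenv(key); v != "" {
			return v
		}
		return def
	}
	duration := func(key, def string) time.Duration {
		d, err := time.ParseDuration(get(key, def))
		if err != nil || d <= 0 {
			problems = append(problems, key+" must be a positive Go duration such as 30s or 1h")
		}
		return d
	}
	integer := func(key, def string, lo, hi int) int { // bounds are this example's sanity limits
		n, err := strconv.Atoi(get(key, def))
		if err != nil || n < lo || n > hi {
			problems = append(problems, fmt.Sprintf("%s must be an integer between %d and %d", key, lo, hi))
		}
		return n
	}

	cfg := &Config{
		DatabaseURL:   getenv("DATABASE_URL"),
		LogLevel:      get("LOG_LEVEL", "info"),
		AWSRegion:     get("AWS_REGION", "us-east-1"),
		ICInstanceARN: getenv("IC_INSTANCE_ARN"),
		JWTSecret:     []byte(getenv("JWT_SECRET")),
		JWTTTL:        duration("JWT_TTL", "1h"),
	}
	if cfg.DatabaseURL == "" {
		problems = append(problems, "DATABASE_URL is required")
	}
	switch cfg.LogLevel {
	case "debug", "info", "warn", "error":
	default:
		problems = append(problems, "LOG_LEVEL must be one of debug, info, warn, error")
	}
	// The page documents no minimum length for JWT_SECRET; requiring 32 bytes
	// (the HMAC-SHA256 output size) is this example's addition. As a side
	// effect it rejects the .env placeholder "change-me-in-production".
	if len(cfg.JWTSecret) == 0 {
		problems = append(problems, "JWT_SECRET is required")
	} else if len(cfg.JWTSecret) < 32 {
		problems = append(problems, "JWT_SECRET must be at least 32 bytes")
	}

	switch role {
	case "server":
		cfg.ServerPort = integer("SERVER_PORT", "8080", 1, 65535)
	case "worker":
		cfg.WorkerConcurrency = integer("WORKER_CONCURRENCY", "5", 1, 1024)
		cfg.ReconciliationInterval = duration("RECONCILIATION_INTERVAL", "30s")
		if cfg.ICInstanceARN == "" {
			problems = append(problems, "IC_INSTANCE_ARN is required by the worker")
		}
	default:
		problems = append(problems, "role must be server or worker")
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("invalid configuration:\n  %s", strings.Join(problems, "\n  "))
	}
	return cfg, nil
}

func main() {
	role := "server"
	if len(os.Args) > 1 {
		role = os.Args[1]
	}
	cfg, err := LoadConfig(role, os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: log=%s region=%s jwt_ttl=%s port=%d\n", role, cfg.LogLevel, cfg.AWSRegion, cfg.JWTTTL, cfg.ServerPort)
}
```

Run it as `go run . worker` with the variables exported to see the worker-only rule fire; a loader that stops at the first missing variable makes operators iterate once per mistake, which is why all problems are collected.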
Authentication
JITSudo supports two authentication methods:
- OIDC + JWT, for web UI users. Configure OIDC_ISSUER_URL, OIDC_CLIENT_ID and OIDC_CLIENT_SECRET, and set OIDC_REDIRECT_URI to the callback URL registered with the IdP. The server exchanges OIDC authorization codes for system-issued JWTs signed with JWT_SECRET (HMAC-SHA256) and valid for JWT_TTL.
- API Key, for admin automation. API keys are created per tenant via the API and passed in the X-API-Key header.
See Authentication & OIDC for detailed setup.
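The page states that system JWTs are HS256-signed with JWT_SECRET and live for JWT_TTL. What a verifier must check before trusting such a token is shown below as an added example in Go, not JITSudo's code: pin the algorithm (so an alg=none or algorithm-swapped token is rejected), compare the MAC in constant time, decode claims only after the MAC check, and enforce exp. The Claims type, its claim names and the IssueJWT/VerifyJWT functions are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a system JWT this example reads. The claim names
// are assumptions; the page does not document the system JWT's payload.
type Claims struct {
	Sub      string `json:"sub"`
	TenantID string `json:"tenant_id"`
	Exp      int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// sign computes the HS256 MAC over the JWT signing input (header.payload).
func sign(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// IssueJWT builds a compact HS256 JWT (RFC 7519) that expires ttl after now,
// the role JWT_TTL plays for system-issued tokens.
func IssueJWT(secret []byte, c Claims, now time.Time, ttl time.Duration) string {
	c.Exp = now.Add(ttl).Unix()
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return signingInput + "." + b64.EncodeToString(sign(secret, signingInput))
}

// VerifyJWT accepts a token only if the header says HS256, the MAC matches in
// constant time, and exp is still in the future. Claims are decoded only after
// the MAC check so attacker-controlled JSON is never parsed unauthenticated.
func VerifyJWT(secret []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil {
		return Claims{}, errors.New("malformed header")
	}
	if hdr.Alg != "HS256" {
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	secret := []byte("0123456789abcdef0123456789abcdef") // constructed; load JWT_SECRET from the environment in real code
	now := time.Now()
	tok := IssueJWT(secret, Claims{Sub: "alice", TenantID: "11111111-2222-4333-8444-555555555555"}, now, time.Hour)
	c, err := VerifyJWT(secret, tok, now)
	fmt.Println(c.Sub, c.TenantID, err)
	_, err = VerifyJWT(secret, tok, now.Add(2*time.Hour)) // past JWT_TTL
	fmt.Println(err)
}
```

Rotating JWT_SECRET invalidates every outstanding system JWT at once, which bounds the damage of a leaked secret to JWT_TTL plus the time it takes to rotate.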
Multi-Tenancy
All API requests (except /healthz) require an X-Tenant-ID header carrying a valid tenant UUID. The web UI sets this automatically from the authenticated user's tenant claim (OIDC_TENANT_CLAIM).
See Multi-Tenancy for details.
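The two header rules on this page (X-Tenant-ID on everything but /healthz, and per-tenant API keys in X-API-Key) are enforced below by an added example middleware in Go. It is not JITSudo's code: the TenantGate type, its in-memory APIKeys table (a constructed stand-in for keys created via the API), the path /api/example and the assumption that JWT authentication runs in a later handler are all this example's own. The point a practitioner should take from it is that the key is looked up by the tenant in the header, so a key belonging to tenant A can never authorize a request scoped to tenant B.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Canonical 8-4-4-4-12 UUID; the middleware lower-cases the header first.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// TenantGate enforces the header rules. APIKeys is a constructed in-memory
// stand-in for the per-tenant API keys JITSudo creates through its API.
type TenantGate struct {
	APIKeys map[string]string // tenant UUID -> API key
}

// Middleware lets /healthz through untouched, rejects any other request whose
// X-Tenant-ID is missing or not a UUID, and, when X-API-Key is present, accepts
// only the key registered for that same tenant. Requests without an API key
// pass to the next handler, where this example assumes JWT auth happens.
func (g TenantGate) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/healthz" {
			next.ServeHTTP(w, r)
			return
		}
		tenant := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Tenant-ID")))
		if !uuidRe.MatchString(tenant) {
			// Reject before touching any tenant data: a missing or malformed
			// tenant must never fall through to a default tenant.
			http.Error(w, "X-Tenant-ID header must be a tenant UUID", http.StatusBadRequest)
			return
		}
		if key := r.Header.Get("X-API-Key"); key != "" {
			want, known := g.APIKeys[tenant]
			// Look up by tenant, then compare in constant time; an unknown tenant
			// and a wrong key produce the same response and timing.
			if !known || subtle.ConstantTimeCompare([]byte(key), []byte(want)) != 1 {
				http.Error(w, "API key is not valid for this tenant", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// NewHandler wraps a trivial 200 backend in the gate so the rules can be
// exercised without the rest of the server.
func NewHandler(g TenantGate) http.Handler {
	return g.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

// StatusFor runs one in-process request through h and returns the status code.
func StatusFor(h http.Handler, path string, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tenantA := "11111111-2222-4333-8444-555555555555" // constructed tenant UUID
	h := NewHandler(TenantGate{APIKeys: map[string]string{tenantA: "key-a"}})
	fmt.Println(StatusFor(h, "/healthz", nil))                                                                    // 200
	fmt.Println(StatusFor(h, "/api/example", nil))                                                                // 400
	fmt.Println(StatusFor(h, "/api/example", map[string]string{"X-Tenant-ID": tenantA, "X-API-Key": "key-a"}))   // 200
	fmt.Println(StatusFor(h, "/api/example", map[string]string{"X-Tenant-ID": tenantA, "X-API-Key": "key-b"}))   // 401
}
```

Whether the UUID names an existing tenant, and whether the authenticated user belongs to it, are separate checks that belong after this gate; the gate only guarantees that every downstream handler sees a syntactically valid tenant.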
Example
Minimal .env for local development:

```
DATABASE_URL=postgres://jitsudo:jitsudo@localhost:5432/jitsudo?sslmode=disable
JWT_SECRET=change-me-in-production
OIDC_ISSUER_URL=http://localhost:5556/dex
OIDC_CLIENT_ID=jitsudo-local
OIDC_CLIENT_SECRET=local-secret
LOG_LEVEL=debug
SERVER_PORT=8080
```

This is enough to start the API server; the worker additionally needs IC_INSTANCE_ARN. The placeholder JWT_SECRET, the plaintext OIDC_CLIENT_SECRET and sslmode=disable are for a local setup only: in any shared environment generate a random JWT_SECRET, keep both secrets out of version control, and require TLS to PostgreSQL.