Shared Secret File
Summary
Shared Secret File is the location of a file containing the base64-encoded, 256-bit key used to mutually authenticate requests between services. It's critical that secret keys are random, and stored safely.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
shared_secret_file | SHARED_SECRET_FILE | string | required (unless using [shared_secret]) |
Pomerium Core configurations do not require a shared_secret or shared_secret_file. You only need to include a shared secret if you are running the Console.
If you are connecting to the Console, your Pomerium Core and Console configurations require the same shared secret.
See the Enterprise Quickstart for an example implementation.
Examples
shared_secret_file points to a file containing the secret. This is useful when deploying in environments that provide secret management like Docker Swarm.
To generate a key, run the following command:
head -c32 /dev/urandom | base64
Place the value in your shared_secret_file:
shared_secret_file: '/run/secrets/POMERIUM_SHARED_SECRET'
If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a secret mismatch.
shared_secret_file is a bootstrap configuration setting and is not configurable in the Console.
| Name |
|---|
secrets.shared_secret |
See Kubernetes bootstrap secrets for more information.