Environment Variables

The StrongDM command line recognizes environment variables to control and modify its functionality. This document details the available environment variables and their function.

Environment variables can be set on a StrongDM systemd service by adding them to the environment file:

  • For service accounts, it is usually located at /etc/sysconfig/sdm.

  • For gateways and relays, it is usually located at /etc/sysconfig/sdm-proxy.

  • For bridge and proxy workers, it is usually located at /etc/sysconfig/sdm-worker.

| Name | Format | Function |
| --- | --- | --- |
| SDM_APP_DOMAIN | app.strongdm.com | Address of the control plane. |
| SDM_ADMIN_TOKEN | <JWT_TOKEN> | An admin token or service account token to use for sdm authentication; if set, this token is used by StrongDM and there is no need to log in via the CLI or desktop app |
| SDM_EMAIL | | If set, the specified email address is used automatically when using the sdm login command in the CLI |
| SDM_FALLBACK_DNS | <DNS_ADDRESS>:<PORT> | DNS address to use as a fallback if a call to app.strongdm.com fails; defaults to 1.1.1.1:53 and can be set to 0 to disable fallback |
| SDM_HOME | /path/to/home | The location where sdm places its logs and keys; defaults to ~/.sdm; must be writable by the user running sdm |
| SDM_HTTP_PROXY | http://example.example.com:8080 | The HTTP proxy URL to use in corporate environments where outbound traffic must pass through a proxy |
| SDM_HTTPS_PROXY | https://example.example.com:8080 | The HTTPS proxy URL to use in corporate environments where outbound traffic must pass through a proxy |
| SDM_VERBOSE | true or false | If set, log verbosity is set to high for troubleshooting purposes |
| SDM_DISABLE_UPDATE | true or false | If set to true, disables auto-updates. |
| SDM_DOCKERIZED | true, false, or stderr | If true, logs go to STDOUT rather than sdm.log for Docker or Kubernetes deployments or for troubleshooting purposes; if stderr, logs go to STDERR |

Variables Only for Gateways, Relays, and Proxy Clusters

The following variables are only for use with gateways, relays, proxy workers, and bridge workers.

| Name | Format | Function |
| --- | --- | --- |
| SDM_HOSTNAME_CURL_ADDRESS | URI | If set within the StrongDM Gateway AMI in the userdata field at instance launch, the gateway reaches out to the specified address to determine its public hostname instead of the default AWS address |
| SDM_MAINTENANCE_WINDOW_START | integer | If set, schedules the hour of the day (0 to 23 UTC) when gateways and relays can terminate connections and restart (default: 7) |
| SDM_METRICS_LISTEN_ADDRESS | :port | If set in the gateway or relay's environment on port 9999, enables the gateway or relay to listen for metrics on the specified port |
| SDM_ORCHESTRATOR_PROBES | :port | If set, enables the http://<GATEWAY OR RELAY IP>:port/liveness URL to check whether the gateway or relay is in good health |
| SDM_RELAY_LOG_ENCRYPTION | plaintext or pubkey:///pubkeyfullpath/file.pem | Overrides relay log encryption settings configured in the Admin UI |
| SDM_RELAY_LOG_FORMAT | csv or json | Overrides relay log format settings configured in the Admin UI |
| SDM_RELAY_LOG_STORAGE | stdout, file, none, tcp://host:port, socket:///fullpath/, or syslog://host:port | Overrides relay log storage settings configured in the Admin UI |

Variables Only for Gateways and Relays

| Name | Format | Function |
| --- | --- | --- |
| SDM_RELAY_TOKEN | <JWT_TOKEN> | A gateway or relay token to use when invoking the sdm binary; normally not needed as this is entered when installing the gateway or relay |

Variables Only for Proxy Clusters

| Name | Format | Function |
| --- | --- | --- |
| SDM_PROXY_CLUSTER_ACCESS_KEY | pk-xxxxx | ID of the proxy cluster key used to authenticate to the control plane |
| SDM_PROXY_CLUSTER_SECRET_KEY | (base64) | Secret portion of the proxy cluster key used to authenticate to the control plane |
| SDM_BRIDGE | local or example.com:port | When set to local, instructs the worker to run as a bridge worker; when set to an address, instructs the worker to connect to a bridge at that address |
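
The environment files named at the top of this page can hold SDM_ADMIN_TOKEN, SDM_RELAY_TOKEN, or SDM_PROXY_CLUSTER_SECRET_KEY, and can override log settings from the Admin UI. The following shell check is an added example, not StrongDM tooling: it flags a file that holds one of those credentials while readable by group or others, an SDM_RELAY_LOG_ENCRYPTION or SDM_RELAY_LOG_STORAGE override of plaintext or none, and an SDM_MAINTENANCE_WINDOW_START outside 0 to 23. Assumptions: the function name audit_sdm_env, the use of GNU stat, and the choice to report these settings as findings are made for this example.

```sh
#!/bin/sh
# Added example (not StrongDM tooling): audit an sdm environment file.
# Prints one finding per line; prints nothing when the file passes.

# Variables this page documents as carrying credentials.
SECRET_VARS="SDM_ADMIN_TOKEN SDM_RELAY_TOKEN SDM_PROXY_CLUSTER_SECRET_KEY"

audit_sdm_env() (   # subshell body keeps the variables local
  file=$1; has_secret=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac        # skip blanks and comments
    key=${line%%=*}; val=${line#*=}
    val=${val#\"}; val=${val%\"}                   # drop optional double quotes
    case " $SECRET_VARS " in *" $key "*) has_secret=1 ;; esac
    case $key in
      SDM_RELAY_LOG_ENCRYPTION)
        if [ "$val" = plaintext ]; then
          echo "WARN $key=plaintext overrides the Admin UI encryption setting"
        fi ;;
      SDM_RELAY_LOG_STORAGE)
        if [ "$val" = none ]; then
          echo "WARN $key=none overrides the Admin UI storage setting"
        fi ;;
      SDM_MAINTENANCE_WINDOW_START)
        case $val in
          [0-9]|1[0-9]|2[0-3]) ;;                  # valid hour, 0 to 23 UTC
          *) echo "ERROR $key=$val is not an hour in 0-23" ;;
        esac ;;
    esac
  done < "$file"
  if [ "$has_secret" -eq 1 ]; then
    mode=$(stat -c %a "$file")                     # GNU stat: octal mode, e.g. 600
    case $mode in
      *00|0) ;;                                    # no group or other access
      *) echo "ERROR $file holds a credential but has mode $mode" ;;
    esac
  fi
)

# Constructed sample for a gateway; the token is a placeholder, not a real JWT.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SDM_RELAY_TOKEN=<JWT_TOKEN>
SDM_RELAY_LOG_ENCRYPTION=plaintext
SDM_MAINTENANCE_WINDOW_START=24
EOF
chmod 644 "$sample"
audit_sdm_env "$sample"
rm -f "$sample"
```

The values of credential variables are never printed; only the variable name, the file path, and its mode appear in findings.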
