Advanced Settings
Configuration settings and features on Automator
Overview
The settings in this document control the features and security of the Automator service.
Setting: automator_debug
automator_debugEnv Variable: AUTOMATOR_DEBUG
Description: This is an easier way to turn on/off debug logging in Automator.
Setting: automator_config_key
automator_config_keyEnv Variable: AUTOMATOR_CONFIG_KEY
Default: Empty
Description: Base64-url-encoded 256-bit AES key. This is normally only used as an environment variable. (since v3.1.0). This setting is required to load the encrypted configuration from the Keeper cloud if there is no shared /usr/mybin/config file storage between container instances.
Setting: automator_host
automator_hostEnv Variable: AUTOMATOR_HOST
Default: localhost
Description: The hostname or IP address where the Automator service is listening locally. If SSL is enabled (ssl_mode parameter), the automator_host value needs to match the SSL certificate subject name. The setting disable_sni_check can be set to false if the subject name does not match.
If the service is running on a machine with multiple network IPs, this setting will bind the Automator service to the specified IP.
Setting: automator_port
automator_portEnv Variable: AUTOMATOR_PORT
Default: 8089
Description: The port where the Automator listens. If running in Docker, use the default 8089.
Setting: disable_sni_check
disable_sni_checkEnv Variable: DISABLE_SNI_CHECK
Default: false
Description: Disable the SNI check against the certificate subject name, if SSL is being used.
Setting: email_domains
email_domainsEnv Variable: EMAIL_DOMAINS
Default: null
Description: A comma-separated list of user email domains for which Automator will approve devices or teams. Example: "example.com, test.com, mydomain.com". This depends on the filter_by_email_domains setting to be enabled as well.
Setting: filter_by_email_domains
filter_by_email_domainsEnv Variable: FILTER_BY_EMAIL_DOMAINS
Description: If true, Keeper will consult the email_domains list. If false, the email_domains list will be ignored.
Setting: enabled
enabledEnv Variable: N/A
Default: false
Description: This determines if Automator is enabled or disabled.
Setting: enable_rate_limits
enable_rate_limitsEnv Variable: ENABLE_RATE_LIMITS
Default: false
Description: If true, Automator will rate limit incoming calls per the following schedule:
approve_device: 100 calls/minute with bursts to 200
approve_teams_for_user: 100 calls/minute with bursts to 200
full_reset: 4 per minute, with bursts to 6
health: 4 per minute
initialize: 4 per minute, with bursts to 6
setup: 4 per minute, with bursts to 6
status: 5 per minute
Setting: ip_allow and ip_deny
ip_allow and ip_denyEnv Variable: IP_ALLOW and IP_DENY
Default: ""
Description: This restriction allows users to be eligible for automatic approval. Users accepted by the IP restriction filter still need to be approved in the usual way by Automator. Users denied by the IP restriction filter will not be automatically approved.
If "ip_allow" is empty, all IP addresses are allowed except those listed in the "ip_deny" list. If used, devices at IP addresses outside the allowed range are not approved by Automator. The values are a comma-separated list of single IP addresses or IP ranges. The "ip_allow" list is checked first, then the "ip_deny" list is checked.
Example 1: ip_allow=
ip_deny=
Example 2:
ip_allow=10.10.1.1-10.10.1.255, 172.58.31.3, 175.200.1.10-175.200.1.20
ip_deny=10.10.1.25
Setting: name
nameEnv Variable: N/A
Default: Automator-1
Description: The name of the Automator. It should be unique inside an Enterprise. An automator can be referenced by its name or by its ID.
Setting: persist_state
persist_stateEnv Variable: N/A
Default: true
Description: If true, the Automator state will be preserved across shutdowns. Leave this on.
Setting: skill
skillEnv Variable: N/A
Default: device_approval
Description: “device_approval” means device approval. “team_for_user_approval” means team approvals. An Automator can have multiple skills. “device_approval” is the default.
Setting: ssl_certificate
ssl_certificateEnv Variable: SSL_CERTIFICATE
Default: null
Description: A Base64-encoded string containing the contents of the PFX file used for the SSL certificate. For example, on UNIX base64 -i my-certificate.pfx will produce the required value.
Using this environment variable will override the ssl_certificate_filename setting.
Setting: ssl_certificate_file_password
ssl_certificate_file_passwordEnv Variable: SSL_CERTIFICATE_PASSWORD
Default: ""
Description: The password on the SSL file. If used, the key password should be empty, or should be the same. The library we use does not allow different passwords.
Setting: ssl_certificate_key_password
ssl_certificate_key_passwordEnv Variable: SSL_CERTIFICATE_KEY_PASSWORD
Default: ""
Description: The password on the private key inside the SSL file. This should be empty or the same as the file password.
Setting: ssl_mode
ssl_modeEnv Variable: SSL_MODE
Default: certificate
Description: The method of communication on the Automator service. This can be: certificate, self_signed, or none. If none, the Automator server will use HTTP instead of HTTPS. This may be acceptable when Automator is hosted under a load balancer that decrypts SSL traffic.
Setting: url
urlEnv Variable: N/A
Default: ""
Description: The URL where the Automator can be contacted.
Last updated