Gateway Environment Variables

Supported environment variables for the Keeper Gateway

Core Gateway Configuration

| CLI Parameter | Environment Variable | Default Value | Purpose |
| --- | --- | --- | --- |
| -d, --debug | KEEPER_GATEWAY_LOG_LEVEL | info | Sets logging level. Valid values: debug, info, warning, error, critical |
| --verbose | KEEPER_GATEWAY_VERBOSE | | Enable verbose logging |
| --log-file | KEEPER_GATEWAY_LOG_FILE | Generated based on timestamp | Specifies the log file path |
| --log-folder | KEEPER_GATEWAY_LOG_FOLDER | ~/.keeper/logs or /var/log/keeper-gateway for service | Specifies the log folder location |
| --config-file, -c | GATEWAY_CONFIG_PATH | ~/.keeper/gateway-config.json | Path to the gateway configuration file |
| N/A | GATEWAY_CONFIG | None | Base64 encoded configuration string |
| --aws-kms-secret-name | AWS_KMS_SECRET_NAME | None | AWS KMS secret name for configuration |
| N/A | VERIFY_SSL | TRUE | Whether to verify SSL certificates |
| N/A | KRELAY_SERVER | Auto-detected from config | Override the TURN/STUN relay server |
| N/A | INSECURE_DEBUG | False | Show passwords in logs |
| --show-cmds | KEEPER_GATEWAY_SHOW_CMDS | False | Show commands being executed |
| --max-workers, -w | KEEPER_GATEWAY_MAX_WORKERS | 1 for process pool, 10 for thread pool | Number of worker processes/threads |
| --log-to-stdout | KEEPER_GATEWAY_LOG_TO_STDOUT | False | Output logs to stdout instead of file |
| N/A | GUACD_HOST | 127.0.0.1 | Host for guacd service |
| N/A | GUACD_PORT | 4822 | Port for guacd service |
| N/A | GUACD_PATH | pyguacd (Windows) or /opt/keeper/sbin/guacd (Linux) | Path to guacd executable |
| --tunnel-only-use-turn | KEEPER_GATEWAY_TUNNEL_ONLY_USE_TURN | False | Force use of TURN relay only |
| N/A | RECORDING_PATH | /recording_pipes | Path for session recordings (removed after session ends) |
| N/A | TYPE_SCRIPT_RECORDING_PATH | /recording_pipes | Path for typescript recordings (removed after session ends) |
| N/A | KEEPER_GATEWAY_CVE_SECURITY_CHECKS | false | Enable CVE security checks during initialization |
| N/A | KEEPER_GATEWAY_USE_GUACR | false | Use Guacamole recording (guacr) instead of standard |

Connection Timeout Variables (Gateway)

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_SET_LOCAL_DESCRIPTION_TIMEOUT | 15s | Time to set local description in WebRTC |
| KEEPER_GATEWAY_OPEN_CONNECTION_TIMEOUT | 60s | Time to wait for connection establishment |
| KEEPER_GATEWAY_CREATE_ANSWER_TIMEOUT | 30s | Time to create peer ICE answer |
| KEEPER_GATEWAY_READ_TIMEOUT | 15s | Time to wait for data from data channel |
| KEEPER_GATEWAY_NON_PARED_READ_TIMEOUT | 5s | Time to wait for data before paring |
| KEEPER_GATEWAY_CLOSE_CONNECTION_TIMEOUT | 5s | Time to wait for connection closure |
| KEEPER_GATEWAY_TEST_CONNECTION_TIMEOUT | 5s | Time to wait for test connection |
| KEEPER_GATEWAY_ABRUPT_DISCONNECTION_TIMEOUT | 3s | Time to detect abrupt disconnection |
| KEEPER_GATEWAY_FORCE_CLOSE_TIMEOUT | 6s | Time to force close connection |
| KEEPER_GATEWAY_RUST_CLEANUP_TIMEOUT | 5s | Time for Rust cleanup operations |
| KEEPER_GATEWAY_ACCEPT_OFFER_TIMEOUT | calculated | Time to accept WebRTC offer (create_answer + set_local_description + 10) |
| KEEPER_GATEWAY_RECORDINGS_PATH_TIMEOUT | 20s | Time to create recording path |
| KEEPER_GATEWAY_GUACD_RECEIVE_TIMEOUT | 15s | Time to receive from Guacamole daemon |
| KEEPER_GATEWAY_DATA_CHANNEL_TIMEOUT | 5s | Time for data channel send |
| KEEPER_GATEWAY_CONNECTION_ESTABLISHMENT_TIMEOUT | 15s | Time to establish connection |
| KEEPER_GATEWAY_JIT_ACCOUNT_CREATION_TIMEOUT | 90s | Time for JIT ephemeral user creation |
| KEEPER_GATEWAY_RECORDINGS_PATH_EPHEMERAL_TIMEOUT | 60s | Time for ephemeral recording path setup |

Rust WebRTC Module (pam-rustwebrtc) Variables

Backend I/O Configuration

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_BACKEND_FLUSH_TIMEOUT_MS | 50ms | Maximum time to wait for backend flush() to complete |
| KEEPER_GATEWAY_MAX_FLUSH_FAILURES | 5 | Number of consecutive flush failures before closing connection |
| KEEPER_GATEWAY_CHANNEL_SHUTDOWN_GRACE_MS | 100ms | Grace period before signaling channels to exit during tube close |

Channel Cleanup Timeouts

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_DATA_CHANNEL_CLOSE_TIMEOUT_SECS | 3s | Timeout for data channel close operation |
| KEEPER_GATEWAY_PEER_CONNECTION_CLOSE_TIMEOUT_SECS | 5s | Timeout for peer connection close operation |
| KEEPER_GATEWAY_DISCONNECT_TO_EOF_DELAY_MS | 100ms | Delay between disconnect message and EOF in Drop cleanup |

ICE / Connection Establishment

| Environment Variable | Default | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_ICE_GATHER_TIMEOUT_SECS | 30s | ICE gathering timeout for initial connection |
| KEEPER_GATEWAY_ICE_RESTART_ANSWER_TIMEOUT_SECS | 10s | Timeout waiting for ICE restart answer from remote peer |
| KEEPER_GATEWAY_ICE_DISCONNECTED_WAIT_SECS | 2s | Wait time after ICE disconnected before triggering restart |

Activity Monitoring

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_ACTIVITY_TIMEOUT_SECS | 120s | Inactivity duration before considering ICE restart |
| KEEPER_GATEWAY_STALE_TUBE_SWEEP_INTERVAL_SECS | 300s | How often stale tube sweeper runs |

Concurrency / Scale

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_MAX_CONCURRENT_CREATES | 100 | Maximum concurrent tube creations allowed |

Router / HTTP Timeouts

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_ROUTER_HTTP_TIMEOUT_SECS | 5s | HTTP timeout for router API calls |
| KEEPER_GATEWAY_TUBE_CREATION_TIMEOUT_SECS | 15s | Total timeout for tube creation |
| KEEPER_GATEWAY_ROUTER_CIRCUIT_BREAKER_COOLDOWN_SECS | 60s | Circuit breaker cooldown after router failures |
| KEEPER_GATEWAY_ROUTER_CIRCUIT_BREAKER_THRESHOLD | 3 | Number of consecutive router failures before opening circuit breaker |

WebRTC Logging

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_INCLUDE_WEBRTC_LOGS | false | Include WebRTC library logs (very verbose). Set to "1" or "true" to enable |
| KPAM_ROUTER_HOST | Derived from KSM config | Router hostname override |

Health Check Variables

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_HEALTH_CHECK_ENABLED | false | Enable health check server |
| KEEPER_GATEWAY_HEALTH_CHECK_HOST | 127.0.0.1 | Health check server bind address |
| KEEPER_GATEWAY_HEALTH_CHECK_PORT | 8099 | Health check server port |
| KEEPER_GATEWAY_HEALTH_CHECK_USE_SSL | false | Enable SSL for health check |
| KEEPER_GATEWAY_HEALTH_CHECK_SSL_CERT | None | Path to SSL certificate |
| KEEPER_GATEWAY_SSL_KEY | None | Path to SSL private key |
| KEEPER_GATEWAY_HEALTH_CHECK_AUTH_TOKEN | None | Authentication token for health check API |

Resource Management Variables

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_RESOURCE_CHECK_ENABLED | true | Enable resource checking to prevent starvation |
| KEEPER_GATEWAY_MIN_HEADROOM_PERCENT | 15 | Minimum memory headroom percentage to maintain |
| KEEPER_GATEWAY_CHECK_RBI_CAPACITY | true | Check if RBI session can fit in available resources |
| KEEPER_GATEWAY_HTTP_RAM_MB | 800 | RAM requirement for RBI/HTTP connections (MB) |
| KEEPER_GATEWAY_RDP_RAM_MB | 75 | RAM requirement for RDP connections (MB) |
| KEEPER_GATEWAY_VNC_RAM_MB | 65 | RAM requirement for VNC connections (MB) |
| KEEPER_GATEWAY_SSH_RAM_MB | 70 | RAM requirement for SSH connections (MB) |
| KEEPER_GATEWAY_MYSQL_RAM_MB | 35 | RAM requirement for MySQL connections (MB) |
| KEEPER_GATEWAY_POSTGRESQL_RAM_MB | 35 | RAM requirement for PostgreSQL connections (MB) |
| KEEPER_GATEWAY_SQLSERVER_RAM_MB | 35 | RAM requirement for SQL Server connections (MB) |
| KEEPER_GATEWAY_KUBERNETES_RAM_MB | 70 | RAM requirement for Kubernetes connections (MB) |
| KEEPER_GATEWAY_TELNET_RAM_MB | 50 | RAM requirement for Telnet connections (MB) |
| KEEPER_GATEWAY_TUNNEL_RAM_MB | 35 | RAM requirement for tunnel/port forwarding (MB) |

RBI (Remote Browser Isolation) Variables

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_RBI_PROFILE_STORAGE_PATH | /opt/keeper/gateway/rbi-profiles | Directory for browser session persistence profiles |

AI / Threat Detection Variables

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| KEEPER_GATEWAY_AI_LLM_PROVIDER | openai-generic | AI LLM provider (aws-bedrock, anthropic, google-ai, vertex-ai, openai, azure-openai, openai-generic) |
| KEEPER_GATEWAY_AI_MODEL | None (required) | AI model name/identifier |
| KEEPER_GATEWAY_AI_API_KEY | None (required) | API key for AI provider |
| KEEPER_GATEWAY_AI_BASE_URL | None (optional) | Base URL for AI provider API |
| KEEPER_GATEWAY_AI_API_VERSION | None (required for Azure) | API version for Azure OpenAI |
| KEEPER_GATEWAY_AI_RISK_LEVEL_SOURCE | None | Source for risk level classification |
| RISK_CLASSIFIER_MODEL_DIR | None | Directory containing risk classifier model |
| KEEPER_GATEWAY_SENTRY_API_KEY | None | API key for Sentry threat detection |
| KEEPER_GATEWAY_SENTRY_BASE_URL | None | Base URL for Sentry service |
| KEEPER_GATEWAY_SENTRY_MODEL | None | Model identifier for Sentry |

AWS Bedrock Variables

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| AWS_REGION | None (required) | AWS region for Bedrock |
| AWS_PROFILE | None (optional) | AWS profile for credentials |
| AWS_ACCESS_KEY_ID | None (optional) | AWS access key |
| AWS_SECRET_ACCESS_KEY | None (optional) | AWS secret access key |
| AWS_SESSION_TOKEN | None (optional) | AWS session token |

Alternative API Keys (Provider-Specific)

| Environment Variable | Provider | Purpose |
| --- | --- | --- |
| OPENAI_API_KEY | OpenAI | Alternative to KEEPER_GATEWAY_AI_API_KEY |
| ANTHROPIC_API_KEY | Anthropic | Alternative to KEEPER_GATEWAY_AI_API_KEY |
| AZURE_OPENAI_API_KEY | Azure OpenAI | Alternative to KEEPER_GATEWAY_AI_API_KEY |
| GOOGLE_API_KEY | Google AI | Alternative to KEEPER_GATEWAY_AI_API_KEY |

KDNRM Module Variables

Logging Configuration

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| LOG_ENGINE | "default" | Specifies the logging engine to use |
| LOG_SHOW_STACKTRACE | FALSE | When TRUE, displays full Python stack traces in logs |
| LOG_SHOW_LINE_NO | FALSE | When TRUE, shows line numbers in log output |
| LOG_TO_FILE | None | File path where logs should be written |
| LOG_USAGE_SEC | 0 | Memory usage logging interval in seconds (0 = disabled) |

Local Secrets Manager Configuration

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| USE_LOCAL_SM | FALSE | When TRUE, uses local SQLite database instead of KSM server |
| LOCAL_KSM_DEBUG | FALSE | Enables debug logging for local secrets manager |
| LOCAL_SM_DB_FILE | None | Path to specific SQLite database file for local secrets |
| LOCAL_SM_DIR | HOME or USERPROFILE | Directory where local SQLite database will be stored |
| LOCAL_KSM_FALLBACK_SM | FALSE | When TRUE, falls back to real KSM server if local DB fails |
| KSM_CONFIG | None | Path to KSM configuration file |

Discovery and DAG Configuration

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| USE_LOCAL_DAG | FALSE | When TRUE, uses local DAG/discovery database instead of remote |
| LOCAL_DAG_DIR | HOME or USERPROFILE | Directory for local DAG database storage |
| LOCAL_DAG_DEBUG | FALSE | Enables debug logging for local DAG |
| DAG_DEBUG_LEVEL | 0 | Debug verbosity level (0-5) for discovery DAG |
| DAG_RENDER | None | When TRUE, renders discovery graph visualizations |
| DUMP_DISCOVERY_JSON | FALSE | When TRUE, exports discovery results to JSON file |
| RULE_DEBUG | FALSE | Enables debug logging for rule engine evaluations |

Gateway Configuration

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| GATEWAY_USER | Gateway.GATEWAY_USER constant | User for gateway connections (falls back to USER/USERNAME) |
| KEEPER_GATEWAY_SAAS_PLUGIN_DIR | provider.saas_plugins_dir | Directory for custom SaaS plugins |
| KEEPER_GATEWAY_SERVICE_LOG_FINER_LEVEL | 0 | Increase the amount of debug information shown when mapping users to services. Increasing the number shows more information. Current max is 3. |

Keeper DAG Module Variables

Debug & Development

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| GS_DEBUG_LEVEL | 0 | Increase debug level; higher numbers produce more debug output |
| GS_IS_DEV | False | Development mode flag. When True, shows vertex names when adding edges |
| GS_CONN_DEBUG | False | Enable GraphSync connection-level debug logging |

Router & Server Connection

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| ROUTER_HOST | Configured hostname from config | Override the FQDN of the krouter |
| KROUTER_URL | Derived from ROUTER_HOST | Full URL to the krouter; overrides ROUTER_HOST when set |
| USE_SSL | TRUE | Determine if connection to krouter should use SSL/TLS |

Local Database Connection

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| LOCAL_DAG_DB_FILE | 'local_dag.db' | Database filename for local DAG connections |

Transaction & Logging

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| GS_LOG_TRANS | False | Enable transaction logging for web service calls |
| GS_LOG_TRANS_DIR | "." (current directory) | Directory path where transaction log files will be created |

Discovery Common Module Variables

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| PROCESS_GS_DEBUG_LEVEL | None | Controls debug logging level for process graph service |
| USE_KSM | FALSE | When TRUE, uses KSM connection instead of local connection |
| GRAPH_DIR | HOME, then PROFILENAME, then "." | Directory where graph visualization files are rendered |

Service-Specific Environment Variables

Windows Service

| Variable | Purpose |
| --- | --- |
| ProgramData | Used to determine various Windows service paths |
| SystemRoot | Used for Windows system paths |
| COMPUTERNAME | Used for Windows hostname |

Legacy Timeout Variables (Deprecated - Use KEEPER_GATEWAY_ Prefix Instead)

| Environment Variable | Default Value | Purpose |
| --- | --- | --- |
| SET_LOCAL_DESCRIPTION | 15s | (Deprecated) Use KEEPER_GATEWAY_SET_LOCAL_DESCRIPTION_TIMEOUT |
| OPEN_CONNECTION_TIMEOUT_SEC | 30s | (Deprecated) Use KEEPER_GATEWAY_OPEN_CONNECTION_TIMEOUT |
| CREATE_ANSWER_TIMEOUT_SEC | 30s | (Deprecated) Use KEEPER_GATEWAY_CREATE_ANSWER_TIMEOUT |
| READ_TIMEOUT_SEC | 5s | (Deprecated) Use KEEPER_GATEWAY_READ_TIMEOUT |
| NON_PARED_READ_TIMEOUT_SEC | 5s | (Deprecated) Use KEEPER_GATEWAY_NON_PARED_READ_TIMEOUT |
| CLOSE_CONNECTION_TIMEOUT_SEC | 5s | (Deprecated) Use KEEPER_GATEWAY_CLOSE_CONNECTION_TIMEOUT |
| TEST_CONNECTION_TIMEOUT_SEC | 5s | (Deprecated) Use KEEPER_GATEWAY_TEST_CONNECTION_TIMEOUT |
| ACCEPT_OFFER_TIMEOUT_SEC | calculated | (Deprecated) Use KEEPER_GATEWAY_ACCEPT_OFFER_TIMEOUT |
| RECORDINGS_PATH_TIMEOUT_SEC | 20s | (Deprecated) Use KEEPER_GATEWAY_RECORDINGS_PATH_TIMEOUT |
