Skip to content

Config TOML reference

The Common Fate CLI uses a local TOML file for configuration. By default, the CLI looks in ~/.cf/config for this file.

This can be overridden by specifying the following environment variables:

Environment variableDefaultDescription
CF_CONFIG_PATH~/.cf/configThe path to look for the TOML config file.
CF_CONFIG_SOURCESenv,fileThe config sources to use in order of precendence. env is environment variables, file is the config file.

Config file format

An example TOML config file is shown below:

current_context = "default"
[context]
[context.default]
api_url = "https://commonfate.example.com"
oidc_issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_012345abcdef"
oidc_client_id = "3128763128763asvbadkjasd"

A context may contain the following keys specified below. Each configuration value may be overridden by an environment variable. By default, environment variables take precendence over config file values.

KeyEnvironment variableRequiredDescription
api_urlCF_API_URLYesThe API URL to connect to
access_urlCF_ACCESS_URLNoThe Access URL to connect to (serves APIs for requesting and approving access). Defaults to the API URL if not provided and is used for development. In regular deployments this should not be overridden.
authz_urlCF_AUTHZ_URLNoThe Authz URL to connect to (serves APIs for reading resources and authorizing actions). Defaults to the API URL if not provided and is used for development. In regular deployments this should not be overridden.
oidc_issuerCF_OIDC_ISSUERYesThe OIDC issuer for authenticating with Common Fate.
oidc_client_idCF_OIDC_CLIENT_IDYesThe OIDC client ID for authenticating with Common Fate.
oidc_client_secretCF_OIDC_CLIENT_SECRETNoThe OIDC client secret for authenticating with Common Fate. If specified, the CLI will use machine-to-machine authentication to obtain an OIDC access token.

Config file contexts

If you have multiple Common Fate deployments, you can add additional context keys to your config file. The current_context key must point to the current context you wish to use.

current_context = "staging"
[context]
[context.production]
api_url = "https://commonfate.example.com"
oidc_issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_012345abcdef"
oidc_client_id = "3128763128763asvbadkjasd"
[context.staging]
api_url = "https://staging.commonfate.example.com"
oidc_issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_23456xyz"
oidc_client_id = "5555666677778888XYZABC"

Using machine-to-machine authentication

It is possible to run the Common Fate CLI in non-interactive environments by specifying the oidc_client_secret configuration variable, or setting the CF_OIDC_CLIENT_SECRET environment variable.

Here is an example:

current_context = "default"
[context]
[context.default]
api_url = "https://commonfate.example.com"
oidc_issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_012345abcdef"
oidc_client_id = "3128763128763asvbadkjasd"
oidc_client_secret = "XXXXYYYYYYZZZZZZ"