Token Configuration

Overview

Anchore uses OAuth2 bearer tokens for all authenticated communication. All Anchore services must be configured with a common secret or public/private keypair for signing and verifying tokens.

Configuration

Set one of the following options in config.yaml for every component of the deployment:

Option 1: Use a shared secret for signing/verifying tokens

keys:
  secret: mysecretvalue

Option 2: Use a public/private key pair, delivered as PEM files on the filesystem of the containers Anchore runs in:

keys:
  private_key_path: <path to private key pem file>
  public_key_path: <path to public key pem file>

Environment Variables

Environment variables can also be used with the config.yaml bundled into the Anchore-provided anchore/enterprise image. NOTE: These variables are only valid with the config.yaml provided in the image, because that file references them explicitly as replacement values.

ANCHORE_AUTH_SECRET = the string to use as a secret
ANCHORE_AUTH_PUBKEY = path to public key file
ANCHORE_AUTH_PRIVKEY = path to the private key file

Token Expiration

ANCHORE_OAUTH_TOKEN_EXPIRATION = the number of seconds a token should be valid (default is 3600 seconds)
ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION = the number of seconds a refresh token is valid (default is 86400 seconds)
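
The following pre-deployment check is an added example, not part of Anchore's documentation or tooling. It audits the environment variables listed above; the function name audit_token_env, the 32-character minimum secret length, the owner-only permission policy on the private key, and the refresh-versus-access lifetime comparison are assumptions chosen for illustration.

```python
import os
import stat

PLACEHOLDER = "mysecretvalue"  # sample value shown in the docs; never deploy it
MIN_SECRET_LEN = 32            # assumed local policy, not an Anchore requirement


def audit_token_env(env):
    """Return a list of findings for the token settings in env (a dict of strings)."""
    findings = []
    secret = env.get("ANCHORE_AUTH_SECRET", "")
    pub = env.get("ANCHORE_AUTH_PUBKEY", "")
    priv = env.get("ANCHORE_AUTH_PRIVKEY", "")
    if not secret and not (pub or priv):
        findings.append("no signing material: set a secret or a key pair")
    if secret == PLACEHOLDER:
        findings.append("secret is the documentation placeholder")
    elif secret and len(secret) < MIN_SECRET_LEN:
        findings.append(f"secret shorter than {MIN_SECRET_LEN} characters")
    if bool(pub) != bool(priv):
        findings.append("key pair incomplete: set both PUBKEY and PRIVKEY")
    for name, path in (("public", pub), ("private", priv)):
        if not path:
            continue
        if not os.path.isfile(path):
            findings.append(f"{name} key file not found: {path}")
            continue
        with open(path, "rb") as fh:
            if not fh.read(64).lstrip().startswith(b"-----BEGIN "):
                findings.append(f"{name} key file is not PEM: {path}")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name == "private" and mode & 0o077:  # assumed policy: owner-only access
            findings.append(f"private key readable by group/other ({oct(mode)})")
    # Defaults from the docs: 3600 s for tokens, 86400 s for refresh tokens.
    ttl = {}
    for var, default in (("ANCHORE_OAUTH_TOKEN_EXPIRATION", 3600),
                         ("ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION", 86400)):
        raw = env.get(var, str(default))
        if raw.isdigit() and int(raw) > 0:
            ttl[var] = int(raw)
        else:
            findings.append(f"{var} must be a positive integer, got {raw!r}")
    access = ttl.get("ANCHORE_OAUTH_TOKEN_EXPIRATION")
    refresh = ttl.get("ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION")
    if access and refresh and refresh < access:
        findings.append("refresh token expires before the access token")
    return findings
```

Call audit_token_env(dict(os.environ)) in each service's container before startup; an empty list means no findings under these assumed policies.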