Skip to content

Configuration

The Fides application configuration variables are provided in a fides.toml file. Fides will use the first config file it reads from the following locations, in order:

  1. At the path specified using the config file argument passed through the CLI
  2. At the path specified by the FIDES__CONFIG_PATH environment variable
  3. In the current working directory
  4. In the parent working directory
  5. Two directories up from the current working directory
  6. The parent directory followed by /.fides
  7. The user's home (~) directory

Fides can also run exclusively via environment variables. These can be used in tandem with a toml configuration file, with the environment variables overriding the toml configuration values.

Viewing your configuration

You can view the current configuration of your application via either the CLI or API

CLI

To view your application configuration via the CLI, run:

fides view config

The output will look something like this:

fides> fides view config 
Loading config from: .fides/fides.toml
Directory './.fides' already exists.
Configuration file already exists: ./.fides/fides.toml
To learn more about configuring fides, see:
        https://ethyca.github.io/fides/installation/configuration/
----------
test_mode = false
is_test_mode = false
hot_reloading = false
dev_mode = false

[admin_ui]
enabled = true

[cli]
local_mode = false
analytics_id = "internal"
server_protocol = "http"
server_host = "localhost"
...

The output after the initial separator (----------) is valid TOML, and can be copy/pasted for reuse as a functioning config file.

API

To view your application configuration in the API, run:

GET /api/v1/config

Configuration file

After initializing Fides, a default configuration file will be generated and placed within the .fides directory:

[database]
server = "fides-db"
user = "postgres"
password = "fides"
port = "5432"
db = "fides"

[logging]
level = "INFO"

[cli]
server_host = "localhost"
server_port = 8080
analytics_id = ""

[user]
analytics_opt_out = false

[redis]
host = "redis"
password = "testpassword"
port = 6379
charset = "utf8"
default_ttl_seconds = 604800
db_index = 0
enabled = true
ssl = false
ssl_cert_reqs = "required"

[security]
app_encryption_key = ""
cors_origins = [ "http://localhost", "http://localhost:8080", "http://localhost:3000", "http://localhost:3001",]
encoding = "UTF-8"
oauth_root_client_id = "adminid"
oauth_root_client_secret = "adminsecret"
drp_jwt_secret = "secret"
root_username = "root_user"
root_password = "Testpassword1!"

[execution]
masking_strict = true
require_manual_request_approval = false
task_retry_backoff = 1
subject_identity_verification_required = false
task_retry_count = 0
task_retry_delay = 1

[admin_ui]
enabled = true

Configuration variable reference

The fides.toml file should specify the following variables:

Postgres database

NameTypeDefaultDescription
userStringpostgresThe database user with which to login to the application database.
passwordStringfidesThe password with which to login to the application database.
serverStringfides-dbThe hostname of the Postgres database server.
portString5432The port at which the Postgres database will be accessible.
dbStringfidesThe name of the Postgres database.
test_dbString""Used instead of the db config when the FIDES_TEST_MODE environment variable is set to True, to avoid overwriting production data.

Redis cache

NameTypeDefaultDescription
hoststringN/AThe network address for the application Redis cache.
portint6379The port at which the application cache will be accessible.
userstringN/AThe user with which to login to the Redis cache.
passwordstringN/AThe password with which to login to the Redis cache.
db_indexintN/AThe application will use this index in the Redis cache to cache data.
connection_urlstringN/AA full connection URL to the Redis cache. If not specified, this URL is automatically assembled from the host, port, password and db_index specified above.
default_ttl_secondsint604800The number of seconds for which data will live in Redis before automatically expiring.
enabledboolTrueWhether the application's Redis cache should be enabled. Only set to false for certain narrow uses of the application.

Logging

NameTypeDefaultDescription
destinationString""The output location for log files. Accepts any valid file path. If left unset, log entries are printed to stdout and log files are not produced.
levelEnum (String)INFOThe minimum log entry level to produce. Also accepts TRACE, DEBUG, WARNING, ERROR, or CRITICAL (case insensitive).
serializationEnum (String)""The format with which to produce log entries. If left unset, produces log entries formatted using the internal custom formatter. Also accepts "JSON" (case insensitive).
log_piiBooleanFalseIf True, PII values will display unmasked in log output. This variable should always be set to "False" in production systems.

CLI

NameTypeDefaultDescription
local_modeBooleanFalseWhen set to True, forbids the Fides CLI from making calls to the Fides webserver.
server_hostStringlocalhostThe hostname of the Fides webserver.
server_protocolStringhttpThe protocol used by the Fides webserver.
server_portIntegerThe optional port of the Fides webserver.
analytics_idString""A fully anonymized unique identifier that is automatically generated by the application and stored in the toml file.

Security

NameTypeDefaultDescription
app_encryption_keystringN/AThe key used to sign Fides API access tokens.
cors_originsList[AnyHttpUrl]N/AA list of pre-approved addresses of clients allowed to communicate with the Fides application server.
oauth_root_client_idstringN/AThe value used to identify the Fides application root API client.
oauth_root_client_secretstringN/AThe secret value used to authenticate the Fides application root API client.
oauth_access_token_expire_minutesint11520The time for which Fides API tokens will be valid.
root_usernamestringNoneIf set, this can be used in conjunction with root_password to log in without first creating a user in the database.
root_passwordstringNoneIf set, this can be used in conjunction with root_username to log in without first creating a user in the database.
root_user_scopeslist of stringsAll available scopesThe scopes granted to the root user when logging in with root_username and root_password.
subject_request_download_link_ttl_secondsint432000The number of seconds that a pre-signed download URL when using S3 storage will be valid.
request_rate_limitstr100/minuteThe number of requests from a single IP address allowed to hit an endpoint within a rolling 60 second period.
rate_limit_prefixstrfides-The prefix given to keys in the Redis cache used by the rate limiter.
identity_verification_attempt_limitint3The number of identity verification attempts to allow.

Execution

NameTypeDefaultDescription
privacy_request_delay_timeoutint3600The amount of time to wait for actions which delay privacy requests (e.g., pre- and post-processing webhooks).
task_retry_countint0The number of times a failed request will be retried.
task_retry_delayint1The delays between retries in seconds.
task_retry_backoffint1The backoff factor for retries, to space out repeated retries.
subject_identity_verification_requiredboolFalseWhether privacy requests require user identity verification.
require_manual_request_approvalboolFalseWhether privacy requests require explicit approval to execute.
masking_strictboolTrueIf set to True, only use UPDATE requests to mask data. If False, Fides will use any defined DELETE or GDPR DELETE endpoints to remove PII, which may extend beyond the specific data categories that configured in your execution policy.
celery_config_pathstringN/AAn optional override for the Celery configuration file path.

User

NameTypeDefaultDescription
encryption_keyString""An arbitrary string used to encrypt the user data stored in the database. Encryption is implemented using PGP.
analytics_opt_outBoolean""When set to true, prevents sending anonymous analytics data to Ethyca.

Credentials

The credentials section uses custom keys which can be referenced in certain commands.

NameTypeDescription
my_postgres.connection_stringStringSets the connection_string for my_postgres database credentials.
my_aws.aws_access_key_idStringSets the aws_access_key_id for my_aws credentials.
my_aws.aws_secret_access_keyStringSets the aws_secret_access_key for my_aws credentials.
my_aws.region_nameStringSets the region_name for my_aws credentials.
my_okta.orgUrlStringSets the orgUrl for my_okta credentials.
my_okta.tokenStringSets the token for my_okta credentials.

Admin UI

NameTypeDefaultDescription
enabledboolTrueToggle whether the Admin UI is served from /.

Notifications

NameTypeDefaultDescription
send_request_completion_notificationboolFalseWhen set to True, enables subject notifications upon privacy request completion.
send_request_receipt_notificationboolFalseWhen set to True, enables subject notifications upon privacy request receipt.
send_request_review_notificationboolFalseWhen set to True, enables subject notifications upon privacy request review.
notification_service_typeStringN/ASets the notification service type used to send notifications. Accepts mailgun, twilio_sms, or twilio_email.

Set environment variables

To configure environment variables for Fides, the following pattern is used:

FIDES__<SECTION>__<VAR_NAME>

For example, to set the server_url on a Linux machine:

export FIDES__CLI__SERVER_HOST="localhost"
export FIDES__CLI__SERVER_PORT="8080"
export FIDES__CLI__SERVER_PROTOCOL="http"

Additional environment variables

The following environment variables are not included in the default fides.toml configuration, but may be set in your environment:

ENV VariableDefaultDescription
FIDES__LOGGING__LOG_PIIFalseIf True, PII values will display unmasked in log output. This variable should always be set to "False" in production systems.
FIDES__HOT_RELOADFalseIf True, the Fides server will reload code changes without needing to restart the server. This variable should always be set to False in production systems.
FIDES__DEV_MODEFalseIf True, the Fides server will log error tracebacks, and log details of third party requests. This variable should always be set to False in production systems.
FIDES_CONFIG_PATHNoneIf this is set to a path, that path will be used to load .toml files first. Any .toml files on this path will override any installed .toml files.

Celery configuration

Fides uses Celery for asynchronous task management.

The celery.toml file provided contains a brief configuration reference for managing Celery variables. By default, Fides will look for this file in the root directory of your application, but this location can be optionally overridden by specifying an alternate celery_config_path in your fides.toml.

For a full list of possible variable overrides, see the Celery configuration documentation.

default_queue_name = "fides"
broker_url = "redis://:testpassword@redis:6379/1"
result_backend = "redis://:testpassword@redis:6379/1"
Celery VariableExampleDescription
default_queue_namefidesA name to use for your Celery task queue.
broker_urlredis://:testpassword@redis:6379/1The datastore to use as a Celery broker, which maintains an ordered list of asynchronous tasks to execute. If not specified, Fides will default to the connection_url or Redis config values specified in your fides.toml.
result_backendredis://:testpassword@redis:6379/1The backend datastore where Celery will store results from asynchronously processed tasks. If not specified, Fides will default to the connection_url or Redis config values specified in your fides.toml.