Environment variables

The broker reads all runtime configuration from environment variables. When deployed via the first-party Terraform module, these are set from the module's input variables; when running the binary directly (for testing), you set them yourself.

| Variable | Required | Default | Notes |
|---|---|---|---|
| AWS_REGION | Yes | | Provided by the Lambda runtime. Required for SDK initialization. |
| GITHUB_TOKEN_BROKER_REPOSITORY_OWNER | Yes | | GitHub owner the minted token is scoped to. Trimmed. |
| GITHUB_TOKEN_BROKER_REPOSITORY_NAME | Yes | | GitHub repository name the minted token is scoped to. Trimmed. |
| GITHUB_TOKEN_BROKER_CLIENT_ID_PARAM | No | /github-token-broker/app/client-id | SSM parameter path for the GitHub App client ID. Must be absolute (start with /). |
| GITHUB_TOKEN_BROKER_INSTALLATION_ID_PARAM | No | /github-token-broker/app/installation-id | SSM parameter path for the installation ID. Must be absolute. |
| GITHUB_TOKEN_BROKER_PRIVATE_KEY_PARAM | No | /github-token-broker/app/private-key-pem | SSM SecureString parameter path for the private key PEM. Must be absolute. |
| GITHUB_TOKEN_BROKER_PERMISSIONS | No | {"contents":"read"} | JSON object of string-to-string permission entries. Must parse to a non-empty object; keys and values must be non-empty. |
| GITHUB_TOKEN_BROKER_GITHUB_API_BASE_URL | No | https://api.github.com | GitHub API base URL. Override for GitHub Enterprise Server. |
| GITHUB_TOKEN_BROKER_LOG_LEVEL | No | info | One of debug, info, warn, error. Passed to slog. |

Notes

  • AWS_REGION is reserved by the Lambda runtime and injected automatically. Do not set it in Terraform; the broker's configuration loader reads it from the process environment like any other variable.
  • SSM parameter paths are validated at startup. A non-absolute path causes the process to exit before taking traffic.
  • The private-key parameter must be SecureString so SSM returns it encrypted and the broker decrypts it in-flight.
  • An empty or missing GITHUB_TOKEN_BROKER_PERMISSIONS falls back to {"contents":"read"}.
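
The startup checks described above, sketched as an added example (not the broker's own code): it rejects non-absolute SSM paths and validates the permission set, falling back to the documented default. The function name LoadPermissions, the getenv-style parameter and the treatment of an empty SSM path as unset are assumptions of this example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

const prefix = "GITHUB_TOKEN_BROKER_"
var ssmDefaults = map[string]string{ // documented default SSM parameter paths
	"CLIENT_ID_PARAM":       "/github-token-broker/app/client-id",
	"INSTALLATION_ID_PARAM": "/github-token-broker/app/installation-id",
	"PRIVATE_KEY_PARAM":     "/github-token-broker/app/private-key-pem",
}

// LoadPermissions (hypothetical name) checks the SSM paths, then returns the permission set.
func LoadPermissions(getenv func(string) string) (map[string]string, error) {
	for name, def := range ssmDefaults {
		path := getenv(prefix + name)
		if path == "" { // assumption: an empty value is treated as unset
			path = def
		}
		if !strings.HasPrefix(path, "/") {
			return nil, fmt.Errorf("%s%s=%q is not an absolute SSM path", prefix, name, path)
		}
	}
	raw := getenv(prefix + "PERMISSIONS")
	if raw == "" {
		raw = `{"contents":"read"}` // documented fallback for empty or missing
	}
	var perms map[string]string // non-string values fail to unmarshal
	if err := json.Unmarshal([]byte(raw), &perms); err != nil {
		return nil, fmt.Errorf("%sPERMISSIONS: %w", prefix, err)
	}
	valid := len(perms) > 0 // "null" and "{}" both leave the map empty
	for k, v := range perms {
		valid = valid && k != "" && v != ""
	}
	if !valid {
		return nil, fmt.Errorf("%sPERMISSIONS needs a non-empty object with non-empty keys and values", prefix)
	}
	return perms, nil
}

func main() {
	if _, err := LoadPermissions(os.Getenv); err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1) // exit before taking traffic
	}
}
```

Decoding into a string-to-string map means a value such as a number or nested object is rejected at startup instead of being forwarded in a token request.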

See also