Skip to main content

NudgeBee Configurations

This document provides a comprehensive reference for the various secrets and environment variables used by the NudgeBee application. These configurations can be set on Helm > nudgebee_secrets section.

Important Security Note: This document outlines the purpose of the secrets and environment variables. It does NOT contain the actual secret values. The values are stored securely using encryption and managed separately.

Table of Contents

License

Configuration related to license. this is required for nudgebee installation on on-prem cluster.

  • NUDGEBEE_LICENSE: NudgeBee license key.

General Configuration

  • BASE_URL: The base URL for the NudgeBee application, default http://localhost:3000
  • JWT_PUBLIC_KEY: Public key for JWT Auth Tokens. This is optional as nudgebee Helm charts include default value
  • JWT_PRIVATE_KEY: Private key for JWT Auth Tokens. This is optional as nudgebee Helm charts include default value
  • NUDGEBEE_ENCRYPTION_KEY: Key to encrypt credentials on DB. This is optional as nudgebee Helm charts include default value
  • NEXTAUTH_SECRET: Encryption key used for encoding cookies. Auto Generated by NudgeBee

Authentication

These secrets and environment variables are used for user authentication and integrating with identity providers. Please refer Authentication Integrations for more details

Google

  • GOOGLE_CLIENT_ID: The Client ID for the Google OAuth application used for authentication.
  • GOOGLE_CLIENT_SECRET: The Client Secret for the Google OAuth application.

Auth0

  • AUTH0_CLIENT_ID: The Client ID for the Auth0 application used for authentication.
  • AUTH0_CLIENT_SECRET: The Client Secret for the Auth0 application.
  • AUTH0_ISSUER: The issuer URL for the Auth0 domain.

Teleport

  • TELEPORT_ENABLED: Set to true to enable this provider.
  • TELEPORT_ATTRIBUTE_USERNAME: Teleport JWT attribute name for username field, defaults to sub
  • TELEPORT_ATTRIBUTE_NAME: Teleport attribute/trait name for displayname field, defaults to sub
  • TELEPORT_ATTRIBUTE_GROUPS: Teleport attribute/trait name for nudgebee-groups field, defaults to empty. Note that these groups needs to be available on nudgebee
  • TELEPORT_SSO_ENABLED: if enabled, nudgebee wont show signin screen, will try to login directly based on teelport headers

Azure AD

  • AZURE_AD_CLIENT_ID: The Client ID for the Azure Active Directory (AD) application.
  • AZURE_AD_CLIENT_SECRET: The Client Secret for the Azure AD application.
  • AZURE_AD_TENANT_ID: The Tenant ID for the Azure AD instance.

Okta

  • OKTA_CLIENT_ID: The Client ID for the Okta application.
  • OKTA_CLIENT_SECRET: The Client Secret for the Okta application.
  • OKTA_ISSUER: The issuer URL for the Okta organization.

Ldap

  • NEXTAUTH_LDAP_URI: ldap URI.
  • NEXTAUTH_LDAP_LOGIN_FILTER: Login filter for ldap.
  • NEXTAUTH_LDAP_SEARCH_FILTER: Search filter for ldap.
  • NEXTAUTH_LDAP_SEARCH_DN: Search DN for ldap.
  • NEXTAUTH_LDAP_BIND_DN: Bind DN for ldap.
  • NEXTAUTH_LDAP_BIND_PASSWORD: Bind password for ldap.
  • NEXTAUTH_LDAP_ATTRIBUTE_EMAIL: Attribute for email.
  • NEXTAUTH_LDAP_ATTRIBUTE_GROUP: Attribute for group.
  • NEXTAUTH_LDAP_ATTRIBUTE_NAME: Attribute for name.
  • NEXTAUTH_LDAP_ATTRIBUTE_FIRSTNAME: Attribute for first name.
  • NEXTAUTH_LDAP_ATTRIBUTE_LASTNAME: Attribute for last name.
  • NEXTAUTH_LDAP_GROUP_MAPPING: Group mapping for ldap.
  • NEXTAUTH_LDAP_SEARCH_USER_PATTERN: Search user pattern.
  • NEXTAUTH_MAGICLINK_CREDS_ENABLED: Enable/Disable magic-links based auth (default true)
  • EMAIL_SERVER_HOST: The hostname of the email server used for sending emails (e.g., for magic links).
  • EMAIL_SERVER_PORT: The port number of the email server.
  • EMAIL_SERVER_USER: The username used to authenticate with the email server.
  • EMAIL_SERVER_PASSWORD: The password used to authenticate with the email server.
  • EMAIL_FROM: Email address which will be used to send email to user.

Dummy Creds

  • NEXTAUTH_DUMMY_CREDS_ENABLED: Enable disable dummy creds which are generated during deployment (default true)

Database

These secrets and environment variables are used for connecting to postgres database.

  • APP_DATABASE_URL: Url for Postgres Database. If not provided then defaults to postgresql://postgres:xxx@postgresql:5432/postgres?sslmode=disable

Messaging Queue

configs to connect with RabbitMQ

  • RABBIT_MQ_HOST: The host of Rabbit MQ.
  • RABBIT_MQ_PORT: The port of Rabbit MQ.
  • RABBIT_MQ_USERNAME: username for rabbit MQ.
  • RABBIT_MQ_PASSWORD: The password of Rabbit MQ.

Large Language Models

These secrets and environment variables are used for configuring and interacting with Large Language Models. Please refer LLM Integrations for more details and configs

  • LLM_PROVIDER: LLM provider for the app (bedrock, sagemaker, huggingface, etc)
  • Provider specific configs can be found on LLM Integrations docs.

Integrations

These secrets and environment variables are used for integrating with third-party services. Please refer Integrations for more details

Slack App

Required for deploying own-app on slack and using that for NudgeBee integration

  • SLACK_CLIENT_SECRET: The Client Secret for the Slack application integration.
  • SLACK_SIGNING_SECRET: The Signing Secret for the Slack application.
  • SLACK_CLIENT_ID: The Client ID for the slack app.

MS Teams App

Required for integrating with MSteams

  • MS_TEAMS_CLIENT_ID: Client ID for Microsoft teams Auth.
  • MS_TEAMS_CLIENT_SECRET: Client secret for Microsoft teams Auth.

GChat App

Required for integrating with Chat

  • GOOGLE_CLIENT_ID: Google clientId
  • **GOOGLE_CLIENT_SECRET: Google Client Secret

Email

Required for sending emails like daily report

  • EMAIL_SERVER_HOST: The hostname of the email server used for sending emails (e.g., for magic links).
  • EMAIL_SERVER_PORT: The port number of the email server.
  • EMAIL_SERVER_USER: The username used to authenticate with the email server.
  • EMAIL_SERVER_PASSWORD: The password used to authenticate with the email server.
  • EMAIL_FROM: Email address which will be used to send email to user.

Cache Configuration

Optional configuration related to cache. Currently only redis/in-memory cache is supported. if value is not provided then system assumes in-memory cache.

  • CACHE_PROVIDER: Cache provider.
  • REDIS_SERVER_HOST: Redis server host.
  • REDIS_SERVER_PORT: Redis server port.
  • REDIS_USER_NAME: Redis user name.
  • REDIS_USER_PASSWORD: Redis user password.

Observability

These are optional configurations for NudgeBee for observability

  • OTEL_EXPORTER: Name of the exporter (none, console, otlp), default is none
  • OTEL_EXPORTER_OTLP_ENDPOINT: Endpoint for OTLP.

ML Configuration

These are optional configurations for nudgebee ML-Server to manage/store models

  • ML_MODEL_STORE_PROVIDER: Provider for model store. Currentlly only s3/file supported. default is file
  • ML_MODEL_STORE_BUCKET: Bucket name where ML model will be stored. if s3 is enabled

Cloud Integration

Optional configuration for connecting AWS cloud accounts and enabling AWS Organization onboarding. For infrastructure setup instructions, see AWS Infrastructure Setup.

AWS Account Integration

  • NUDGEBEE_INSTANCE_ROLE: IAM role ARN in the NudgeBee AWS account. Used to assume cross-account roles in customer accounts. Required for AWS integration.
  • AWS_TEMPLATE_URL: CloudFormation template URL used during single AWS account onboarding. Defaults to Nudgebee-hosted template.

AWS Organization Onboarding

These configs enable automatic registration of AWS Organization member accounts via CloudFormation StackSets and SNS/SQS messaging.

  • AWS_ORG_TEMPLATE_URL: CloudFormation StackSet template URL deployed to organization member accounts.
  • AWS_ORG_SNS_TOPIC_ARN: ARN of the SNS topic that receives CloudFormation Custom Resource callbacks from member accounts.
  • CLOUD_COLLECTOR_ORG_REGISTRATION_SQS: SQS queue URL polled by the cloud-collector service for organization registration events. The SNS topic forwards messages to this queue.

AWS EventBridge Events

  • CLOUD_COLLECTOR_AWS_EVENTBRIDGE_SQS: SQS queue URL for ingesting real-time AWS resource events via EventBridge (e.g., CloudTrail, CloudWatch Alarms).

AWS Auth

If App is deployed Outside EKS and want to access AWS specific services, then add following configs for accessing AWS Services

  • AWS_ACCESS_KEY_ID: Aws access key.
  • AWS_SECRET_ACCESS_KEY: Aws secret access key.
  • AWS_DEFAULT_REGION: Default aws region.