Web Variables

CONCOURSE_ADD_LOCAL_USER - List of username:password combinations for all your local users. The password can be bcrypted. Bcrypted password must have a strength of 10 or higher or the user will not be able to login.
Example: {'some-user': '$2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu', 'some-other-user': '$2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC', 'some-plaintext-user': 'a-plaintext-password'}

CONCOURSE_API_MAX_CONNS - The maximum number of open connections for the api connection pool.

CONCOURSE_AUTH_DURATION - Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).
Default: 24h

CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY - AWS Access key ID used as credentials for accessing SecretsManager.

CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE - AWS SecretsManager secret name template used to resolve pipeline specific secrets.
Default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

CONCOURSE_AWS_SECRETSMANAGER_REGION - AWS region to use for fetching entries from SecretsManager.

CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY - AWS Secret Access Key used as credentials for accessing SecretsManager.

CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN - AWS Session Token used as credentials for accessing SecretsManager.

CONCOURSE_AWS_SECRETSMANAGER_SHARED_SECRET_TEMPLATE - AWS SecretsManager secret name template used to resolve shared secrets.
Default: /concourse/{{.Secret}}

CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE - AWS SecretsManager secret name template used to resolve team specific secrets.
Default: /concourse/{{.Team}}/{{.Secret}}

CONCOURSE_AWS_SSM_ACCESS_KEY - AWS Access key ID used as credentials for accessing SSM parameters.

CONCOURSE_AWS_SSM_PIPELINE_SECRET_TEMPLATE - AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.
Default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

CONCOURSE_AWS_SSM_REGION - AWS region to use for fetching SSM parameters.

CONCOURSE_AWS_SSM_SECRET_KEY - AWS Secret Access Key used as credentials for accessing SSM parameters.

CONCOURSE_AWS_SSM_SESSION_TOKEN - AWS Session Token used as credentials for accessing SSM parameters.

CONCOURSE_AWS_SSM_TEAM_SECRET_TEMPLATE - AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names. names.
Default: /concourse/{{.Team}}/{{.Secret}}

CONCOURSE_BACKEND_MAX_CONNS - The maximum number of open connections for the backend connection pool.

CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT - How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).
Default: 1m

CONCOURSE_BIND_IP - IP address on which the ATC should listen for HTTP traffic.
Default: 0.0.0.0

CONCOURSE_BIND_PORT - Port on which the ATC should listen for HTTP traffic.
Default: 8080

CONCOURSE_BITBUCKET_CLOUD_CLIENT_ID - BitBucket Cloud client ID.

CONCOURSE_BITBUCKET_CLOUD_CLIENT_SECRET - BitBucket Cloud client secret.

CONCOURSE_BUILD_TRACKER_INTERVAL - The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.
Default: 10s

CONCOURSE_CAPTURE_ERROR_METRICS - Enable capturing of error log metrics.

CONCOURSE_CF_API_URL - Cloud Foundry api endpoint url.

CONCOURSE_CF_CLIENT_ID - UAA client ID to use for OAuth.

CONCOURSE_CF_CLIENT_SECRET - UAA client secret to use for OAuth.

CONCOURSE_CF_SKIP_SSL_VALIDATION - Skip SSL validation.

CONCOURSE_CLIENT_ID - The concourse client_id to use when logging into the web interface

CONCOURSE_CLIENT_SECRET - The concourse client_secret to use when logging into the web interface

CONCOURSE_CLUSTER_NAME - A name for this Concourse cluster, to be displayed on the dashboard page.

CONCOURSE_COMPONENT_RUNNER_INTERVAL - Interval on which runners are kicked off for builds, locks, scans, and checks

CONCOURSE_CONCURRENT_REQUEST_LIMIT - Limit the number of concurrent requests to an API endpoint.
Example: {'ListAllJobs': 5}

CONCOURSE_CONJUR_ACCOUNT - Conjur account name.

CONCOURSE_CONJUR_APPLIANCE_URL - URL of the Conjur instance.

CONCOURSE_CONJUR_AUTHN_API_KEY - API key related to the host.

CONCOURSE_CONJUR_AUTHN_LOGIN - Host username. Example: host/concourse

CONCOURSE_CONJUR_AUTHN_TOKEN_FILE - Path to token file used if Conjur instance is running in Kubernetes or IAM.

CONCOURSE_CONJUR_PIPELINE_SECRET_TEMPLATE - Conjur secret identifier template used for pipeline specific parameter.

CONCOURSE_CONJUR_SECRET_TEMPLATE - Conjur secret identifier template used for full path conjur secrets

CONCOURSE_CONJUR_TEAM_SECRET_TEMPLATE - Conjur secret identifier template used for team specific parameter.

CONCOURSE_CONTAINER_PLACEMENT_STRATEGY - Chained strategies by which a worker is selected during container placement. Supported options are "volume-locality", "fewest-build-containers", "limit-active-tasks", "limit-active-containers", and "limit-active-volumes".
Example: ['limit-active-tasks', 'volume-locality']

CONCOURSE_CONTAINER_PLACEMENT_STRATEGY - Chained strategies by which a worker is selected during container placement. Supported options are "volume-locality", "fewest-build-containers", "limit-active-tasks", "limit-active-containers", and "limit-active-volumes".
Example: ['limit-active-tasks', 'volume-locality']

CONCOURSE_CONTENT_SECURITY_POLICY - The value to set for Content-Security-Policy header.
Example: no-store, private

CONCOURSE_COOKIE_SECURE - Set secure flag on auth cookies.

CONCOURSE_CREDHUB_CLIENT_ID - Client ID for CredHub authorization.

CONCOURSE_CREDHUB_CLIENT_SECRET - Client secret for CredHub authorization.

CONCOURSE_CREDHUB_INSECURE_SKIP_VERIFY - Enable insecure SSL verification.

CONCOURSE_CREDHUB_PATH_PREFIX - Path under which to namespace team/pipeline credentials.
Default: /concourse

CONCOURSE_CREDHUB_URL - CredHub server address used to access secrets.
Example: https://credhub-server:9000

CONCOURSE_DATADOG_AGENT_HOST - If configured, detailed metrics will be emitted to the specified Datadog Agent's dogstatsd server.

CONCOURSE_DATADOG_AGENT_PORT - Port of the Datadog Agent's dogstatsd server to emit events to.
Default: 8125

CONCOURSE_DATADOG_AGENT_UDS_FILEPATH - Datadog agent unix domain socket (uds) filepath to expose dogstatsd metrics
Example: /tmp/datadog.socket

CONCOURSE_DATADOG_PREFIX - An optional prefix for emitted Datadog events.

CONCOURSE_DEBUG_BIND_IP - IP address on which to listen for the pprof debugger endpoints.
Default: 127.0.0.1

CONCOURSE_DEBUG_BIND_PORT - Port on which to listen for the pprof debugger endpoints.
Default: 8079

CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN - Default build logs to retain. 0 means unlimited.
Example: 100

CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN - Default build logs to retain. 0 means unlimited.
Example: 100

CONCOURSE_DEFAULT_DAYS_TO_RETAIN_BUILD_LOGS - Default days to retain build logs. 0 means unlimited.
Example: 100

CONCOURSE_DEFAULT_GET_TIMEOUT - Default timeout of get steps

CONCOURSE_DEFAULT_PUT_TIMEOUT - Default timeout of put steps

CONCOURSE_DEFAULT_TASK_CPU_LIMIT - Default limit for cpu shares used per task. This can be overridden by specifying a different limit in the task yaml.
Example: 256

CONCOURSE_DEFAULT_TASK_MEMORY_LIMIT - Default limit for memory used per task. This can be overridden by specifying a different limit in the task yaml.
Example: 200mb

CONCOURSE_DEFAULT_TASK_TIMEOUT - Default timeout of task steps

CONCOURSE_DISPLAY_USER_ID_PER_CONNECTOR - Define how to display user ID for each authentication connector. Format is <connector>:<fieldname>. Valid field names are user_id, name, username and email, where name maps to claims field username, and username maps to claims field preferred username

CONCOURSE_EMIT_TO_LOGS - Emit metrics to logs.

CONCOURSE_ENABLE_ACROSS_STEP - Enable the experimental across step to be used in jobs. The API is subject to change.

CONCOURSE_ENABLE_BUILD_AUDITING - Enable auditing of build API requests.

CONCOURSE_ENABLE_CACHE_STREAMED_VOLUMES - Enable caching of streamed resource volumes on the destination worker.

CONCOURSE_ENABLE_CONTAINER_AUDITING - Enable auditing of container API requests.

CONCOURSE_ENABLE_GLOBAL_RESOURCES - Enable equivalent resources across pipelines and teams to share a single version history.

CONCOURSE_ENABLE_JOB_AUDITING - Enable auditing of job API requests.

CONCOURSE_ENABLE_LETS_ENCRYPT - Automatically configure TLS certificates via Let's Encrypt/ACME.

CONCOURSE_ENABLE_P2P_VOLUME_STREAMING - Enable peer-to-peer volume streaming between workers.

CONCOURSE_ENABLE_PIPELINE_AUDITING - Enable auditing of pipeline API requests.

CONCOURSE_ENABLE_PIPELINE_INSTANCES - Enable the creation of instanced pipelines.

CONCOURSE_ENABLE_REDACT_SECRETS - Enable redacting secrets in build logs.

CONCOURSE_ENABLE_RERUN_WHEN_WORKER_DISAPPEARS - Enable rerunning of builds when worker disappears.

CONCOURSE_ENABLE_RESOURCE_AUDITING - Enable auditing of resource API requests.

CONCOURSE_ENABLE_RESOURCE_CAUSALITY - Enable web UI and API endpoint for resource causality

CONCOURSE_ENABLE_SYSTEM_AUDITING - Enable auditing of system API requests.

CONCOURSE_ENABLE_TEAM_AUDITING - Enable auditing of team API requests.

CONCOURSE_ENABLE_VOLUME_AUDITING - Enable auditing of volume API requests.

CONCOURSE_ENABLE_WORKER_AUDITING - Enable auditing of worker API requests.

CONCOURSE_ENCRYPTION_KEY - A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt sensitive iinformation in the database. If specified, all existing data will be encrypted on start and any new data will be encrypted.

CONCOURSE_EXTERNAL_URL - Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance. Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.
Example: https://ci.concourse-ci.org

CONCOURSE_GARDEN_REQUEST_TIMEOUT - How long to wait for requests to Garden to complete, in Go duration format (48h = 48 hours). 0 means no timeout.
Example: 5m

CONCOURSE_GC_CHECK_RECYCLE_PERIOD - Period after which finished checks will get garbage-collected.
Default: 6h

CONCOURSE_GC_FAILED_GRACE_PERIOD - Period after which failed builds will get garbage-collected.

CONCOURSE_GC_HIJACK_GRACE_PERIOD - Period after which hijacked containers will be garbage-collected.

CONCOURSE_GC_INTERVAL - The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.
Default: 30s

CONCOURSE_GC_INTERVAL - The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.
Default: 30s

CONCOURSE_GC_MISSING_GRACE_PERIOD - Period after which to reap containers and volumes that were created but went missing from the worker.

CONCOURSE_GC_ONE_OFF_GRACE_PERIOD - Period after which one-off build containers will be garbage-collected.

CONCOURSE_GC_VAR_SOURCE_RECYCLE_PERIOD - Period after which unused var_sources will get garbage-collected.
Example: 5m

CONCOURSE_GITHUB_CLIENT_ID - GitHub client ID to use for OAuth. The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

CONCOURSE_GITHUB_CLIENT_SECRET - GitHub client secret to use for OAuth. The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

CONCOURSE_GITHUB_HOST - Override default hostname for Github Enterprise. (No scheme, No trailing slash)
Example: github.example.com

CONCOURSE_GITLAB_CLIENT_ID - GitLab client ID to use for OAuth.

CONCOURSE_GITLAB_CLIENT_SECRET - GitLab client secret to use for OAuth.

CONCOURSE_GITLAB_HOST - Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash)

CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT - Time limit on checking for new versions of resources.
Default: 1h

CONCOURSE_INFLUXDB_BATCH_DURATION - The duration to wait before emitting a batch of points to InfluxDB, disregarding influxdb.batch_size.
Default: 300s

CONCOURSE_INFLUXDB_BATCH_SIZE - Number of points to batch together when emitting to InfluxDB.
Default: 5000

CONCOURSE_INFLUXDB_DATABASE - InfluxDB database to which metrics will be emitted.

CONCOURSE_INFLUXDB_INSECURE_SKIP_VERIFY - Skip SSL verification when emitting to InfluxDB.

CONCOURSE_INFLUXDB_PASSWORD - InfluxDB password for authorizing access.

CONCOURSE_INFLUXDB_URL - If configured, detailed metrics will be emitted to the specified InfluxDB server.

CONCOURSE_INFLUXDB_USERNAME - InfluxDB username for authorizing access.

CONCOURSE_INTERCEPT_IDLE_TIMEOUT - Length of time for a intercepted session to be idle before terminating, in Go duration format.
Example: 5m

CONCOURSE_JOB_SCHEDULING_MAX_IN_FLIGHT - Maximum number of jobs to be scheduling at the same time.
Default: 32

CONCOURSE_LDAP_BIND_DN - Bind DN for searching LDAP users and groups. Typically this is a read-only user.

CONCOURSE_LDAP_BIND_PW - Bind Password for the user specified by 'bind-dn'.

CONCOURSE_LDAP_DISPLAY_NAME - The auth provider name displayed to users on the login page.

CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN - BaseDN to start the search from.
Example: cn=groups,dc=example,dc=com

CONCOURSE_LDAP_GROUP_SEARCH_FILTER - Optional filter to apply when searching the directory.
Example: (objectClass=posixGroup)

CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR - Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is (<groupAttr>=<userAttrvalue>)

CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR - The attribute of the group that represents its name.

CONCOURSE_LDAP_GROUP_SEARCH_SCOPE - Can either be 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub' if empty.

CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR - Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is (<groupAttr>=<userAttrvalue>).

CONCOURSE_LDAP_HOST - The host and optional port of the LDAP server. If port isn't supplied, it will be guessed based on the TLS configuration. 389 or 636.

CONCOURSE_LDAP_INSECURE_NO_SSL - Required if LDAP host does not use TLS.

CONCOURSE_LDAP_INSECURE_SKIP_VERIFY - Skip certificate verification.

CONCOURSE_LDAP_START_TLS - Start on insecure port, then negotiate TLS.

CONCOURSE_LDAP_USERNAME_PROMPT - The prompt that's displayed when logging in through the UI when password_connector is set to "ldap".
Example: Username

CONCOURSE_LDAP_USER_SEARCH_BASE_DN - BaseDN to start the search from.
Example: cn=users,dc=example,dc=com

CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR - A mapping of attributes on the user entry to claims. Defaults to 'mail' if empty.

CONCOURSE_LDAP_USER_SEARCH_FILTER - Optional filter to apply when searching the directory.
Example: (objectClass=person)

CONCOURSE_LDAP_USER_SEARCH_ID_ATTR - A mapping of attributes on the user entry to claims. Defaults to 'uid' if empty.

CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR - A mapping of attributes on the user entry to claims.

CONCOURSE_LDAP_USER_SEARCH_SCOPE - Can either be 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub' if empty.

CONCOURSE_LDAP_USER_SEARCH_USERNAME - Attribute to match against the inputted username. This will be translated and combined with the other filter as '(<attr>=<username>)'.

CONCOURSE_LETS_ENCRYPT_ACME_URL - URL of the ACME CA directory endpoint.
Default: https://acme-v02.api.letsencrypt.org/directory

CONCOURSE_LIDAR_SCANNER_INTERVAL - Interval on which the resource scanner will run to see if new checks need to be scheduled
Default: 1m

CONCOURSE_LOG_CLUSTER_NAME - Add cluster name (CONCOURSE_CLUSTER_NAME) to logs.

CONCOURSE_LOG_DB_QUERIES - Log database queries. Log level is debug, so you'll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.

CONCOURSE_LOG_LEVEL - The log level for the ATC. When set to debug, you'll see a lot more information about scheduling, resource scanning, etc., but it'll be quite chatty.
Default: info

CONCOURSE_MAIN_TEAM_BITBUCKET_CLOUD_TEAM - List of whitelisted Bitbucket Cloud teams.
Example: ['my-bitbucket-cloud-team']

CONCOURSE_MAIN_TEAM_BITBUCKET_CLOUD_USER - List of whitelisted Bitbucket Cloud users.
Example: ['my-bitbucket-cloud-login']

CONCOURSE_MAIN_TEAM_CF_ORG - List of CloudFoundry Orgs that are authorized for the main team
Example: ['myorg']

CONCOURSE_MAIN_TEAM_CF_SPACE - (Deprecated) List of CloudFoundry Spaces whose 'developer' users are authorized for the main team
Example: ['myorg:myspace']

CONCOURSE_MAIN_TEAM_CF_SPACE_GUID - List of CloudFoundry Space GUIDs that are authorized for the main team

CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_ANY_ROLE - List of CloudFoundry Spaces whose users with any role are authorized for the main team
Example: ['myorg:myspace']

CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_AUDITOR_ROLE - List of CloudFoundry Spaces whose 'auditor' users are authorized for the main team
Example: ['myorg:myspace']

CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_DEVELOPER_ROLE - List of CloudFoundry Spaces whose 'developer' users are authorized for the main team
Example: ['myorg:myspace']

CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_MANAGER_ROLE - List of CloudFoundry Spaces whose 'manager' users are authorized for the main team
Example: ['myorg:myspace']

CONCOURSE_MAIN_TEAM_CF_USER - List of CloudFoundry userids/usernames that are authorized for the main team
Example: ['my-username']

CONCOURSE_MAIN_TEAM_GITHUB_ORG - An array of GitHub orgs that are authorized for the main team
Example: ['my-github-org']

CONCOURSE_MAIN_TEAM_GITHUB_TEAM - An array of GitHub teams that are authorized for the main team
Example: ['my-github-org:my-github-team']

CONCOURSE_MAIN_TEAM_GITHUB_USER - An array of GitHub userids/logins that are authorized for the main team
Example: ['my-github-login']

CONCOURSE_MAIN_TEAM_GITLAB_GROUP - An array of GitLab groups that are authorized for the main team
Example: ['my-gitlab-group']

CONCOURSE_MAIN_TEAM_GITLAB_USER - An array of GitLab users that are authorized for the main team
Example: ['my-gitlab-login']

CONCOURSE_MAIN_TEAM_LDAP_GROUP - List of LDAP groups that are authorized for the main team
Example: ['my-group']

CONCOURSE_MAIN_TEAM_LDAP_USER - List of LDAP users that are authorized for the main team
Example: ['my-username']

CONCOURSE_MAIN_TEAM_LOCAL_USER - An array of local users that are authorized for the main team.

CONCOURSE_MAIN_TEAM_MICROSOFT_GROUP - List of whitelisted Microsoft groups for the main team.
Example: ['my-group']

CONCOURSE_MAIN_TEAM_MICROSOFT_USER - List of whitelisted Microsoft users for the main team.
Example: ['my-username']

CONCOURSE_MAIN_TEAM_OAUTH_GROUP - List of Generic OAuth groups that are authorized for the main team
Example: ['my-group']

CONCOURSE_MAIN_TEAM_OAUTH_USER - List of Generic OAuth users that are authorized for the main team
Example: ['my-username']

CONCOURSE_MAIN_TEAM_OIDC_GROUP - List of Generic OIDC groups that are authorized for the main team
Example: ['my-group']

CONCOURSE_MAIN_TEAM_OIDC_USER - List of Generic OIDC users that are authorized for the main team
Example: ['my-username']

CONCOURSE_MAIN_TEAM_SAML_GROUP - List of SAML groups that are authorized for the main team
Example: ['my-group']

CONCOURSE_MAIN_TEAM_SAML_USER - List of SAML users that are authorized for the main team
Example: ['my-username']

CONCOURSE_MAX_ACTIVE_CONTAINERS_PER_WORKER - Maximum allowed number of active containers per worker. Has effect only when used with "limit-active-containers" placement strategy. 0 means no limit.

CONCOURSE_MAX_ACTIVE_TASKS_PER_WORKER - Maximum allowed number of active build tasks per worker. Has effect only when used with "limit-active-tasks" placement strategy. 0 means no limit.

CONCOURSE_MAX_ACTIVE_VOLUMES_PER_WORKER - Maximum allowed number of active volumes per worker. Has effect only when used with "limit-active-volumes" placement strategy. 0 means no limit.

CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN - Maximum build logs to retain. Will override values configured in jobs.
Example: 1000

CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN - Maximum build logs to retain. Will override values configured in jobs.
Example: 1000

CONCOURSE_MAX_CHECKS_PER_SECOND - Maximum number of checks that can be started per second. If not specified, this will be calculated as (# of resources)/(resource checking interval). -1 value will remove this maximum limit of checks per second.
Example: 100

CONCOURSE_MAX_DAYS_TO_RETAIN_BUILD_LOGS - Maximum days to retain build logs. Will override values configured in jobs.
Example: 1000

CONCOURSE_METRICS_BUFFER_SIZE - The size of the buffer used in emitting event metrics.
Default: 1000

CONCOURSE_MICROSOFT_CLIENT_ID - Microsoft client ID to use for OAuth.

CONCOURSE_MICROSOFT_CLIENT_SECRET - Microsoft client secret to use for OAuth.

CONCOURSE_MICROSOFT_GROUPS - Allowed Active Directory groups to use for Microsoft OAuth.

CONCOURSE_MICROSOFT_ONLY_SECURITY_GROUPS - Only fetch security groups for Microsoft OAuth.

CONCOURSE_MICROSOFT_TENANT - Microsoft tenant limitation to use for OAuth (common, consumers, organizations, tenant name or tenant uuid).

CONCOURSE_NEWRELIC_ACCOUNT_ID - New Relic Account ID.

CONCOURSE_NEWRELIC_API_KEY - New Relic Insights API Key.

CONCOURSE_NEWRELIC_BATCH_DISABLE_COMPRESSION - Disables compression of the batch before sending it.

CONCOURSE_NEWRELIC_BATCH_DURATION - Length of time to wait between emitting until all currently batched events are emitted.
Example: 60s

CONCOURSE_NEWRELIC_BATCH_SIZE - Number of events to batch together before emitting.
Example: 2000

CONCOURSE_NEWRELIC_INSIGHTS_API_URL - New Relic Insights Base Url
Example: https://insights-collector.newrelic.com

CONCOURSE_NEWRELIC_SERVICE_PREFIX - An optional prefix for emitted New Relic events.

CONCOURSE_OAUTH_AUTH_URL - Generic OAuth provider authorization endpoint url.

CONCOURSE_OAUTH_CLIENT_ID - Application client ID for enabling generic OAuth.

CONCOURSE_OAUTH_CLIENT_SECRET - Application client secret for enabling generic OAuth.

CONCOURSE_OAUTH_DISPLAY_NAME - Name of the authentication method to be displayed on the Web UI

CONCOURSE_OAUTH_GROUPS_KEY - Groups claim key used to map groups from the OAuth userinfo/token

CONCOURSE_OAUTH_SCOPE - OAuth scopes to request during authorization.

CONCOURSE_OAUTH_SKIP_SSL_VALIDATION - Skip SSL validation.

CONCOURSE_OAUTH_TOKEN_URL - Generic OAuth provider token endpoint URL.

CONCOURSE_OAUTH_USERINFO_URL - Generic OAuth provider user info endpoint URL.

CONCOURSE_OAUTH_USER_ID_KEY - User ID claim key used to map groups from the OAuth userinfo/token

CONCOURSE_OAUTH_USER_NAME_KEY - User name claim key used to map groups from the OAuth userinfo/token

CONCOURSE_OIDC_CLIENT_ID - Application client ID for enabling generic OIDC.

CONCOURSE_OIDC_CLIENT_SECRET - Application client secret for enabling generic OIDC.

CONCOURSE_OIDC_DISABLE_GROUPS - Disable groups claim fetching.

CONCOURSE_OIDC_DISPLAY_NAME - Name of the authentication method to be displayed on the Web UI

CONCOURSE_OIDC_GROUPS_KEY - Groups claim key used to map groups from the OIDC userinfo/token

CONCOURSE_OIDC_HOSTED_DOMAINS - List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in

CONCOURSE_OIDC_ISSUER - Generic OIDC provider issuer url.

CONCOURSE_OIDC_SCOPE - OIDC scopes to request during authorization.

CONCOURSE_OIDC_SKIP_EMAIL_VERIFIED_VALIDATION - Ignore the email_verified claim from the upstream provider, treating all users as if email_verified were true.

CONCOURSE_OIDC_SKIP_SSL_VALIDATION - Skip SSL validation.

CONCOURSE_OIDC_USER_NAME_KEY - User name claim key used to map groups from the OIDC userinfo/token

CONCOURSE_OLD_ENCRYPTION_KEY - The key used previously to encrypt sensitive information in the database. To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start. To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.

CONCOURSE_OPA_RESULT_ALLOWED_KEY - Name of key in the Open Policy Agent result to check if the action is allowed.

CONCOURSE_OPA_RESULT_MESSAGES_KEY - Name of key in the Open Policy Agent result to extract the messages from.

CONCOURSE_OPA_RESULT_SHOULD_BLOCK_KEY - Name of key in the Open Policy Agent result to check if it should hard block and fail, or soft block and emit warning on failure.

CONCOURSE_OPA_TIMEOUT - Open Policy Agent API request timeout.

CONCOURSE_OPA_URL - Open Policy Agent policy check endpoint.
Example: http://opa.example.com:8181/v1/data/concourse/allow

CONCOURSE_P2P_VOLUME_STREAMING_TIMEOUT - Timeout for peer-to-peer volume streaming. Use Go duration format (15m = 15 minutes).
Example: 15m

CONCOURSE_PASSWORD_CONNECTOR - The connector to use for password authentication for fly login -u ... -p .... Either "local" or "ldap".
Example: local

CONCOURSE_PAUSE_PIPELINES_AFTER - The number of days after which a pipeline will be automatically paused if none of its jobs have run in less than the given number of days. A value of zero disables this component.
Example: 90

CONCOURSE_POLICY_CHECK_FILTER_ACTION - Array of ATC API actions to filter through policy checking.
Example: ['SaveConfig', 'UseImage']

CONCOURSE_POLICY_CHECK_FILTER_ACTION_SKIP - Array of ATC API actions to skip policy checking.
Example: ['PausePipeline', 'UnpausePipeline']

CONCOURSE_POLICY_CHECK_FILTER_HTTP_METHOD - Array of HTTP methods to filter through policy checking.
Example: ['PUT', 'POST']

CONCOURSE_POSTGRES_CONNECT_TIMEOUT - Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.
Default: 5m

CONCOURSE_POSTGRES_DATABASE - Name of the database to use.

CONCOURSE_POSTGRES_HOST - IP address or DNS name of a PostgreSQL server to connect to. If not specified, one will be autodiscovered via BOSH links.

CONCOURSE_POSTGRES_PASSWORD - Password to use when connecting.

CONCOURSE_POSTGRES_PORT - Port on which to connect to the server specified by postgresql.host. If postgresql.host is not specified, this will be autodiscovered via BOSH links, along with the host.
Default: 5432

CONCOURSE_POSTGRES_SOCKET - Path to a UNIX domain socket to connect to.

CONCOURSE_POSTGRES_SSLMODE - Whether or not to use SSL. Defaults to verify-ca when postgresql.address or postgresql.host is provided. Otherwise, defaults to disable.

CONCOURSE_POSTGRES_USER - Name of role to connect with.

CONCOURSE_PROMETHEUS_BIND_IP - If configured, expose Prometheus metrics at specified address

CONCOURSE_PROMETHEUS_BIND_PORT - If configured, expose Prometheus metrics at specified port

CONCOURSE_RESOURCE_CHECKING_INTERVAL - The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources. This can also be specified on a per-resource basis by specifying check_every on the resource config.
Default: 1m

CONCOURSE_RESOURCE_WITH_WEBHOOK_CHECKING_INTERVAL - The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources which have a webhook token configured.
Example: 1m

CONCOURSE_SAML_DISPLAY_NAME - The auth provider name displayed to users on the login page.

CONCOURSE_SAML_EMAIL_ATTR - Name of the email attribute in the returned assertions to map to ID token claims.
Example: email

CONCOURSE_SAML_ENTITY_ISSUER - Manually specify Concourse's Issuer value. When provided Concourse will include this as the Issuer value during AuthnRequest. If not provided, will default to the redirect URI when evaluating AudienceRestriction elements in the response.

CONCOURSE_SAML_GROUPS_ATTR - Name of the groups attribute in the returned assertions to map to ID token claims.
Example: groups

CONCOURSE_SAML_GROUPS_DELIM - Delimiter for splitting groups returned as a single string. By default, multiple groups are assumed to be represented as multiple attributes with the same name. If "groups_delim" is provided groups are assumed to be represented as a single attribute and the delimiter is used to split the attribute's value into multiple groups.

CONCOURSE_SAML_NAME_ID_POLICY_FORMAT - Requested format of the NameID. The NameID value is is mapped to the user ID of the user. This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to "emailAddress" the format will resolve to: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress If no value is specified, this value defaults to: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Example: persistent

CONCOURSE_SAML_SKIP_SSL_VALIDATION - Skip signature verification.

CONCOURSE_SAML_SSO_ISSUER - Issuer value expected in the SAML response.

CONCOURSE_SAML_SSO_URL - SSO URL used for POST value.

CONCOURSE_SAML_USERNAME_ATTR - Name of the username attribute in the returned assertions to map to ID token claims.
Example: name

CONCOURSE_SECRET_CACHE_DURATION - Maximum duration for which to keep cached credentials.
Default: 1m

CONCOURSE_SECRET_CACHE_DURATION_NOTFOUND - If the cache is enabled, secret not found responses will be cached for this duration.
Default: 10s

CONCOURSE_SECRET_CACHE_ENABLED - Enable in-memory caching of secrets fetched from the credential manager.

CONCOURSE_SECRET_CACHE_PURGE_INTERVAL - Interval on which to purge expired cached credentials.
Default: 10m

CONCOURSE_SECRET_RETRY_ATTEMPTS - The number of attempts secret will be retried to be fetched, in case a retryable error happens.

CONCOURSE_SECRET_RETRY_INTERVAL - The interval between secret retry retrieval attempts.

CONCOURSE_STREAMING_ARTIFACTS_COMPRESSION - Compression to use when streaming artifacts (values: zstd, gzip)

CONCOURSE_SYSLOG_ADDRESS - Remote syslog server address with port.
Example: 0.0.0.0:514

CONCOURSE_SYSLOG_DRAIN_INTERVAL - Interval over which checking is done for new build logs to send to syslog server (duration measurement units are s/m/h)
Example: 30s
Default: 30s

CONCOURSE_SYSLOG_HOSTNAME - Client hostname with which the build logs will be sent to the syslog server.
Example: atc-syslog-drainer
Default: atc-syslog-drainer

CONCOURSE_SYSLOG_TRANSPORT - Transport protocol for syslog messages (Currently supporting tcp, udp & tls).
Example: tcp

CONCOURSE_TLS_BIND_PORT - Deprecated in favor of tls.bind_port.

CONCOURSE_TLS_BIND_PORT - Deprecated in favor of tls.bind_port.

CONCOURSE_TRACING_ATTRIBUTE - Attributes to attach to traces as metadata.
Example: {'environment': 'ci'}

CONCOURSE_TRACING_HONEYCOMB_API_KEY - Honeycomb.io API Key.

CONCOURSE_TRACING_HONEYCOMB_DATASET - Name of dataset.
Example: web

CONCOURSE_TRACING_JAEGER_ENDPOINT - jaeger HTTP-based Thrift collector.
Example: http://jaeger:14268/api/traces

CONCOURSE_TRACING_JAEGER_SERVICE - Name of the service being traced.
Example: web

CONCOURSE_TRACING_JAEGER_TAGS - Tags to include in components.
Example: foo:bar,caz:zaz

CONCOURSE_TRACING_OTLP_ADDRESS - OTLP address to send traces to.
Example: otel-collector:55860

CONCOURSE_TRACING_OTLP_HEADER - Headers to attach to each tracing message.
Example: {'lightstep-access-token': 'mysecrettoken'}

CONCOURSE_TRACING_OTLP_USE_TLS - Whether to use TLS for the OTLP connection.

CONCOURSE_TRACING_SERVICE_NAME - Service name to attach to traces as metadata.
Example: concourse-web

CONCOURSE_TRACING_STACKDRIVER_PROJECTID - GCP's Project ID
Example: my-projectid

CONCOURSE_TSA_BIND_PORT - Port on which to listen for SSH connections.
Default: 2222

CONCOURSE_TSA_CLIENT_ID - Configure the client_id to use when requesting a token

CONCOURSE_TSA_CLIENT_SECRET - Configure the client_secret to use when requesting a token

CONCOURSE_TSA_GARDEN_REQUEST_TIMEOUT - How long to wait for requests to Garden to complete. 0 means no timeout.
Example: 5m

CONCOURSE_TSA_HEARTBEAT_INTERVAL - Interval on which to register workers with the ATC.
Default: 30s

CONCOURSE_TSA_LOG_LEVEL - The log level for the TSA.
Default: info

CONCOURSE_VAULT_AUTH_BACKEND - Auth backend to use for logging in to Vault.

CONCOURSE_VAULT_AUTH_BACKEND_MAX_TTL - Time after which to force a re-login. If not set, the token will just be continuously renewed.

CONCOURSE_VAULT_AUTH_PARAM - Key-value parameters to provide when logging in with the backend.
Example: {'role_id': 'abc123', 'secret_id': 'def456'}

CONCOURSE_VAULT_CLIENT_TOKEN - Client token to use for accessing your Vault server.

CONCOURSE_VAULT_INSECURE_SKIP_VERIFY - Enable insecure SSL verification.

CONCOURSE_VAULT_LOGIN_TIMEOUT - The maximum time to wait to authenticate with Vault.
Example: 60s

CONCOURSE_VAULT_LOOKUP_TEMPLATES - Path templates for credential lookup.

CONCOURSE_VAULT_NAMESPACE - Vault namespace to use for authentication and secret lookup. Currently only supported for Enterprise Vault.

CONCOURSE_VAULT_PATH_PREFIX - Path under which to look up shared team/pipeline credentials.
Default: /concourse

CONCOURSE_VAULT_QUERY_TIMEOUT - The maximum time to wait for Vault queries to resolve.
Example: 60s

CONCOURSE_VAULT_RETRY_INITIAL - The initial time between retries when logging in or re-authing a secret.

CONCOURSE_VAULT_RETRY_MAX - The maximum time between retries when logging in or re-authing a secret.

CONCOURSE_VAULT_SERVER_NAME - If set, is used to set the SNI host when connecting via TLS.

CONCOURSE_VAULT_SHARED_PATH - Path under which to lookup shared credentials.

CONCOURSE_VAULT_URL - Vault server URL to use for parameterizing credentials.

CONCOURSE_X_FRAME_OPTIONS - The value to set for X-Frame-Options header.
Example: deny