habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: include OS-specific docker-compose install instructions + minor fixes (#8975)

Browse Source 
* docs: include OS-specific docker-compose install instructions + minor fixes

* Update website/docs/installation/kubernetes.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* Update website/docs/installation/configuration.mdx

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* Update website/docs/installation/configuration.mdx

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* Update configuration.mdx HTTPS description clarification

Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* Update certificates.md for more clarity, simpler language

Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* Update kubernetes.md . > ;

Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* Update configuration.mdx clarifications

Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>

* bye windows

* take old config env vars back out

---------

Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>
Co-authored-by: Fletcher Heisler <fletcher@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
Fletcher Heisler
2024-03-25 11:33:19 -04:00
committed by GitHub
parent 7f8b8a7eb5
commit d506e5d50c
8 changed files with 90 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
website/docs/core/certificates.md
View File

@ -8,7 +8,7 @@ Certificates in authentik are used for the following use cases:
- Signing JSON Web Tokens for OAuth and OIDC
- Connecting to remote docker hosts using the Docker integration
- Verifying LDAP Servers' certificates
- Encrypting outposts's endpoints
- Encrypting outposts' endpoints
## Default certificate
@ -16,15 +16,15 @@ Every authentik install generates a self-signed certificate on the first start.
This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL).
This certificate can also be used for SAML Providers/Sources, just keep in mind that the certificate is only valid for a year. Some SAML applications require the certificate to be valid, so they might need to be rotated regularly.
This certificate can also be used for SAML Providers/Sources, but keep in mind that the certificate is only valid for a year. Some SAML applications require the certificate to be valid, so they might need to be rotated regularly.
For SAML use-cases, you can generate a Certificate that's valid for longer than 1 year, on your own risk.
For SAML use-cases, you can generate a Certificate that's valid for longer than 1 year, at your own risk.
## External certificates
To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
The docker-compose installation maps a `certs` directory to `/certs`, you can simply use this as an output directory for certbot.
The Docker Compose installation maps a `certs` directory to `/certs`. You can simply use this as an output directory for certbot.
For Kubernetes, you can map custom secrets/volumes under `/certs`.
@ -32,13 +32,13 @@ You can also bind mount single files into the folder, as long as they fall under
- Files in the root directory will be imported based on their filename.
`/foo.pem` Will be imported as the keypair `foo`. Based on its content its either imported as certificate or private key.
`/foo.pem` Will be imported as the keypair `foo`. Based on its content, the file is either imported as a certificate or a private key:
Files containing `PRIVATE KEY` it will imported as private key.
- Files containing `PRIVATE KEY` will imported as private keys.
Otherwise it will be imported as certificate.
- Otherwise the file will be imported as a certificate.
- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder.
- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), it will get the name of the parent folder.
- Files can be in any arbitrary file structure, and can have any extension.
- If the path contains `archive`, the files will be ignored (to better support certbot setups).
@ -55,7 +55,7 @@ certs/
└── foo.pem
```
Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ.
Files are checked every 5 minutes and will trigger an Outpost refresh if a file has changed.
#### Manual imports
@ -67,7 +67,7 @@ ak import_certificate --certificate /certs/mycert.pem --private-key /certs/somet
# ak import_certificate --certificate /certs/othercert.pem --name test2
```
This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes.
This will import the certificate into authentik under the given name. This command is safe to run as a cron job; authentik will only re-import the certificate if it changes.
## Web certificates
@ -75,7 +75,7 @@ Starting with authentik 2021.12.4, you can configure the certificate authentik u
#### Let's Encrypt
To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file)
To use Let's Encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file)
```yaml
version: "3.2"
@ -98,7 +98,7 @@ services:
- --dns-route53
```
Afterwards, run `docker compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
Afterward, run `docker compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
Navigate to _System -> Brands_, edit any brand and select the certificate of your choice.

12
website/docs/index.mdx
View File

@ -7,21 +7,21 @@ slug: /
Our tech docs cover the typical topics, from installation to configuration, adding providers, defining policies and creating login flows, event monitoring, security, and attributes. [Enterprise](./enterprise/index.md) version documentation is included here, within our standard tech docs.
- For information about integrating a specific application or software into authentik, refer to our [Integrations](../integrations) section, accessible from the top menu-bar.
- For information about integrating a specific application or software into authentik, refer to our [Integrations](../integrations) section, accessible from the top menu bar.
- For developer-focused documentation, such as using our APIs and blueprints, setting up your development environment, translations, or how to contribute, refer to the [Developer](../developer-docs) area, accessible from the top menu-bar.
- For developer-focused documentation, such as using our APIs and blueprints, setting up your development environment, translations, or how to contribute, refer to the [Developer](../developer-docs) area, accessible from the top menu bar.
## What is authentik?
authentik is an open-source Identity Provider, focused on flexibility and versatility. With authentik, site administrators, application developers, and security engineers have a dependable and secure solution for authentication in almost any type of environment. There are robust recovery actions available for the users and applications, including user profile and password management. You can quickly edit, deactivate, or even impersonate a user profile, and set a new password for new users or reset an existing password.
You can use authentik in an existing environment to add support for new protocols, so introducing authentik to your current tech stack doesn't present re-architecting challenges. We already support all of the major providers, such as OAuth2, SAML, LDAP, and SCIM, so you can pick the protocol that you need for each application.
You can use authentik in an existing environment to add support for new protocols, so introducing authentik to your current tech stack doesn't present re-architecting challenges. We support all of the major providers, such as OAuth2, SAML, LDAP, and SCIM, so you can pick the protocol that you need for each application.
The authentik product provides the following consoles:
- **Admin interface**: a visual tool for the creation and management of users and groups, tokens and credentials, application integrations, events, and the Flows that define standard and customizable login and authentication processes. Easy-to-read visual dashboards display system status, recent logins and authentication events, and application usage.
- **User interface**: this console view in authentik displays all of the applications and integrations in which you have implemented authentik. Click on the app that you want to access to open it, or drill down to edit its configuration in the admin interface
- **User interface**: this console view in authentik displays all of the applications and integrations in which you have implemented authentik. Click on the app that you want to access to open it, or drill down to edit its configuration in the admin interface.
- **Flows**: [_Flows_](./flow) are the steps by which the various _Stages_ of a login and authentication process occurs. A stage represents a single verification or logic step in the sign-on process. authentik allows for the customization and exact definition of these flows.
@ -29,11 +29,11 @@ The authentik product provides the following consoles:
Refer to the installation steps in either [Docker-compose](installation/docker-compose) or [Kubernetes](installation/kubernetes).
For more information about configuration, Beta versions, and additional installation options, see our main [Installation](installation) section.
For more information about configuration, beta versions, and additional installation options, see our main [Installation](installation) section.
## Screenshots
authentik can use Light or Dark mode for the Admin interface, User interface and the flow interface.
authentik can use Light or Dark mode for the Admin interface, User interface and the Flow interface.
import "react-before-after-slider-component/dist/build.css";
import ReactBeforeSliderComponent from "react-before-after-slider-component";

19
website/docs/installation/configuration.mdx
View File

@ -110,7 +110,7 @@ To check if your config has been applied correctly, you can run the following co
## Broker Settings
- `AUTHENTIK_BROKER__URL`: Broker configuration URL, defaults to Redis using [the respective settings](#redis-settings)
- `AUTHENTIK_BROKER__TRANSPORT_OPTIONS`: Base64 encoded broker transport options
- `AUTHENTIK_BROKER__TRANSPORT_OPTIONS`: Base64-encoded broker transport options
:::info
`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
@ -144,19 +144,19 @@ These settings affect where media files are stored. Those files include applicat
- `AUTHENTIK_STORAGE__MEDIA__S3__SECURITY_TOKEN`: Security token to authenticate to S3. May be omitted. Supports hot-reloading.
- `AUTHENTIK_STORAGE__MEDIA__S3__BUCKET_NAME`: Name of the bucket to use to store files.
- `AUTHENTIK_STORAGE__MEDIA__S3__CUSTOM_DOMAIN`: Domain to use to create URLs for users. Mainly useful for non-AWS providers. May include a port. Must include the bucket. Example: `s3.company:8080/authentik-media`.
- `AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS`: Whether URLS created for users use `http` or `https`. Defaults to `true`.
- `AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS`: Whether URLs created use HTTPS (set to `true` by default) or HTTP.
## authentik Settings
### `AUTHENTIK_SECRET_KEY`
Secret key used for cookie signing and unique user IDs, don't change this after the first install.
Secret key used for cookie signing and unique user IDs. Do not change this after the first install.
### `AUTHENTIK_LOG_LEVEL`
Log level for the server and worker containers. Possible values: debug, info, warning, error
Log level for the server and worker containers. Possible values: `debug`, `info`, `warning`, `error`.
Starting with 2021.12.3, you can also set the log level to _trace_. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
Starting with 2021.12.3, you can also set the log level to `trace`. This has no effect on the core authentik server, but shows additional messages for the embedded outpost.
:::danger
Setting the log level to `trace` will include sensitive details in logs, so it shouldn't be used in most cases.
@ -188,7 +188,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
Enable error reporting. Defaults to `false`.
Error reports are sent to https://sentry.io, and are used for debugging and general feedback. Anonymous performance data is also sent.
Error reports are sent to https://sentry.io and are used for debugging and general feedback. Anonymous performance data is also sent.
- `AUTHENTIK_ERROR_REPORTING__SENTRY_DSN`
@ -202,8 +202,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
The environment tag associated with all data sent to Sentry. Defaults to `customer`.
When error reporting has been enabled to aid in debugging issues, this should be set to a unique
value, such as an e-mail address.
When error reporting has been enabled to aid in debugging issues, this should be set to a unique value, such as an email address.
- `AUTHENTIK_ERROR_REPORTING__SEND_PII`
@ -326,7 +325,7 @@ Requires authentik 2022.9
Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).
If running in Kubernetes, the default value is set to 2 and should in most cases not be changed, as scaling can be done with multiple pods running the web server.
Otherwise, authentik will use 1 worker for each 4 CPU cores + 1 as a value below 2 workers is not recommended.
Otherwise, authentik will use 1 worker for each 4 CPU cores + 1. A value below 2 workers is not recommended.
### `AUTHENTIK_WEB__THREADS`
@ -358,7 +357,7 @@ Additional settings are configurable using the Admin interface, under **System**
## Custom python settings
To modify additional settings further than the options above allow, you can create a custom python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)
To modify additional settings further than the options above allow, you can create a custom Python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)
:::caution
Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.

61
website/docs/installation/docker-compose.md → website/docs/installation/docker-compose.mdx
View File

@ -2,7 +2,7 @@
title: Docker Compose installation
---
This installation method is for test-setups and small-scale production setups.
This installation method is for test setups and small-scale production setups.
## Requirements
@ -12,32 +12,51 @@ This installation method is for test-setups and small-scale production setups.
## Video
<iframe width="560" height="315" src="https://www.youtube.com/embed/O1qUbrk4Yc8?si=HiSBjmJYhE_oJhB1&amp;start=22" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
<iframe
width="560"
height="315"
src="https://www.youtube.com/embed/O1qUbrk4Yc8?si=HiSBjmJYhE_oJhB1&amp;start=22"
title="YouTube video player"
frameborder="0"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
allowfullscreen
></iframe>
## Preparation
To download the latest `docker-compose.yml` open your terminal and navigate to the directory of your choice.
Run the following command:
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
{/* prettier-ignore */}
<Tabs groupId="OS">
<TabItem value="Linux" label="Linux" default>
```shell
wget https://goauthentik.io/docker-compose.yml
```
</TabItem>
<TabItem value="MacOS" label="MacOS">
```shell
curl -O https://goauthentik.io/docker-compose.yml
```
</TabItem>
</Tabs>
If this is a fresh authentik installation, you need to generate a password and a secret key. Use a secure password generator of your choice such as pwgen, or you can use `openssl` as below.
Run the following commands to generate a password and secret key and write them to your `.env` file:
{/* prettier-ignore */}
```shell
wget https://goauthentik.io/docker-compose.yml
echo "PG_PASS=$(openssl rand -base64 36)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 36)" >> .env
```
If this is a fresh authentik installation, you need to generate a password and a secret key. If you don't already have a password generator installed, you can run this command to install **pwgen**, a popular generator:
```shell
# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen
```
Next, run the following commands to generate a password and secret key and write them to your `.env` file:
```shell
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
```
:::info
Because of a PostgreSQL limitation, only passwords up to 99 chars are supported. See: https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
:::
To enable error reporting, run the following command:
@ -87,7 +106,7 @@ Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik cont
This will not give any advantages. It will cause problems with OAuth and SAML authentication, e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
:::
Afterwards, run these commands to finish:
Afterward, run these commands to finish:
```shell
docker compose pull
@ -98,6 +117,6 @@ The `docker-compose.yml` file statically references the latest version available
To start the initial setup, navigate to `http://<your server's IP or hostname>:9000/if/flow/initial-setup/`.
There you are prompted to set a password for the akadmin user (the default user).
There you are prompted to set a password for the `akadmin` user (the default user).
An explanation about what each service in the docker compose file does, see [Architecture](../core/architecture.md).
For an explanation about what each service in the docker compose file does, see [Architecture](../core/architecture.md).

18
website/docs/installation/kubernetes.md
View File

@ -32,7 +32,7 @@ Create a `values.yaml` file with a minimum of these settings:
```yaml
authentik:
secret_key: "PleaseGenerateA50CharKey"
secret_key: "PleaseGenerateASecureKey"
# This sends anonymous usage-data, stack traces on errors and
# performance data to sentry.io, and is fully opt-in
error_reporting:
@ -60,7 +60,7 @@ See all configurable values on [ArtifactHub](https://artifacthub.io/packages/hel
### Install authentik Helm Chart
Now, execute the following commands to install authentik
Now, execute the following commands to install authentik:
```
helm repo add authentik https://charts.goauthentik.io
@ -72,7 +72,7 @@ During the installation process, the database migrations will be applied automat
### Accessing authentik
Once the installation is complete, access authentik at `https://<ingress-host-name>/if/flow/initial-setup/`. Here, you can set a password for the default akadmin user.
After the installation is complete, access authentik at `https://<ingress-host-name>/if/flow/initial-setup/`. Here, you can set a password for the default `akadmin` user.
### Optional step: Configure global email credentials
@ -87,17 +87,17 @@ email:
# -- SMTP Server emails are sent from, fully optional
host: ""
port: 587
# -- SMTP credentials, when left empty, no authentication will be done
# -- SMTP credentials. When left empty, no authentication will be done.
username: ""
# -- SMTP credentials, when left empty, no authentication will be done
# -- SMTP credentials. When left empty, no authentication will be done.
password: ""
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
# -- Enable either use_tls or use_ssl. They can't be enabled at the same time.
use_tls: false
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
# -- Enable either use_tls or use_ssl. They can't be enabled at the same time.
use_ssl: false
# -- Connection timeout
# -- Connection timeout in seconds
timeout: 30
# -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
# -- Email 'from' address can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
from: ""
```

8
website/docs/installation/monitoring.md
View File

@ -2,11 +2,11 @@
title: Monitoring
---
authentik can be easily monitored multiple ways.
authentik can be easily monitored in multiple ways.
## Server monitoring
Configure your monitoring software to send requests to `/-/health/live/`, which will return a HTTP 204 response as long as authentik is running. You can also send HTTP requests to `/-/health/ready/`, which will return HTTP 204 if both PostgreSQL and Redis connections can be/have been established correctly.
Configure your monitoring software to send requests to `/-/health/live/`, which will return a `HTTP 204` response as long as authentik is running. You can also send HTTP requests to `/-/health/ready/`, which will return `HTTP 204` if both PostgreSQL and Redis connections can be/have been established correctly.
## Worker monitoring
@ -14,11 +14,11 @@ The worker container can be monitored by running `ak healthcheck` in the worker
## Outpost monitoring
Both kinds of outpost (proxy and LDAP) listen on a separate port (9300), and can be monitored by sending HTTP requests to `/outpost.goauthentik.io/ping`.
Both kinds of outpost (proxy and LDAP) listen on a separate port (9300) and can be monitored by sending HTTP requests to `/outpost.goauthentik.io/ping`.
---
Both docker-compose and Kubernetes deployments use these methods by default to determine when authentik is ready after starting, and to only route traffic to healthy instances, and unhealthy instances are restarted
Both Docker Compose and Kubernetes deployments use these methods by default to determine when authentik is ready after starting, and to only route traffic to healthy instances; unhealthy instances are restarted.
## Metrics

4
website/docs/installation/reverse-proxy.md
View File

@ -6,9 +6,9 @@ title: Reverse-proxy
Since authentik uses WebSockets to communicate with Outposts, it does not support HTTP/1.0 reverse-proxies. The HTTP/1.0 specification does not officially support WebSockets or protocol upgrades, though some clients may allow it.
:::
If you want to access authentik behind a reverse-proxy, there are a few headers that must be passed upstream:
If you want to access authentik behind a reverse proxy, there are a few headers that must be passed upstream:
- `X-Forwarded-Proto`: Tells authentik and Proxy Providers if they are being served over a HTTPS connection.
- `X-Forwarded-Proto`: Tells authentik and Proxy Providers if they are being served over an HTTPS connection.
- `X-Forwarded-For`: Without this, authentik will not know the IP addresses of clients.
- `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
- `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.

16
website/docs/installation/storage-s3.md
View File

@ -6,9 +6,9 @@ title: S3 storage setup
First, create a user on your S3 storage provider and get access credentials for S3, hereafter referred as `access_key` and `secret_key`.
You'll also need to know which endpoint authentik is going to use to access the S3 API, hereafter referred as `https://s3.provider`.
You will also need to know which endpoint authentik is going to use to access the S3 API, hereafter referred as `https://s3.provider`.
The bucket in which authentik is going to store files is going to be called `authentik-media`. You may need to change this name depending on your S3 provider limitations. Also, we're suffixing the bucket name with `-media` as authentik currently only stores media files, but may use other buckets in the future.
The bucket in which authentik is going to store files is going to be called `authentik-media`. You may need to change this name depending on your S3 provider limitations. Also, we are suffixing the bucket name with `-media` as authentik currently only stores media files, but may use other buckets in the future.
The domain used to access authentik is going to be referred to as `authentik.company`.
@ -18,7 +18,7 @@ You will also need the AWS CLI.
#### Bucket creation
Let's create the bucket in which authentik is going to store files:
Create the bucket in which authentik is going to store files:
```bash
AWS_ACCESS_KEY_ID=access_key AWS_SECRET_ACCESS_KEY=secret_key aws s3api --endpoint-url=https://s3.provider create-bucket --bucket=authentik-media --acl=private
@ -30,7 +30,7 @@ The bucket ACL is set to private, although that is not strictly necessary, as an
#### CORS policy
Next, let's associate a CORS policy to the bucket, to allow the authentik web interface to show images stored in the bucket.
Next, associate a CORS policy to the bucket to allow the authentik web interface to show images stored in the bucket.
First, save the following file locally as `cors.json`:
@ -49,7 +49,7 @@ First, save the following file locally as `cors.json`:
If authentik is accessed from multiple domains, you can add them to the `AllowedOrigins` list.
Let's apply that policy to the bucket:
Apply that policy to the bucket:
```bash
AWS_ACCESS_KEY_ID=access_key AWS_SECRET_ACCESS_KEY=secret_key aws s3api --endpoint-url=https://s3.provider put-bucket-cors --bucket=authentik-media --cors-configuration=file://cors.json
@ -66,13 +66,13 @@ AUTHENTIK_STORAGE__MEDIA__S3__SECRET_KEY=secret_key
AUTHENTIK_STORAGE__MEDIA__S3__BUCKET_NAME=authentik-media
```
If you're using AWS S3 as your S3 provider, add the following:
If you are using AWS S3 as your S3 provider, add the following:
```env
AUTHENTIK_STORAGE__MEDIA__S3__REGION=us-east-1 # Use the region of the bucket
```
If you're not using AWS S3 as your S3 provider, add the following:
If you are not using AWS S3 as your S3 provider, add the following:
```env
AUTHENTIK_STORAGE__MEDIA__S3__ENDPOINT=https://s3.provider
@ -81,7 +81,7 @@ AUTHENTIK_STORAGE__MEDIA__S3__CUSTOM_DOMAIN=s3.provider/authentik-media
The `ENDPOINT` setting specifies how authentik talks to the S3 provider.
The `CUSTOM_DOMAIN` setting specifies how URLs are constructed to be shown on the web interface. For example, an object stored at `application-icons/application.png` with a `CUSTOM__DOMAIN` setting of `s3.provider/authentik-media` will result in a URL of `https://s3.provider/authentik-media/application-icons/application.png`. You can also use subdomains for your buckets depending on what your S3 provider offers: `authentik-media.s3.provider`. Whether HTTPS is used is controlled by the `AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS` which defaults to true.
The `CUSTOM_DOMAIN` setting specifies how URLs are constructed to be shown on the web interface. For example, an object stored at `application-icons/application.png` with a `CUSTOM__DOMAIN` setting of `s3.provider/authentik-media` will result in a URL of `https://s3.provider/authentik-media/application-icons/application.png`. You can also use subdomains for your buckets depending on what your S3 provider offers: `authentik-media.s3.provider`. Whether HTTPS is used is controlled by `AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS`, which defaults to true.
For more control over settings, refer to the [configuration reference](./configuration.mdx#media-storage-settings)