diff --git a/README.md b/README.md index 539c3fd20..9bdb15e23 100644 --- a/README.md +++ b/README.md 
@@ -61,18 +61,22 @@ There are a few parameters that need to be configured for CMS to run properly, t property | required | notes --------------------------- | -------- | ---------- -JDBC.url | Yes | The JDBC url for the mysql db -JDBC.username | Yes | The JDBC user name for the mysql db -JDBC.password | Yes | The JDBC JDBC.password for the mysql db -root.user.arn | Yes | The arn for the root AWS user, needed to make the KMS keys deletable. -admin.role.arn | Yes | The arn for an AWS user, needed to make the KMS keys deletable. -cms.role.arn | Yes | The arn for the Instance profile for CMS instances, so they can admin KMS keys that they create. -cms.admin.group | Yes | Group that user can be identified by to get admin privileges, currently this just enables users to access `/v1/metadata` see API.md -cms.admin.roles | No | Comma seperated list of ARNs that can auth and access admin endpoints. -cms.auth.connector | Yes | The user authentication connector implementation to use for user auth. -cms.user.token.ttl.override | No | By default user tokens are created with a TTL of 1h, you can override that with this param -cms.iam.token.ttl.override | No | By default IAM tokens are created with a TTL of 1h, you can override that with this param -cms.kms.policy.validation.interval.millis.override | No | By default CMS validates KMS key policies no more than once per minute, you can override that with this param +JDBC.url | Yes | The JDBC url for the mysql db +JDBC.username | Yes | The JDBC user name for the mysql db +JDBC.password | Yes | The JDBC JDBC.password for the mysql db +root.user.arn | Yes | The arn for the root AWS user, needed to make the KMS keys deletable. +admin.role.arn | Yes | The arn for an AWS user, needed to make the KMS keys deletable. +cms.role.arn | Yes | The arn for the Instance profile for CMS instances, so they can admin KMS keys that they create. 
+cms.admin.group | Yes | Group that user can be identified by to get admin privileges, currently this just enables users to access `/v1/metadata` see API.md +cms.admin.roles | No | Comma separated list of ARNs that can auth and access admin endpoints. +cms.auth.connector | Yes | The user authentication connector implementation to use for user auth. +cms.user.token.ttl.override | No | By default user tokens are created with a TTL of 1h, you can override that with this param +cms.iam.token.ttl.override | No | By default IAM tokens are created with a TTL of 1h, you can override that with this param +cms.kms.policy.validation.interval.millis.override | No | By default CMS validates KMS key policies no more than once per minute, you can override that with this param + +KMS Policies are bound to IAM Principal IDs rather than ARNs themselves. Because of this, we validate the policy at authentication time +to ensure that if an IAM role has been deleted and re-created, that we grant access to the new principal ID. +The API limit for this call is low, so the `cms.kms.policy.validation.interval.millis.override` property is used to throttle this validation. For local dev see `Running CMS Locally`.
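Review bot: the `JDBC.password` row is rewritten in this hunk but still carries the duplicated token `The JDBC JDBC.password for the mysql db`; since the line is already being touched, fix it to `JDBC.password | Yes | The JDBC password for the mysql db`. In the new paragraph, `to ensure that if an IAM role has been deleted and re-created, that we grant access to the new principal ID` has a doubled `that`, and `The API limit for this call is low` never names which KMS API call is rate-limited or what the validation does when the key policy no longer matches the current principal ID (rewrite the policy for the re-created role, or refuse the authentication?); a reader configuring `cms.kms.policy.validation.interval.millis.override` also has to infer from the table row that the default is one minute, so state the default value in milliseconds here alongside the property name.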