AWS Parameter Store

View as Markdown

Krenalis can load its configuration from AWS Systems Manager Parameter Store. This provides an alternative to environment variables when running Krenalis on AWS.

Use the -config-store flag to enable Parameter Store:

krenalis -config-store=aws:<region>:<prefix>

<region> is the AWS region, and <prefix> is the base path used to read parameters.

Example

krenalis -config-store=aws:us-east-1:/app/prod

Krenalis reads parameters under the specified prefix:

/app/prod/db/host
/app/prod/db/port
/app/prod/db/username
/app/prod/db/password

Parameters in this document are shown as if <prefix> were /. When using a different prefix, prepend it to each parameter.

Database

Use these parameters to configure the PostgreSQL connection.

Parameter Description
/db/host Address of the PostgreSQL server. Example: localhost.
Default: 127.0.0.1
/db/port Port number used by PostgreSQL.
Default: 5432
/db/username PostgreSQL username.
/db/password PostgreSQL password. In testing environments or other contexts where the server does not require a password (e.g. trust auth in pg_hba.conf), this can be left empty or omitted. Default: no password.
/db/database PostgreSQL database name.
/db/schema Schema within the PostgreSQL database to use.
Default: public
/db/max-connections Maximum number of connections to PostgreSQL. Must be >= 2.
Default: 8

Using AWS Secrets Manager

Instead of defining database connection parameters individually, you can reference a single secret stored in AWS Secrets Manager.

This approach is recommended when running on AWS, as Secrets Manager supports automatic credential rotation and secure lifecycle management.

Create a secret named:

<prefix>/db

where <prefix> is the same prefix used for Parameter Store.

Secret format

The secret must contain a JSON object:

{
  "engine": "postgres",
  "host": "mydb.abcdefg.us-east-1.rds.amazonaws.com",
  "username": "app_user",
  "password": "supersecret",
  "dbname": "mydatabase",
  "port": 5432
}

Behavior

When the secret /db is present, Krenalis uses it to populate:

  • /db/host
  • /db/port
  • /db/username
  • /db/password
  • /db/database

Notes

  • The secret must be accessible with the configured AWS credentials.
  • The /db secret must contain a SecretString value (SecretBinary is not supported).
  • The engine field must be postgres when using AWS rotation templates.
  • /db/schema and /db/max-connections are not part of the secret.
  • Do not mix /db/* parameters with the secret reference.

See also: Move hardcoded database credentials to AWS Secrets Manager.

HTTP server

Parameter Description
/http/host Server address to bind to. It can be an IPv4 address, an IPv6 address, or a hostname. Examples: localhost, [::1].
Default: 127.0.0.1
/http/port Port number on which the server listens. Example: 443.
Default: 2022
/http/tls/enabled Enable or disable TLS (HTTPS). You can disable TLS if a reverse proxy or load balancer in front of the Krenalis server is handling the TLS termination, as it will manage the encryption and decryption of traffic.
Default: false
/http/tls/cert-file Path to the TLS certificate file (e.g., .crt file). It is required if TLS is enabled.
/http/tls/key-file Path to the private key file associated with the TLS certificate. It is required if TLS is enabled.
/http/tls/dns-names Comma-separated list of hostnames or IP addresses that the TLS certificate is expected to be valid for. Use this when Krenalis is behind a reverse proxy or load balancer and the connection to the Krenalis server still uses TLS. If not set, Krenalis derives the expected names from /http/external-url and /http/external-event-url when they use https. If the certificate does not match one of them, Krenalis writes a warning to the log.
/http/external-url Public address through which the server can be accessed from outside the internal network. If not set, it is determined by the combination of /http/tls/enabled, /http/host, and /http/port. Example: https://krenalis.example.com:8080/.
/http/external-event-url Public address through which the event ingestion endpoint (/v1/events) can be accessed from outside the internal network. If not set, it is the combination of the external URL and /v1/events. Example: https://krenalis.example.com:8080/v1/events.
/http/read-header-timeout Max time to read request headers, including TLS handshake.
Default: 2s
/http/read-timeout Max time to read the full request (headers + body), starting from first byte.
Default: 5s
/http/write-timeout Max time for handler execution and sending response. For TLS, includes handshake.
Default: 30s
/http/idle-timeout Max idle time between requests on keep-alive connections.
Default: 120s

NATS

Parameters used to access the NATS server required by Krenalis.

When connecting to NATS, Krenalis passes all configured authentication parameters to the NATS server, which applies its authentication rules in the following order: NKey, token, username/password.

Parameter Description
/nats/url One or more URLs, comma-separated, for a single server or multiple servers in the same NATS cluster. Each URL has the form <scheme>://<server>:<port>, where <scheme> can be nats, tls, ws, or wss. <server>:<port> is accepted and treated as nats://<server>:<port>. Default: nats://127.0.0.1:4222.
/nats/nkey Private key of a NATS user NKey (starts with SU). The corresponding public key (starts with UD) should be configured on the server.
/nats/token Authentication token.
/nats/user Username used for authentication.
/nats/password Password associated with the specified user.
/nats/storage Storage backend used for streams. Supported values are file and memory. If the stream already exists, Krenalis verifies that it uses the configured storage type. If the stream already exists, its storage type must match this setting. If it does not, Krenalis fails to start and reports an error. Default: file.
/nats/compression Compression algorithm used for file-based storage. Supported values are unset (no compression) and s2. This parameter requires file-based storage: if /nats/storage is set to memory, Krenalis fails to start. Default: no compression.
/nats/replicas Number of NATS cluster nodes used to replicate events. Common values are 1 (no replicas), 3, and 5. Values 2 and 4 are supported but rarely used. If the number of replicas exceeds the number of available NATS nodes, Krenalis fails to start and reports an error. Default: 1.

Team member emails and SMTP

Parameters for emails that are sent to members.

Parameter Description
/invite-members-via-email Make the creation of new team members happen via email invitation. Use true to allow adding members with email invitation.
Default: false
/member-email-from "From" address from which team member emails are sent (mandatory to send emails to members). Example: Org <org@example.com> or org@example.com.

If you enable the parameters above, then you need to configure your SMTP server parameters:

Parameter Description
/smtp/host SMTP server address.
/smtp/port SMTP server port.
/smtp/username SMTP username.
/smtp/password SMTP password.

General

Parameter Description
/kms Key management system used to store and access the master key that Krenalis uses to encrypt application data.

You can provide a raw key directly by setting the value to key:<base64-encoded 32-byte key>.

To use AWS KMS, set the value to aws:<region>:<key-id>, where <region> is an AWS region and <key-id> is the KMS key identifier (e.g., full ARN or alias such as alias/your-key). Ensure the appropriate AWS credentials are available in the environment.

If the master key changes, Krenalis will no longer be able to decrypt previously encrypted data and will fail to start.

Required
/organizations-api-key API key for the organizations management endpoints. When not set, these endpoints are disabled and return an authentication error. When set, requests must include it as a Bearer token in the Authorization header. Format: org_ followed by exactly 43 alphanumeric characters ([a-zA-Z0-9]), for a total of 47 characters. For more details, see the Organizations API key section.
/maxmind-db-path Path to the MaxMind database file (usually with extension '.mmdb') for automatically adding geolocation information to the events. If not set, no geolocation information is automatically added to the events by Krenalis, so it is only possible to provide location information explicitly.
/termination-delay Delay time before gracefully shutting down the server. Example: 1s (1 second), 200ms (200 milliseconds).
Default: no delay
/javascript-sdk-url URL that serves the JavaScript SDK.
Default: https://cdn.krenalis.com/krenalis.min.js
/telemetry-level Level for telemetry data sent by Krenalis: none (no telemetry data will be sent), errors (only telemetry data related to errors will be sent), stats (only telemetry data related to software usage statistics will be sent), all (both types of telemetry data (errors and stats) will be sent).
Default: all
/prometheus-metrics-enabled Enable or disable the /metrics endpoint for Prometheus monitoring.
Default: false
/external-assets-urls List of base URLs (comma-separated) from which Krenalis retrieves external assets (as icons) related to connector and data warehouse brands. If an image is not available at the first URL, the second is called, and so on, until eventually a default image is used.
Default: https://assets.krenalis.com/
/potential-connectors-url URL of the "potentials.json" connector file which contains the connectors that may be implemented in future versions of Krenalis. Set to none to not retrieve any file.
Default: https://assets.krenalis.com/admin/connectors/potentials.json
/max-queued-events-per-destination Maximum size of the event queue used by a destination connection to send events to an application. This value limits memory usage and also caps the maximum number of in-flight events. If not set, the default value is 50000. The minimum allowed value is 1. This parameter may be replaced in the future by alternative memory control mechanisms.

Transformers

The following parameters let you choose how transformations are executed. Krenalis can run them either using AWS Lambda or locally. In production, you must use AWS Lambda only. The local mode is meant for testing or evaluating Krenalis when running with Docker.

AWS Lambda

Accessing AWS Lambda is accomplished by reading the parameters to connect to AWS, as expected by Amazon AWS. In addition to this configuration, you must provide these parameters to Krenalis to complete the Lambda configuration:

Parameter Description
/transformers/provider Set to aws-lambda, to use the AWS Lambda provider for transformations.
/transformers/aws-lambda/role AWS IAM Role ARN to be assumed for executing Lambda functions.
/transformers/aws-lambda/nodejs/runtime Node.js runtime version for AWS Lambda. Example: nodejs22.x.
/transformers/aws-lambda/nodejs/layer (Optional) ARN of a Lambda layer for Node.js functions.
/transformers/aws-lambda/python/runtime Python runtime version for AWS Lambda. Example: python3.14.
/transformers/aws-lambda/python/layer (Optional) ARN of a Lambda layer for Python functions.

⚠️ Once you have configured access to AWS Lambda and created pipelines with transformation functions, those pipelines will stop working if you change your AWS Lambda configuration by referencing another AWS Lambda instance.

Local

⚠️ Configuring transformers for local execution allows the code in transformation functions defined in Krenalis to execute arbitrary code on the local machine. Therefore, use with caution and only in trusted contexts.

Parameter Description
/transformers/provider Set to local, to use the local provider for transformations..
/transformers/local/nodejs/executable Path to the Node.js executable. Example: /usr/bin/node.
/transformers/local/python/executable Path to the Python executable. Example: /usr/bin/python.
/transformers/local/functions-dir Directory where local transformation functions are stored (a subdirectory named krenalis-functions will be created inside the specified path). This directory should be writable by the user executing the Krenalis executable. Example: /var/krenalis-project.
/transformers/local/sudo-user System user under which to run local transformation function processes. Switching to this user is done in Krenalis via sudo. If left blank, the current user is retained and sudo is not invoked.
/transformers/local/doas-user System user under which to run local transformation function processes. Switching to this user is done in Krenalis via doas. If left blank, the current user is retained and doas is not invoked.

If you want to change the file system location of the functions dir once you have already created pipelines with transformation functions, you need to (1) copy the krenalis-functions directory within the new desired location and (2) update the /transformers/local/functions-dir parameter to refer to that new location.