--- title: Policy Editor configuration with runtime environment variables description: You do not have to hard-code values for policy configuration keys in an options file in the Policy Editor configuration. You can specify values for policy configuration keys at runtime using environment variables. component: pingauthorize version: 11.0 page_id: pingauthorize:pingauthorize_server_administration_guide:paz_use_env_vars canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_use_env_vars.html revdate: April 28, 2025 section_ids: example-set-policy-information-provider-uri-using-an-environment-variable: "Example: Set policy information provider URI using an environment variable" example-set-trust-store-details-using-an-environment-variable: "Example: Set trust store details using an environment variable" --- # Policy Editor configuration with runtime environment variables You do not have to hard-code values for policy configuration keys in an options file in the Policy Editor configuration. You can specify values for policy configuration keys at runtime using environment variables. To use environment variables, specify a policy configuration key value in the options file using the `${variableName}` notation, and then define the environment variable before starting the Policy Editor. ## Example: Set policy information provider URI using an environment variable This example takes the scenario in [Define policy configuration keys in a development environment](paz_env_specific_trust_framework.html#define_policy_config_keys_develop) and modifies it to specify the Consent API base URI at runtime using an environment variable. To specify the base URI using an environment variable: 1. Make a copy of the default options file. ```shell $ cp config/options.yml my-options.yml ``` 2. Edit the new options file and define a policy configuration key in the core section called `ConsentBaseUri`. Instead of hard-coding its value, specify a variable called `CONSENT_BASEURI`. ``` core: ConsentBaseUri: ${CONSENT_BASEURI} # Other options omitted for brevity... ``` 3. Stop the GUI server. ```shell $ bin/stop-server ``` 4. Run `setup` using the `--optionsFile` argument. Customize all other options as appropriate for your needs. ```shell $ bin/setup demo \ --adminUsername admin \ --generateSelfSignedCertificate \ --decisionPointSharedSecret pingauthorize \ --hostname \ --port \ --adminPort \ --licenseKeyFile \ --optionsFile my-options.yml ``` 5. Set the value of the `CONSENT_BASEURI` environment variable and then start the server. ```shell $ export CONSENT_BASEURI=https://consent-us-east.example.com/consent/v1; bin/start-server ``` To set a different host name, redefine the `CONSENT_BASEURI` environment variable and restart the server. ```shell $ bin/stop-server $ export CONSENT_BASEURI=https://consent-us-west.example.com/consent/v1; bin/start-server ``` ## Example: Set trust store details using an environment variable This example takes the scenario in [Example: Configure a trust store for a policy information provider](paz_config_trust_store_policy_info.html) and modifies it to specify the trust store password at runtime using an environment variable. Given a Java KeyStore (JKS) trust store named `my-ca-truststore.jks` with the password `password123` and a trusted root certificate with the alias `my-ca`, create an options file with details about the trust store. Instead of hard-coding the trust store password, specify it as an environment variable. To specify the password as an environment variable: 1. Make a copy of the default options file. ```shell $ cp config/options.yml my-options.yml ``` 2. To edit the new options file and define the key store details, add an item in the `truststores` section. Specify the password value using the `${ENVIRONMENT_VARIABLE}` notation. Also, assign the password to a policy configuration key so it can be used in the Trust Framework. ``` core: TrustStorePassword: ${TRUST_STORE_PASSWORD} truststores: - name: MyCATrustStore resource: /path/to/my-ca-truststore.jks # TRUST_STORE_PASSWORD is an environment variable password: ${TRUST_STORE_PASSWORD} # Other options omitted for brevity... ``` 3. Stop the Policy Editor. ```shell $ bin/stop-server ``` 4. Run `setup` using the `--optionsFile` argument. Customize all other options as appropriate for your needs. ```shell $ bin/setup demo \ --adminUsername admin \ --generateSelfSignedCertificate \ --decisionPointSharedSecret pingauthorize \ --hostname \ --port \ --adminPort \ --licenseKeyFile \ --optionsFile my-options.yml ``` 5. Set the value of the `TRUST_STORE_PASSWORD` environment variable and start the server. ```shell $ export TRUST_STORE_PASSWORD=password123; bin/start-server ``` The policy configuration key that you defined can be used in the Trust Framework. You must first create an attribute to hold the policy configuration key value. Add an attribute with the following settings. | Property | Value | | -------------- | ------------------ | | Name | TrustStorePassword | | Resolver Type | Configuration Key | | Resolver Value | TrustStorePassword | The following image shows the attribute in the Policy Editor. ![Screen capture illustrating the TrustStorePassword attribute, configured as specified, in the Policy Editor](_images/bmo1585575707982.png) After you define the policy information provider in the Trust Framework, you can refer to the trust store password using the TrustStorePassword attribute. ![Screen capture illustrating the Certificate Validation section, configured as specified, in the Policy Editor](_images/dki1585575939991.png) If you later use a trust store with a different password, you can redefine the `TRUST_STORE_PASSWORD` environment variable and restart the server. ```shell $ bin/stop-server $ export TRUST_STORE_PASSWORD=new-password; bin/start-server ```