# Identity as Code
This page explains how to configure Identity as Code in the Camunda 8 Self-Managed Orchestration Cluster. Use Identity as Code to create users, roles, groups, authorizations, mapping rules, and tenants at application start.
## Use cases
Identity as Code simplifies configuring Self-Managed orchestration clusters across multiple stages. You can create all Identity-related entities on one stage and then deploy them to other stages without further interaction, reducing the chance of error.
Another use case is local development, where a cluster might be recreated regularly.
After Identity has created an entity, changing its configuration does not update the existing entity: Identity checks only the ID to decide whether an entity already exists, so the remaining attributes of the configured entry are ignored on later starts.
When you deploy with Helm, the most reliable approach is to provide Identity as Code settings through application configuration using `orchestration.extraConfiguration`. The Helm examples below use this pattern so you can apply the same approach consistently across all entity types.

On Helm chart camunda-platform-8.8, `orchestration.extraConfiguration` is a map (`filename: |`), not the `- file:` / `content:` array form introduced in chart 8.9. You must also set `SPRING_CONFIG_IMPORT` so Spring Boot loads the mounted file. The examples below show the required 8.8 syntax.
## Configure authorizations

### Environment variables

```bash
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_OWNER_TYPE=USER
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_OWNER_ID=john.doe
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_RESOURCE_TYPE=RESOURCE
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_RESOURCE_ID=*
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_PERMISSIONS=CREATE,READ
```

### Helm values

```yaml
orchestration:
  env:
    - name: SPRING_CONFIG_IMPORT
      value: "optional:file:/usr/local/camunda/config/identity-as-code.yaml"
  extraConfiguration:
    identity-as-code.yaml: |
      camunda:
        security:
          initialization:
            authorizations:
              - ownerType: USER
                ownerId: john.doe
                resourceType: RESOURCE
                resourceId: "*"
                permissions:
                  - CREATE
                  - READ
```
## Configure groups

### Environment variables

```bash
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_GROUP_ID=test-group
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_NAME="Test Group"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_DESCRIPTION="A cool test group!"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_CLIENTS="ClientA,ClientB,ClientC"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_MAPPING_RULES="RuleA,RuleB,RuleC"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_USERS="UserA,UserB,UserC"
```

### Helm values

```yaml
orchestration:
  env:
    - name: SPRING_CONFIG_IMPORT
      value: "optional:file:/usr/local/camunda/config/identity-as-code.yaml"
  extraConfiguration:
    identity-as-code.yaml: |
      camunda:
        security:
          initialization:
            groups:
              - groupId: test-group
                name: Test Group
                description: A cool test group!
                clients:
                  - ClientA
                  - ClientB
                  - ClientC
                mappingRules:
                  - RuleA
                  - RuleB
                  - RuleC
                users:
                  - UserA
                  - UserB
                  - UserC
```
## Configure mapping rules

### Environment variables

```bash
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMNAME=isAllowedToDoStuff
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMVALUE=true
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_MAPPINGRULEID=my-mapping-rule
```

### Helm values

```yaml
orchestration:
  env:
    - name: SPRING_CONFIG_IMPORT
      value: "optional:file:/usr/local/camunda/config/identity-as-code.yaml"
  extraConfiguration:
    identity-as-code.yaml: |
      camunda:
        security:
          initialization:
            mappingRules:
              - claimName: isAllowedToDoStuff
                claimValue: "true"
                mappingRuleId: my-mapping-rule
```
## Configure roles

### Environment variables

```bash
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_ROLE_ID=test-role
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_NAME="Test Role"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_DESCRIPTION="A cool test role!"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_CLIENTS="client1,client2"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_GROUPS="group1,group2"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_MAPPING_RULES="m1,m2"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_USERS="UserA,UserB,UserC"
```

### Helm values

```yaml
orchestration:
  env:
    - name: SPRING_CONFIG_IMPORT
      value: "optional:file:/usr/local/camunda/config/identity-as-code.yaml"
  extraConfiguration:
    identity-as-code.yaml: |
      camunda:
        security:
          initialization:
            roles:
              - roleId: test-role
                name: Test Role
                description: A cool test role!
                clients:
                  - client1
                  - client2
                groups:
                  - group1
                  - group2
                mappingRules:
                  - m1
                  - m2
                users:
                  - UserA
                  - UserB
                  - UserC
```
## Configure tenants

### Environment variables

```bash
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_TENANT_ID=tenantId
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_NAME="test tenant"
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_DESCRIPTION="test tenant description"
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_CLIENTS='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_GROUPS='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_MAPPING_RULES='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_ROLES='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_USERS='UserA,UserB,UserC'
```

### Helm values

```yaml
orchestration:
  env:
    - name: SPRING_CONFIG_IMPORT
      value: "optional:file:/usr/local/camunda/config/identity-as-code.yaml"
  extraConfiguration:
    identity-as-code.yaml: |
      camunda:
        security:
          initialization:
            tenants:
              - tenantId: tenantId
                name: test tenant
                description: test tenant description
                clients:
                  - R1
                  - R2
                  - R3
                  - R4
                groups:
                  - R1
                  - R2
                  - R3
                  - R4
                mappingRules:
                  - R1
                  - R2
                  - R3
                  - R4
                roles:
                  - R1
                  - R2
                  - R3
                  - R4
                users:
                  - UserA
                  - UserB
                  - UserC
```
## Configure users

When configuring users, never hardcode the password. Resolve it from a vault instead.

### Environment variables

```bash
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_EMAIL=john.doe@example.com
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_NAME="john doe"
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_PASSWORD=*****
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_USERNAME=john.doe
```

### Helm values

```yaml
orchestration:
  env:
    - name: SPRING_CONFIG_IMPORT
      value: "optional:file:/usr/local/camunda/config/identity-as-code.yaml"
  extraConfiguration:
    identity-as-code.yaml: |
      camunda:
        security:
          initialization:
            users:
              - email: john.doe@example.com
                name: John Doe
                password: "*****"
                username: john.doe
```
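The environment-variable and Helm forms above describe the same `camunda.security.initialization` tree, and because Identity matches existing entities by ID only, a bundle is worth reviewing before it is applied at start-up. The following added example (not Camunda's code) converts the environment-variable form into that tree using the relaxed-binding rule Spring applies (case and underscores in the name are ignored), then reports duplicate IDs within an entity list and wildcard authorizations; the property table covers only the properties shown on this page, and the ID field per entity type is an assumption taken from the examples.

```python
import re

PREFIX = "CAMUNDA_SECURITY_INITIALIZATION_"
# Spring relaxed binding ignores case and underscores in env names, so map the
# canonical form back to the camelCase property used in the YAML form.
CANON = {k.lower(): k for k in (
    "authorizations groups mappingRules roles tenants users ownerType ownerId "
    "resourceType resourceId permissions groupId name description clients "
    "claimName claimValue mappingRuleId roleId tenantId email password username").split()}
LIST_FIELDS = {"permissions", "clients", "mappingRules", "users", "groups", "roles"}
# Identity decides "already exists" by ID only; assumed ID field per entity type.
ID_FIELDS = {"groups": "groupId", "mappingRules": "mappingRuleId",
             "roles": "roleId", "tenants": "tenantId", "users": "username"}
ENTITY_RE = re.compile(r"^([A-Z_]+?)_(\d+)_([A-Z_]+)$")


def env_to_initialization(lines):
    """Build the dict that camunda.security.initialization would hold."""
    init = {}
    for raw in lines:
        key, sep, value = raw.strip().partition("=")
        if not sep or not key.startswith(PREFIX):
            continue  # blank line, comment or unrelated variable
        m = ENTITY_RE.match(key[len(PREFIX):])
        if not m:
            raise ValueError(f"unrecognised property: {key}")
        entity = CANON[m.group(1).replace("_", "").lower()]
        idx, field = int(m.group(2)), CANON[m.group(3).replace("_", "").lower()]
        value = value.strip().strip("'\"")  # shell quoting is not part of the value
        items = init.setdefault(entity, [])
        while len(items) <= idx:
            items.append({})
        if field in LIST_FIELDS:
            items[idx][field] = [v.strip() for v in value.split(",")]
        else:
            items[idx][field] = value
    return init


def review(init):
    """Findings worth reading before the bundle is applied at start-up."""
    findings = []
    for entity, id_field in ID_FIELDS.items():
        seen = set()
        for item in init.get(entity, []):
            ident = item.get(id_field)
            if ident in seen:  # a second definition with the same ID is never created
                findings.append(f"duplicate {entity} id {ident!r}")
            seen.add(ident)
    for auth in init.get("authorizations", []):
        if auth.get("resourceId") == "*":
            findings.append(f"wildcard {auth.get('resourceType')} grant: {auth}")
    return findings
```

Feeding the Helm form through a YAML parser and comparing its `initialization` mapping with the returned dict shows whether the two deployments would create the same entities.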