Sidecar Environment Variables
These variables apply to both AWS Secrets Manager and Azure Key Vault, except the ones noted.
| Key | Required/Optional | Description | Example |
|---|---|---|---|
| ALTR_PRIVATE_KEY_CONTENT | Optional | The private key in the key-pair used to authenticate the sidecar in ALTR’s control plane. The public key is registered in ALTR. Do not provide this variable if you have mounted your private key to the sidecar. | -----BEGIN PRIVATE KEY----- ABC ....DEF-----END PRIVATE KEY----- |
| ALTR_PRIVATE_KEY_PATH | Optional | Defines the location of a mounted private key. If not provided, the sidecar assumes a mounted key exists at /app/private.pem. | — |
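| AWS_DEFAULT_REGION | Required (only for AWS Secrets Manager) | AWS region for Secrets Manager and other AWS services. AWS_DEFAULT_REGION and AWS_REGION are both required for database credential retrieval. | us-east-2 |
| AWS_REGION | Required (only for AWS Secrets Manager) | AWS region for Secrets Manager and other AWS services. AWS_DEFAULT_REGION and AWS_REGION are both required for database credential retrieval. | us-east-2 |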
| LOG_AUDITS_TO_STDOUT | Optional | When set to true, audit logs are generated and written to stdout in JSON format. The default is false. | false |
| LOG_LEVEL | Optional | Controls the application/root logging level used by sidecar (e.g., DEBUG, INFO, WARN, ERROR). The default is INFO. | DEBUG |
| LOG_MAX_FILE_SIZE | Optional | Maximum size of the active log file before sidecar rotates it (rolled files are compressed archives). The default is 100MB. | 250MB |
| LOG_MAX_HISTORY | Optional | Number of rotated log archives to keep before older ones are deleted. The default is 30. | 14 |
| LOG_ROTATION_INTERVAL_DAYS | Optional | Time-based log rotation interval in days (rotation can happen due to time and/or size - whichever occurs first). The default is 1. | 7 |
| SERVER_BIND_ADDRESS | Optional | IP address the sidecar’s database listener ports bind to; 0.0.0.0 allows external/Docker access, 127.0.0.1 limits to local machine only. The default is 0.0.0.0. | 127.0.0.1 |
| SIDECAR_CONFIG_REFRESH_INTERVAL | Optional | How often the runtime polls the control plane / data plane for updated sidecar configuration and applies changes (e.g., listener ports/bindings/flags). The default is 5 minutes. | 30s |
| SIDECAR_DATAPLANE_BASE_URL | Required | Base URL for the control plane API that manages configuration and policies. This is the Data Plane URL that you copy from ALTR once you register the sidecar to ALTR. | https://sc-data-trunnion1.568950776381.sandbox.ct.dev.altr.com |
| SIDECAR_HEALTH_CHECK_IP | Optional | IP address the health-check endpoint binds to (port 8080 is fixed); set to 0.0.0.0 if a load balancer must reach it. Used for customers to check the health of a deployed sidecar. The default is 127.0.0.1. | 0.0.0.0 |
| SIDECAR_ID | Required | Unique identifier for this specific sidecar instance. It is used to identify this sidecar in the control plane. This is the Sidecar ID that you copy from ALTR once you register the sidecar to ALTR. | 1db4ee3c-0e1d-43cc-a5ef-ee8cb209a2ea |
| SIDECAR_INSTANCE_ID | Optional | The ID that the sidecar software uses to identify itself when communicating with ALTR. If it is not set, the instance generates a random UUID. Setting an Instance ID provides a consistent identifier that makes monitoring and troubleshooting easier across reboots. | 4fc6f120-e666-4a9b-afe6-63a3914aa0ab |
| SIDECAR_ORG_ID | Required | Your organization’s identifier in ALTR. This ID is used for auditing, telemetry and configuration retrieval. This is the Client ID visible once you register the sidecar to ALTR. | 8cd73ffc-2826-4b87-a10b-f9b04afeb6c0 |
| SIDECAR_POLICY_REFRESH_INTERVAL | Optional | Defines how often (in minutes) to refresh policies from the control plane. | 1 |
| SIDECAR_TAGS | Optional | Comma-separated key=value telemetry tags used to label/group sidecar deployments. If not set, the default is no tags. If set, it must be non-empty; otherwise startup fails. NOTES: Format: comma-separated pairs, `key=value,key2=value2`. Strict parsing: every comma-delimited segment must contain exactly ONE unescaped `=`. Escaping: use `\=` to include a literal `=` in a key or value (e.g., `my\=key=value` or `key=val\=ue`). Backslashes: ONLY `\=` is allowed; other escapes like `\\` or `\u` are invalid (Windows paths with `\` will fail; use forward slashes). Limits: max 50 unique tags (after duplicate-key consolidation). Key rules: 1–128 chars; must NOT start with lowercase `altr:`. Value rules: 0–256 chars (empty value allowed, e.g., `key=`). Allowed characters (keys/values): Unicode letters, numbers, spaces, and: _ . : / = + - @ Not allowed: commas or quotes in keys/values. Duplicates: duplicate keys are allowed; later values overwrite earlier ones ("last one wins"). Safety: tags may be logged once at startup and are sent upstream; do not put secrets/PII in them. | env=prod,region=us-east-1,owner=platform-team1 |
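
A pre-deployment check for SIDECAR_TAGS, written from the rules in the table above so a bad value is caught before the sidecar refuses to start. This is an added example, not ALTR's parser: the name `parse_sidecar_tags` is hypothetical, and it assumes the escape sequence is backslash-equals, that lengths are measured after unescaping, and that whitespace is not trimmed.

```python
MAX_TAGS, MAX_KEY, MAX_VALUE = 50, 128, 256
# Allowed besides Unicode letters and numbers (str.isalnum): space _ . : / = + - @
EXTRA_CHARS = set(" _.:/=+-@")


def _allowed(text):
    return all(ch.isalnum() or ch in EXTRA_CHARS for ch in text)


def parse_sidecar_tags(raw):
    """Return {key: value}, or raise ValueError naming the rule that was broken."""
    if raw == "":
        raise ValueError("SIDECAR_TAGS is set but empty")
    tags = {}
    for segment in raw.split(","):
        parts, current, i = [], "", 0
        while i < len(segment):
            ch = segment[i]
            if ch == "\\":
                # Only backslash-equals is a valid escape (assumed spelling).
                if segment[i + 1:i + 2] != "=":
                    raise ValueError(f"invalid escape in {segment!r}")
                current, i = current + "=", i + 2
            elif ch == "=":
                parts.append(current)  # unescaped '=' splits key from value
                current, i = "", i + 1
            else:
                current, i = current + ch, i + 1
        parts.append(current)
        if len(parts) != 2:
            raise ValueError(f"{segment!r} needs exactly one unescaped '='")
        key, value = parts
        if not 1 <= len(key) <= MAX_KEY or len(value) > MAX_VALUE:
            raise ValueError(f"length limit exceeded in {segment!r}")
        if key.startswith("altr:"):
            raise ValueError(f"reserved key prefix in {segment!r}")
        if not (_allowed(key) and _allowed(value)):
            raise ValueError(f"disallowed character in {segment!r}")
        tags[key] = value  # duplicate keys: last one wins
    if len(tags) > MAX_TAGS:
        raise ValueError(f"{len(tags)} unique tags exceeds {MAX_TAGS}")
    return tags


if __name__ == "__main__":
    import os
    raw = os.environ.get("SIDECAR_TAGS")
    if raw is not None:
        print(sorted(parse_sidecar_tags(raw)))  # keys only, values stay out of CI logs
```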