boundary/website/content/docs/configuration/worker.mdx

---
layout: docs
page_title: Worker - Configuration
sidebar_title: worker
description: |-
  The worker stanza configures worker-specifc parameters.
---

# `worker` Stanza

The `worker` stanza configures Boundary worker-specific parameters.

```hcl
worker {
  name = "example-worker"
  description = "An example worker"
  public_addr = "5.1.23.198"
}
```

- `name` - Specifies a unique name of this worker within the Boundary worker cluster.

- `description` - Specifies a friendly description of this worker.

- `public_addr` - Specifies the public IP address for the worker to be reached on. This is useful for cloud environments that do not bind a publicly accessible IP to a NIC on the host directly, such as an Amazon EIP.

- `controllers` - A list of IP addresses for reaching controllers on port :9202.

- KMS block designated for `worker-auth` - This is the KMS configuration for authentication between the workers and controllers and must be present. Example:
```hcl
kms "aead" {
	purpose = "worker-auth"
	aead_type = "aes-gcm"
	key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
	key_id = "global_worker-auth"
}
```

# Complete Configuration Example

```hcl
listener "tcp" {
	purpose = "proxy"
	tls_disable = true
	proxy_protocol_behavior = "allow_authorized"
	proxy_protocol_authorized_addrs = "127.0.0.1"
}

worker {
  # Name attr must be unique across workers if running in HA mode
	name = "demo-worker-1"
	description = "A default worker created demonstration"

  # Workers must be able to reach controllers on :9202
	controllers = [
    "10.0.0.1",
    "10.0.0.2",
    "10.0.0.3",
  ]
}

# must be same key as used on controller config
kms "aead" {
	purpose = "worker-auth"
	aead_type = "aes-gcm"
	key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
	key_id = "global_worker-auth"
}
```