The configuration file path is specified with the -c or --config-file command line argument.

The file can be either JSON or YAML format.

Example

    services:
      acmecorp:
        url: https://example.com/control-plane-api/v1
        response_header_timeout_seconds: 5
        credentials:
          bearer:
            token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

    labels:
      app: myapp
      region: west
      environment: production

    bundles:
      authz:
        service: acmecorp
        resource: bundles/http/example/authz.tar.gz
        persist: true
        polling:
          min_delay_seconds: 60
          max_delay_seconds: 120
        signing:
          keyid: global_key
          scope: write

    decision_logs:
      service: acmecorp
      reporting:
        min_delay_seconds: 300
        max_delay_seconds: 600

    status:
      service: acmecorp

    default_decision: /http/example/authz/allow

    persistence_directory: /var/opa

    keys:
      global_key:
        algorithm: RS256
        key: <PEM_encoded_public_key>
        scope: read

    caching:
      inter_query_builtin_cache:
        max_size_bytes: 10000000

Environment Variable Substitution

Environment variables referenced with the ${...} notation anywhere in the configuration are replaced with the value of that environment variable.

Example using BASE_URL and BEARER_TOKEN environment variables:

    services:
      acmecorp:
        url: ${BASE_URL}
        credentials:
          bearer:
            token: "${BEARER_TOKEN}"

    discovery:
      resource: /configuration/example/discovery
      decision: example

The environment variables BASE_URL and BEARER_TOKEN are substituted in when the config file is loaded by the OPA runtime.

CLI Runtime Overrides

When starting OPA with opa run, there are CLI options that explicitly set config values. These override any values set in the config file.

There are two options: --set and --set-file.

Both options take a key=value argument, where the key is a selector into the YAML config structure. For example, decision_logs.reporting.min_delay_seconds=300 is equivalent to the JSON {"decision_logs": {"reporting": {"min_delay_seconds": 300}}}. Multiple values can be specified separated by commas (key1=value1,key2=value2,...) or with additional --set parameters.

Example using several different options:

    opa run \
      --set "default_decision=/http/example/authz/allow" \
      --set "services.acmecorp.url=https://test-env/control-plane-api/v1" \
      --set "services.acmecorp.credentials.bearer.token=\${TOKEN}"

This is equivalent to a YAML config file that looks like:

    services:
      acmecorp:
        url: https://test-env/control-plane-api/v1
        credentials:
          bearer:
            token: ${TOKEN}

    labels:
      app: myapp
      region: west

    default_decision: /http/example/authz/allow

The --set-file option expects a file path as the value. This allows secrets to be kept in files and loaded into the config at run time. For example, with a file /var/run/secrets/bearer_token.txt that has the contents:

    bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm

the --set-file flag is used like this:

    opa run --set-file "services.acmecorp.credentials.bearer.token=/var/run/secrets/bearer_token.txt"

OPA reads the contents of the file and sets the config value to the token.

Override Limitations
Lists

If the configuration uses arrays/lists, the --set and --set-file overrides cannot patch sub-objects of a list element. They overwrite the entire element at that index with the new object.

For example, a config.yaml file with contents:

Used with overrides:

    opa run \
      --config-file config.yaml \
      --set-file "services[0].credentials.bearer.token=/var/run/secrets/bearer_token.txt"

Will result in configuration like:

    services:
      - credentials:
          bearer:
            token: bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm

because the entire element at index 0 was overwritten.

For this reason it is highly recommended to use objects/maps instead of lists in the configuration.

Empty objects

An override sometimes needs to produce an empty object, for example plugin configuration like:

    decision_logs:
      plugin: my_plugin
    plugins:
      my_plugin:
        # empty

You can do this by setting the value to null. For example:

    opa run --set "decision_logs.plugin=my_plugin" --set "plugins.my_plugin=null"

Keys with Special Characters

If you have a key that contains a special character (., =, etc.), such as opa.example.com, and want to use the --set or --set-file options, you need to escape the character with a backslash (\).

For example a config section like:

    services:
      opa.example.com:
        url: https://opa.example.com

Could be specified with something like:

    --set services.opa\.example\.com.url=https://opa.example.com

Note that when using this in a shell you may need to quote the key or escape the \ character as well. For example:

    --set services."opa\.example\.com".url=https://opa.example.com

or

    --set services.opa\\.example\\.com.url=https://opa.example.com

In both cases the value that actually reaches OPA still has the \. preserved.
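The following Go program is an added illustration of the override rules in this section and is not OPA's own code: it applies --set selectors to a parsed config, handling backslash-escaped keys, the whole-element replacement at a list index, and the null-to-empty-object rule. The config map is assumed to come from a JSON or YAML parser; environment-variable substitution and typing of values beyond strings are left out.

```go
package main

import (
	"strconv"
	"strings"
)

// splitSelector turns a --set key such as services.opa\.example\.com.url into
// segments; a backslash escapes the next byte, so escaped dots stay in one segment.
func splitSelector(key string) []string {
	var segs []string
	var cur strings.Builder
	for i := 0; i < len(key); i++ {
		if key[i] == '\\' && i+1 < len(key) {
			i++
			cur.WriteByte(key[i])
		} else if key[i] == '.' {
			segs = append(segs, cur.String())
			cur.Reset()
		} else {
			cur.WriteByte(key[i])
		}
	}
	return append(segs, cur.String())
}

// setPath stores val under the selector path. A segment written name[i] addresses
// list index i and, as the "Lists" limitation above says, replaces the whole element.
func setPath(node map[string]interface{}, segs []string, val interface{}) {
	name, rest := segs[0], segs[1:]
	if open := strings.IndexByte(name, '['); open > 0 && strings.HasSuffix(name, "]") {
		if idx, err := strconv.Atoi(name[open+1 : len(name)-1]); err == nil && idx >= 0 {
			list, _ := node[name[:open]].([]interface{})
			for len(list) <= idx {
				list = append(list, nil)
			}
			if len(rest) > 0 { // fresh element: every field of the old one is lost
				elem := map[string]interface{}{}
				setPath(elem, rest, val)
				val = elem
			}
			list[idx] = val
			node[name[:open]] = list
			return
		}
	}
	if len(rest) == 0 {
		node[name] = val
		return
	}
	child, ok := node[name].(map[string]interface{})
	if !ok { // create the object, or replace a scalar with one
		child = map[string]interface{}{}
		node[name] = child
	}
	setPath(child, rest, val)
}

// ApplyOverrides applies --set arguments (key=value) in order, so later ones win
// over earlier ones and over the file; "null" yields an empty object.
func ApplyOverrides(cfg map[string]interface{}, sets ...string) {
	for _, kv := range sets {
		k, v, _ := strings.Cut(kv, "=")
		var val interface{} = v
		if v == "null" {
			val = map[string]interface{}{}
		}
		setPath(cfg, splitSelector(k), val)
	}
}
```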

Services

Services represent endpoints that implement one or more control plane APIs such as the Bundle or Status APIs. OPA configuration files may contain multiple services.

Each service may optionally specify a credential mechanism by which OPA will authenticate itself to the service.

Bearer Token

OPA will authenticate using the specified bearer token and scheme. To enable bearer token authentication, either the token or the path to the token must be specified. If the latter is provided, OPA re-reads the token from the file on each request and uses that token for authentication.

The scheme is optional and defaults to Bearer if unspecified.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.bearer.token | string | Yes | Enables token-based authentication and supplies the bearer token to authenticate with.
services[_].credentials.bearer.token_path | string | Yes | Enables token-based authentication and supplies the path to the bearer token to authenticate with.
services[_].credentials.bearer.scheme | string | No | Bearer token scheme to specify.

Client TLS Certificate

OPA will present the specified TLS certificate to authenticate. The paths to the client certificate and the private key are required; the passphrase for the private key is only required if the private key is encrypted.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.client_tls.cert | string | Yes | The path to the client certificate to authenticate with.
services[_].credentials.client_tls.private_key | string | Yes | The path to the private key of the client certificate.
services[_].credentials.client_tls.private_key_passphrase | string | No | The passphrase to use for the private key.

OAuth2 Client Credentials

OPA will authenticate using a bearer token obtained through the OAuth2 client credentials flow. Following successful authentication at the token endpoint, the returned token is cached for subsequent requests for the duration of its lifetime. Note that, as per the OAuth2 standard, only the HTTPS scheme is supported for the token endpoint URL.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.oauth2.token_url | string | Yes | URL pointing to the token endpoint at the OAuth2 authorization server.
services[_].credentials.oauth2.client_id | string | Yes | The client ID to use for authentication.
services[_].credentials.oauth2.client_secret | string | Yes | The client secret to use for authentication.
services[_].credentials.oauth2.scopes | []string | No | Optional list of scopes to request for the token.

OAuth2 Client Credentials JWT authentication

OPA will authenticate using a bearer token obtained through the OAuth2 client credentials flow. Rather than providing a client secret along with the request for an access token, the client asserts its identity in the form of a signed JWT. Following successful authentication at the token endpoint, the returned token is cached for subsequent requests for the duration of its lifetime. Note that, as per the OAuth2 standard, only the HTTPS scheme is supported for the token endpoint URL.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.oauth2.token_url | string | Yes | URL pointing to the token endpoint at the OAuth2 authorization server.
services[_].credentials.oauth2.grant_type | string | No | Defaults to client_credentials.
services[_].credentials.oauth2.client_id | string | No | The client ID to use for authentication.
services[_].credentials.oauth2.signing_key | string | Yes | Reference to the private key used for signing the JWT.
services[_].credentials.oauth2.thumbprint | string | No | Certificate thumbprint to use for x5t header generation.
services[_].credentials.oauth2.additional_claims | map | No | Map of claims to include in the JWT (see notes below).
services[_].credentials.oauth2.include_jti_claim | bool | No | Include a uniquely generated jti claim in any issued JWT.
services[_].credentials.oauth2.scopes | []string | No | Optional list of scopes to request for the token.

Two claims will always be included in the issued JWT: iat and exp. Any other claims will be populated from the additional_claims map.

Example

Using the client credentials grant type with JWT client authentication, the signed JWT replaces the client secret as the credential presented at the token endpoint.

    services:
      remote:
        url: ${BUNDLE_SERVICE_URL}
        credentials:
          oauth2:
            token_url: ${TOKEN_URL}
            grant_type: client_credentials
            client_id: opa-client
            signing_key: jwt_signing_key # references the key in `keys` below
            include_jti_claim: true
            scopes:
              - read
              - write
            additional_claims:
              sub: opa-client
              iss: opa-${POD_NAME}

    bundles:
      authz:
        service: remote
        resource: bundles/http/example/authz.tar.gz

    keys:
      jwt_signing_key:
        algorithm: ES512
        private_key: ${BUNDLE_SERVICE_SIGNING_KEY}

OAuth2 JWT Bearer Grant Type

OPA will authenticate using a bearer token obtained through the OAuth2 JWT bearer grant flow. Rather than providing a client secret along with the request for an access token, the client asserts its identity in the form of a signed JWT. Following successful authentication at the token endpoint, the returned token is cached for subsequent requests for the duration of its lifetime. Note that, as per the OAuth2 standard, only the HTTPS scheme is supported for the token endpoint URL.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.oauth2.token_url | string | Yes | URL pointing to the token endpoint at the OAuth2 authorization server.
services[_].credentials.oauth2.grant_type | string | No | Must be set to jwt_bearer for the JWT bearer grant type. Defaults to client_credentials.
services[_].credentials.oauth2.signing_key | string | Yes | Reference to the private key used for signing the JWT.
services[_].credentials.oauth2.additional_claims | map | No | Map of claims to include in the JWT (see notes below).
services[_].credentials.oauth2.include_jti_claim | bool | No | Include a uniquely generated jti claim in any issued JWT.
services[_].credentials.oauth2.scopes | []string | No | Optional list of scopes to request for the token.

Two claims will always be included in the issued JWT: iat and exp. Any other claims will be populated from the additional_claims map.

Example

Using a bucket as a bundle service backend from outside the cloud account (for access from inside the account, see the GCP Metadata Token section).

AWS Signature

OPA will authenticate with an AWS4 HMAC signature. Several methods of obtaining the necessary credentials are available; exactly one of them must be specified to use the AWS signature authentication method.

Using Static Environment Credentials

If specifying environment_credentials, OPA will expect to find environment variables for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION, in accordance with the convention used by the AWS CLI.

Please note that if you are using temporary IAM credentials (e.g. assumed IAM role credentials) you must also provide the AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN environment variable.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.s3_signing.environment_credentials | {} | Yes | Enables AWS signing using environment variables to source the configuration and credentials.

Using EC2 Metadata Credentials

If specifying metadata_credentials, OPA will use the AWS metadata services for EC2 or ECS to obtain the necessary credentials when running within a supported virtual machine/container.

To use the EC2 metadata service, the IAM role to use and the AWS region for the resource must both be specified as iam_role and aws_region respectively.

To use the ECS metadata service, specify only the AWS region for the resource as aws_region. ECS containers have at most one associated IAM role.

N.B. Providing a value for iam_role will cause OPA to use the EC2 metadata service even if running inside an ECS container. This may result in unexpected problems if, for example, there is no route to the EC2 metadata service from inside the container or if the IAM role is only available within the container and not from the hosting EC2 instance.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.s3_signing.metadata_credentials.aws_region | string | No | The AWS region to use for the AWS signing service credential method. If unset, the AWS_REGION environment variable must be set.
services[_].credentials.s3_signing.metadata_credentials.iam_role | string | No | The IAM role to use for the AWS signing service credential method.

Using EKS IAM Roles for Service Account (Web Identity) Credentials

If specifying web_identity_credentials, OPA will expect to find the environment variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, following the standard AWS convention for web identity credentials.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.s3_signing.web_identity_credentials.aws_region | string | Yes | The AWS region to use for the STS regional endpoint. Uses the global endpoint by default.
services[_].credentials.s3_signing.web_identity_credentials.session_name | string | No | The session name used to identify the assumed role session. Default: open-policy-agent

Services may be written either as a map keyed by service name or as a list of objects that carry a name field. For example:

    services:
      s1:
        url: https://s1/example/
      s2:
        url: https://s2/

is equivalent to:

    services:
      - name: s1
        url: https://s1/example/
      - name: s2
        url: https://s2/

GCP Metadata Token

OPA will authenticate with a GCP access token or identity token fetched from the GCP metadata service. When one or more scopes are provided, an access token is fetched. When a non-empty audience is provided, an identity token is fetched. Either an audience or a scopes array is required.

When authenticating to native GCP services such as Google Cloud Storage, an access token should be used with the set of scopes required by the target resource. When authenticating to a third-party application, such as an application hosted on Google Cloud Run, an identity token should be used.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.gcp_metadata.audience | string | No | The audience to use when fetching identity tokens.
services[_].credentials.gcp_metadata.endpoint | string | No | The metadata endpoint to use.
services[_].credentials.gcp_metadata.scopes | array | No | The set of scopes to use when fetching an access token.
services[_].credentials.gcp_metadata.access_token_path | string | No | The access token metadata path to use.
services[_].credentials.gcp_metadata.id_token_path | string | No | The identity token metadata path to use.

Example

Using a Cloud Run service as a bundle service backend.

    services:
      cloudrun:
        url: ${BUNDLE_SERVICE_URL}
        response_header_timeout_seconds: 5
        credentials:
          gcp_metadata:
            audience: ${BUNDLE_SERVICE_URL}

    bundles:
      authz:
        service: cloudrun
        resource: bundles/http/example/authz.tar.gz
        persist: true
        polling:
          min_delay_seconds: 60
          max_delay_seconds: 120

Using Google Cloud Storage as a bundle service backend.

    services:
      gcs:
        url: https://storage.googleapis.com/storage/v1/b/${BUCKET_NAME}/o
        response_header_timeout_seconds: 5
        credentials:
          gcp_metadata:
            scopes:

    bundles:
      authz:
        service: gcs
        resource: 'bundle.tar.gz?alt=media'
        persist: true
        polling:
          min_delay_seconds: 60
          max_delay_seconds: 120

Custom Plugin

If none of the existing credential options work for a service, OPA can authenticate using a custom plugin, enabling support for any authentication scheme.

Field | Type | Required | Description
--- | --- | --- | ---
services[_].credentials.plugin | string | No | The name of the plugin to use for authentication.

Example

Using a custom plugin for service credentials:

    services:
      my_service:
        url: https://example.com/v1
        credentials:
          plugin: my_custom_auth

    plugins:
      my_custom_auth:
        foo: bar

The plugin itself, in Go:

    package plugins

    import (
    	"context"
    	"net/http"

    	"github.com/open-policy-agent/opa/plugins"
    	"github.com/open-policy-agent/opa/plugins/rest"
    	"github.com/open-policy-agent/opa/runtime"
    	"github.com/open-policy-agent/opa/util"
    )

    // Name is the plugin name referenced by services[_].credentials.plugin.
    const Name = "my_custom_auth"

    // Config holds the plugin's own section under plugins.my_custom_auth.
    type Config struct {
    	Foo string `json:"foo"`
    }

    type PluginFactory struct{}

    type Plugin struct {
    	manager  *plugins.Manager
    	config   Config
    	stop     chan chan struct{}
    	reconfig chan interface{}
    }

    // Validate parses and checks the plugin configuration before New is called.
    func (p *PluginFactory) Validate(manager *plugins.Manager, config []byte) (interface{}, error) {
    	var parsedConfig Config
    	if err := util.Unmarshal(config, &parsedConfig); err != nil {
    		return nil, err
    	}
    	return &parsedConfig, nil
    }

    func (p *PluginFactory) New(manager *plugins.Manager, config interface{}) plugins.Plugin {
    	return &Plugin{
    		config:   *config.(*Config),
    		manager:  manager,
    		stop:     make(chan chan struct{}),
    		reconfig: make(chan interface{}),
    	}
    }

    func (p *Plugin) Start(ctx context.Context) error {
    	go p.loop() // services the stop/reconfig channels so Stop and Reconfigure never block
    	p.manager.UpdatePluginStatus(Name, &plugins.Status{State: plugins.StateOK})
    	return nil
    }

    func (p *Plugin) Stop(ctx context.Context) {
    	done := make(chan struct{})
    	p.stop <- done
    	<-done
    	p.manager.UpdatePluginStatus(Name, &plugins.Status{State: plugins.StateNotReady})
    }

    func (p *Plugin) Reconfigure(ctx context.Context, config interface{}) {
    	p.reconfig <- config
    }

    func (p *Plugin) loop() {
    	for {
    		select {
    		case done := <-p.stop:
    			close(done)
    			return
    		case config := <-p.reconfig:
    			p.config = *config.(*Config)
    		}
    	}
    }

    // NewClient and Prepare are the credential hooks: NewClient builds the HTTP client
    // used to reach the service and Prepare attaches the credentials to each request.
    func (p *Plugin) NewClient(c rest.Config) (*http.Client, error) {
    	t, err := rest.DefaultTLSConfig(c)
    	if err != nil {
    		return nil, err
    	}
    	return rest.DefaultRoundTripperClient(t, *c.ResponseHeaderTimeoutSeconds), nil
    }

    func (p *Plugin) Prepare(req *http.Request) error {
    	req.Header.Add("X-Custom-Auth-Protocol", "knock knock")
    	return nil
    }

    func init() {
    	runtime.RegisterPlugin(Name, &PluginFactory{})
    }

Keys

Keys is a dictionary mapping each key name to the actual key and, optionally, its algorithm and scope.

Field | Type | Required | Description
--- | --- | --- | ---
keys[_].key | string | Yes (unless private_key provided) | PEM encoded public key to use for signature verification.
keys[_].private_key | string | Yes (unless key provided) | PEM encoded private key to use for signing.
keys[_].algorithm | string | No (default: RS256) | Name of the signing algorithm.
keys[_].scope | string | No | Scope to use for bundle signature verification.

The following signing algorithms are supported:

Name | Description
--- | ---
ES256 | ECDSA using P-256 and SHA-256
ES384 | ECDSA using P-384 and SHA-384
ES512 | ECDSA using P-521 and SHA-512
HS256 | HMAC using SHA-256
HS384 | HMAC using SHA-384
HS512 | HMAC using SHA-512
PS256 | RSASSA-PSS using SHA-256 and MGF1-SHA256
PS384 | RSASSA-PSS using SHA-384 and MGF1-SHA384
PS512 | RSASSA-PSS using SHA-512 and MGF1-SHA512
RS256 | RSASSA-PKCS1-v1_5 using SHA-256
RS384 | RSASSA-PKCS1-v1_5 using SHA-384
RS512 | RSASSA-PKCS1-v1_5 using SHA-512

Caching

Caching represents the configuration of the inter-query cache that built-in functions can utilize.

Field | Type | Required | Description
--- | --- | --- | ---
caching.inter_query_builtin_cache.max_size_bytes | int64 | No | Inter-query cache size limit in bytes. OPA will drop old items from the cache if this limit is exceeded. By default, no limit is set.

Bundles

Bundles are defined with a key that is the name of the bundle. This name is used in the status API, decision logs, server provenance, etc.

Each bundle can be configured to verify a bundle signature using the keyid and scope fields. The keyid is the name of one of the keys listed under the keys entry.

Signature verification fails if the bundles[_].signing field is configured on a bundle but no .signatures.json file is included in the bundle's gzipped tarball.

Field | Type | Required | Description
--- | --- | --- | ---
bundles[_].resource | string | No (default: bundles/<name>) | Resource path to use to download the bundle from the configured service.
bundles[_].service | string | Yes | Name of the service to use to contact the remote server.
bundles[_].polling.min_delay_seconds | int64 | No (default: 60) | Minimum amount of time to wait between bundle downloads.
bundles[_].polling.max_delay_seconds | int64 | No (default: 120) | Maximum amount of time to wait between bundle downloads.
bundles[_].persist | bool | No | Persist activated bundles to disk.
bundles[_].signing.keyid | string | No | Name of the key to use for bundle signature verification.
bundles[_].signing.scope | string | No | Scope to use for bundle signature verification.
bundles[_].signing.exclude_files | array | No | Files in the bundle to exclude during verification.
bundles[_].size_limit_bytes | int64 | No (default: 1073741824) | Size limit for individual files contained in the bundle.

Status

Field | Type | Required | Description
--- | --- | --- | ---
status.service | string | Yes | Name of the service to use to contact the remote server.
status.partition_name | string | No | Path segment to include in status updates.
status.console | boolean | No (default: false) | Log the status updates locally to the console. When enabled alongside a remote status update API, the service must be configured explicitly; the default service selection is disabled.
status.plugin | string | No | Use the named plugin for status updates. If this field is set, the other configuration fields are not required.

Decision Logs

Discovery

Field | Type | Required | Description
--- | --- | --- | ---
discovery.resource | string | Yes | Resource path to use to download the bundle from the configured service.
discovery.service | string | No | Name of the service to use to contact the remote server. If omitted, the configuration must contain exactly one service, and discovery defaults to that service.
discovery.decision | string | No | The path of the decision to evaluate in the discovery bundle. By default, OPA evaluates data in the discovery bundle to produce the configuration.
discovery.polling.min_delay_seconds | int64 | No (default: 60) | Minimum amount of time to wait between configuration downloads.
discovery.polling.max_delay_seconds | int64 | No (default: 120) | Maximum amount of time to wait between configuration downloads.
discovery.signing.keyid | string | No | Name of the key to use for bundle signature verification.
discovery.signing.scope | string | No | Scope to use for bundle signature verification.
discovery.signing.exclude_files | array | No | Files in the bundle to exclude during verification.

The following discovery configuration fields are supported but deprecated: