Configuration Reference

This page defines the format of OPA configuration files. Fields marked as required must be specified if the parent is defined. For example, when the configuration contains a status key, the status.service field must be defined.

The configuration file path is specified with the -c or --config-file command line argument:

opa run -s -c config.yaml

Example

services:
  - name: acmecorp
    url: https://example.com/control-plane-api/v1
    credentials:
      bearer:
        token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

labels:
  app: myapp
  region: west
  environment: production

bundle:
  name: http/example/authz
  service: acmecorp
  prefix: bundles
  polling:
    min_delay_seconds: 60
    max_delay_seconds: 120

decision_logs:
  service: acmecorp
  reporting:
    min_delay_seconds: 300
    max_delay_seconds: 600

status:
  service: acmecorp

default_decision: /http/example/authz/allow

Services

Services represent endpoints that implement one or more control plane APIs such as the Bundle or Status APIs. OPA configuration files may contain multiple services.

| Field | Type | Required | Description |
|---|---|---|---|
| services[_].name | string | Yes | Unique name for the service. Referred to by plugins. |
| services[_].url | string | Yes | Base URL to contact the service with. |
| services[_].headers | object | No | HTTP headers to include in requests to the service. |
| services[_].allow_insecure_tls | bool | No | Allow insecure TLS (skips verification of the server certificate). |
| services[_].credentials.bearer.token | string | No | Enables token-based authentication and supplies the bearer token to authenticate with. |
| services[_].credentials.bearer.scheme | string | No | Bearer token scheme to specify. |
| services[_].credentials.client_tls.cert | string | No | The path to the client certificate to authenticate with. |
| services[_].credentials.client_tls.private_key | string | No | The path to the private key of the client certificate. |
| services[_].credentials.client_tls.private_key_passphrase | string | No | The passphrase to use for the private key. |

Services can be defined as an array or object. When defined as an object, the object keys override the services[_].name fields.

Miscellaneous

| Field | Type | Required | Description |
|---|---|---|---|
| labels | object | Yes | Set of key-value pairs that uniquely identify the OPA instance. Labels are included when OPA uploads decision logs and status information. |
| default_decision | string | No (default: /system/main) | Set path of default policy decision used to serve queries against OPA's base URL. |
| default_authorization_decision | string | No (default: /system/authz/allow) | Set path of default authorization decision for OPA's API. |
| plugins | object | No (default: {}) | Location for custom plugin configuration. See Plugins for details. |

Bundles

| Field | Type | Required | Description |
|---|---|---|---|
| bundle.name | string | Yes | Name of the bundle to download. |
| bundle.prefix | string | No (default: bundles) | Path prefix to use to download bundle from remote server. |
| bundle.service | string | Yes | Name of service to use to contact remote server. |
| bundle.polling.min_delay_seconds | int64 | No (default: 60) | Minimum amount of time to wait between bundle downloads. |
| bundle.polling.max_delay_seconds | int64 | No (default: 120) | Maximum amount of time to wait between bundle downloads. |

Status

| Field | Type | Required | Description |
|---|---|---|---|
| status.service | string | Yes | Name of service to use to contact remote server. |
| status.partition_name | string | No | Path segment to include in status updates. |

Decision Logs

| Field | Type | Required | Description |
|---|---|---|---|
| decision_logs.service | string | Yes | Name of the service to use to contact remote server. |
| decision_logs.partition_name | string | No | Path segment to include in decision log uploads. |
| decision_logs.reporting.buffer_size_limit_bytes | int64 | No | Decision log buffer size limit in bytes. OPA will drop old events from the log if this limit is exceeded. By default, no limit is set. |
| decision_logs.reporting.upload_size_limit_bytes | int64 | No (default: 32768) | Decision log upload size limit in bytes. OPA will chunk uploads to cap message body to this limit. |
| decision_logs.reporting.min_delay_seconds | int64 | No (default: 300) | Minimum amount of time to wait between uploads. |
| decision_logs.reporting.max_delay_seconds | int64 | No (default: 600) | Maximum amount of time to wait between uploads. |
| decision_logs.plugin | string | No | Use the named plugin for decision logging. If this field exists, the other configuration fields are not required. |

Discovery

| Field | Type | Required | Description |
|---|---|---|---|
| discovery.name | string | Yes | Name of the discovery configuration to download. |
| discovery.prefix | string | No (default: bundles) | Path prefix to use to download configuration from remote server. |
| discovery.polling.min_delay_seconds | int64 | No (default: 60) | Minimum amount of time to wait between configuration downloads. |
| discovery.polling.max_delay_seconds | int64 | No (default: 120) | Maximum amount of time to wait between configuration downloads. |
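The rules above are easy to get wrong by hand: a required field is only required once its parent section exists, `services` may be an array or an object whose keys become the service names, and every `bundle.service`, `status.service` and `decision_logs.service` value must name a defined service. The following linter is an added example written for this page; it is not part of OPA and OPA performs its own validation at startup. It takes the configuration as the dict `yaml.safe_load` would return, applies the required-field, service-reference and delay-ordering rules from the tables above, and additionally flags the two settings a security reviewer always asks about: `allow_insecure_tls` and a non-HTTPS service URL that would carry the bearer token in clear text. Both sample configurations are constructed here; the first mirrors the example at the top of this page with the token replaced.

```python
"""Added example: a linter for OPA configuration files (not OPA's own code)."""
from typing import Any

# Fields this reference marks as required, per top-level section. They only
# apply when the parent section is present in the config.
REQUIRED_FIELDS = {
    "bundle": ("name", "service"),
    "status": ("service",),
    "decision_logs": ("service",),
    "discovery": ("name",),
}

# (section, sub-key) pairs that carry min/max delay settings.
DELAY_SETTINGS = (
    ("bundle", "polling"),
    ("discovery", "polling"),
    ("decision_logs", "reporting"),
)


def normalize_services(services: Any) -> list[dict]:
    """Return `services` as a list of dicts; object keys override `name`."""
    if services is None:
        return []
    if isinstance(services, dict):
        return [{**cfg, "name": name} for name, cfg in services.items()]
    return list(services)


def lint_services(services: list[dict]) -> tuple[set[str], list[str]]:
    """Check each service entry; return (defined names, findings)."""
    names: set[str] = set()
    findings: list[str] = []
    for i, svc in enumerate(services):
        label = f"services[{i}]"
        name = svc.get("name")
        if not name:
            findings.append(f"{label}: name is required")
        elif name in names:
            findings.append(f"{label}: duplicate service name {name!r}")
        else:
            names.add(name)
        url = svc.get("url")
        if not url:
            findings.append(f"{label}: url is required")
        elif not url.startswith("https://"):
            findings.append(f"{label}: url is not https; bearer tokens would travel in clear text")
        if svc.get("allow_insecure_tls"):
            findings.append(f"{label}: allow_insecure_tls disables server certificate verification")
        tls = (svc.get("credentials") or {}).get("client_tls")
        if tls is not None and not (tls.get("cert") and tls.get("private_key")):
            findings.append(f"{label}: client_tls needs both cert and private_key")
    return names, findings


def lint(config: dict) -> list[str]:
    """Return findings for a parsed config; an empty list means it passed."""
    names, findings = lint_services(normalize_services(config.get("services")))
    if "labels" not in config:
        findings.append("labels is required")
    for section, fields in REQUIRED_FIELDS.items():
        sect = config.get(section)
        if sect is None:
            continue  # required fields apply only when the parent is defined
        if section == "decision_logs" and "plugin" in sect:
            continue  # a named plugin replaces the service/reporting settings
        for field in fields:
            if field not in sect:
                findings.append(f"{section}.{field} is required")
        ref = sect.get("service")
        if ref is not None and ref not in names:
            findings.append(f"{section}.service references undefined service {ref!r}")
    for section, key in DELAY_SETTINGS:
        delays = (config.get(section) or {}).get(key) or {}
        lo, hi = delays.get("min_delay_seconds"), delays.get("max_delay_seconds")
        if lo is not None and hi is not None and lo > hi:
            findings.append(f"{section}.{key}: min_delay_seconds exceeds max_delay_seconds")
    return findings


# Constructed sample: the example from this page, token redacted.
GOOD_CONFIG = {
    "services": [{"name": "acmecorp", "url": "https://example.com/control-plane-api/v1",
                  "credentials": {"bearer": {"token": "REDACTED"}}}],
    "labels": {"app": "myapp", "region": "west", "environment": "production"},
    "bundle": {"name": "http/example/authz", "service": "acmecorp", "prefix": "bundles",
               "polling": {"min_delay_seconds": 60, "max_delay_seconds": 120}},
    "decision_logs": {"service": "acmecorp",
                      "reporting": {"min_delay_seconds": 300, "max_delay_seconds": 600}},
    "status": {"service": "acmecorp"},
    "default_decision": "/http/example/authz/allow",
}

# Constructed sample with typical mistakes: services given as an object, a plain
# http URL with TLS checks disabled, no labels, a bundle without a name, a status
# section pointing at an undefined service, and swapped polling delays.
BAD_CONFIG = {
    "services": {"acmecorp": {"url": "http://example.com/control-plane-api/v1",
                              "allow_insecure_tls": True}},
    "bundle": {"service": "acmecorp",
               "polling": {"min_delay_seconds": 120, "max_delay_seconds": 60}},
    "status": {"service": "acmecorp-prod"},
    "decision_logs": {"plugin": "my_logger"},  # plugin set, so service not required
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {lint(cfg) or 'OK'}")
```

Run it against a real file by replacing the constructed dicts with `yaml.safe_load(open(path))`; the linter deliberately treats `decision_logs.plugin` as satisfying the section, as the Decision Logs table states, and treats `discovery` as having no service reference because this reference lists none.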