Configuration Reference

This page defines the format of OPA configuration files. Fields marked as required must be specified if the parent is defined. For example, when the configuration contains a status key, the status.service field must be defined.

The configuration file path is specified with the -c or --config-file command line argument:

  1. opa run -s -c config.yaml

The file can be either JSON or YAML format.

Example

  1. services:
  2.   acmecorp:
  3.     url: https://example.com/control-plane-api/v1
  4.     credentials:
  5.       bearer:
  6.         token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"
  8. labels:
  9.   app: myapp
  10.   region: west
  11.   environment: production
  13. bundle:
  14.   name: http/example/authz
  15.   service: acmecorp
  16.   prefix: bundles
  17.   polling:
  18.     min_delay_seconds: 60
  19.     max_delay_seconds: 120
  21. decision_logs:
  22.   service: acmecorp
  23.   reporting:
  24.     min_delay_seconds: 300
  25.     max_delay_seconds: 600
  27. status:
  28.   service: acmecorp
  30. default_decision: /http/example/authz/allow

Environment Variable Substitution

Only supported with the OPA runtime (opa run).

Environment variables referenced with the ${...} notation within the configuration will be replaced with the value of the environment variable.

Example using BASE_URL and BEARER_TOKEN environment variables:

  1. services:
  2.   acmecorp:
  3.     url: ${BASE_URL}
  4.     credentials:
  5.       bearer:
  6.         token: "${BEARER_TOKEN}"
  8. discovery:
  9.   name: /example/discovery
  10.   prefix: configuration

The environment variables BASE_URL and BEARER_TOKEN will be substituted in when the config file is loaded by the OPA runtime.

If the variable is undefined then an empty string ("") is substituted. It will not raise an error.

CLI Runtime Overrides

Only supported with the OPA runtime (opa run).

Using opa run there are CLI options to explicitly set config values. These will override any values set in the config file.

There are two options to use: --set and --set-file

Both options take in a key=value format where the key is a selector for the yaml config structure, for example: decision_logs.reporting.min_delay_seconds=300 is equivalent to JSON {"decision_logs: {"reporting": {"min_delay_seconds: 300}}}. Multiple values can be specified with comma separators (key1=value,key2=value2,..). Or with additional --set parameters.

Example using several different options:

  1. opa run \
  2.   --set "default_decision=/http/example/authz/allow" \
  3.   --set "services.acmecorp.url=https://test-env/control-plane-api/v1" \
  4.   --set "services.acmecorp.credentials.bearer.token=\${TOKEN}"
  5.   --set "labels.app=myapp,labels.region=west"

This is equivalent to a YAML config file that looks like:

  1. services:
  2.   acmecorp:
  3.     url: https://test-env/control-plane-api/v1
  4.     credentials:
  5.       bearer:
  6.         token: ${TOKEN}
  8. labels:
  9.   app: myapp
  10.   region: west
  12. default_decision: /http/example/authz/allow

The --set-file option is expecting a file path for the value. This allows keeping secrets in files and loading them into the config at run time. For Example:

With a file /var/run/secrets/bearer_token.txt that has contents:

  1. bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm

Then using the --set-file flag for OPA

  1. opa run --set-file "services.acmecorp.credentials.bearer.token=/var/run/secrets/bearer_token.txt"

It will read the contents of the file and set the config value with the token.

Override Limitations

If using arrays/lists in the configuration the --set and --set-file overrides will not be able to patch sub-objects of the list. They will overwrite the entire index with the new object.

For example, a config.yaml file with contents:

  1. services:
  2.   - name: acmecorp
  3.     url: https://test-env/control-plane-api/v1
  4.     credentials:
  5.       bearer:
  6.         token: ""

Used with overrides:

  1. opa run \
  2.   --config-file config.yaml
  3.   --set-file "services[0].credentials.bearer.token=/var/run/secrets/bearer_token.txt"

Will result in configuration like:

  1. services:
  2.   - credentials:
  3.       bearer:
  4.         token: bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm

Because the entire 0 index was overwritten.

It is highly recommended to use objects/maps instead of lists for configuration for this reason.

Services

Services represent endpoints that implement one or more control plane APIs such as the Bundle or Status APIs. OPA configuration files may contain multiple services.

FieldTypeRequiredDescription
services[].namestringYesUnique name for the service. Referred to by plugins.
services[].urlstringYesBase URL to contact the service with.
services[].headersobjectNoHTTP headers to include in requests to the service.
services[].allowinsecure_tlsboolNoAllow insecure TLS.
services[].credentials.bearer.tokenstringNoEnables token-based authentication and supplies the bearer token to authenticate with.
services[].credentials.bearer.schemestringNoBearer token scheme to specify.
services[].credentials.clienttls.certstringNoThe path to the client certificate to authenticate with.
services[].credentials.clienttls.private_keystringNoThe path to the private key of the client certificate.
services[].credentials.client_tls.private_key_passphrasestringNoThe passphrase to use for the private key.

Services can be defined as an array or object. When defined as an object, the object keys override the services[_].name fields. For example:

  1. services:
  2.   s1:
  3.     url: https://s1/example/
  4.   s2:
  5.     url: https://s2/

Is equivalent to

  1. services:
  2.   - name: s1
  3.     url: https://s1/example/
  4.   - name: s2
  5.     url: https://s2/

Miscellaenous

FieldTypeRequiredDescription
labelsobjectYesSet of key-value pairs that uniquely identify the OPA instance. Labels are included when OPA uploads decision logs and status information.
default_decisionstringNo (default: /system/main)Set path of default policy decision used to serve queries against OPA’s base URL.
default_authorization_decisionstringNo (default: /system/authz/allow)Set path of default authorization decision for OPA’s API.
pluginsobjectNo (default: {})Location for custom plugin configuration. See Plugins for details.

Bundles

FieldTypeRequiredDescription
bundle.namestringYesName of the bundle to download.
bundle.prefixstringNo (default: bundles)Path prefix to use to download bundle from remote server.
bundle.servicestringYesName of service to use to contact remote server.
bundle.polling.min_delay_secondsint64No (default: 60)Minimum amount of time to wait between bundle downloads.
bundle.polling.max_delay_secondsint64No (default: 120)Maximum amount of time to wait between bundle downloads.

Status

FieldTypeRequiredDescription
status.servicestringYesName of service to use to contact remote server.
status.partition_namestringNoPath segment to include in status updates.

Decision Logs

FieldTypeRequiredDescription
decision_logs.servicestringYesName of the service to use to contact remote server.
decision_logs.partition_namestringNoPath segment to include in status updates.
decision_logs.reporting.buffer_size_limit_bytesint64NoDecision log buffer size limit in bytes. OPA will drop old events from the log if this limit is exceeded. By default, no limit is set.
decision_logs.reporting.upload_size_limit_bytesint64No (default: 32768)Decision log upload size limit in bytes. OPA will chunk uploads to cap message body to this limit.
decision_logs.reporting.min_delay_secondsint64No (default: 300)Minimum amount of time to wait between uploads.
decision_logs.reporting.max_delay_secondsint64No (default: 600)Maximum amount of time to wait between uploads.
decision_logs.pluginstringNoUse the named plugin for decision logging. If this field exists, the other configuration fields are not required.

Discovery

FieldTypeRequiredDescription
discovery.namestringYesName of the discovery configuration to download.
discovery.prefixstringNo (default: bundles)Path prefix to use to download configuration from remote server.
discovery.polling.min_delay_secondsint64No (default: 60)Minimum amount of time to wait between configuration downloads.
discovery.polling.max_delay_secondsint64No (default: 120)Maximum amount of time to wait between configuration downloads.