Skip to main content

OPAL Configuration Variables

Provided on this page is a full list of all the OPAL configuration variabls for the OPAL Client and the OPAL Server. Please use this table as a reference.

Common OPAL Configuration Variables

VariablesDescriptionExample
ALLOWED_ORIGINS
PROCESS_NAMEThe process name to be shown in logs.
LOG_FORMAT_INCLUDE_PID
LOG_FORMAT
LOG_TRACEBACK
LOG_SERIALIZESerialize log messages into json format (useful for log aggregation platforms)
LOG_SHOW_CODE_LINE
LOG_LEVEL
LOG_MODULE_EXCLUDE_LIST
LOG_MODULE_INCLUDE_LIST
LOG_PATCH_UVICORN_LOGSTakeover UVICORN's logs so they appear in the main logger.
LOG_TO_FILE
LOG_FILE_PATHPath to define where to save the log file.
LOG_FILE_ROTATION
LOG_FILE_RETENTION
LOG_FILE_COMPRESSION
LOG_FILE_SERIALIZESerialize log messages in file into json format (useful for log aggregation platforms)
LOG_FILE_LEVEL
LOG_DIAGNOSEInclude diagnosis in log messages
STATISTICS_ENABLEDCollect statistics about OPAL clients.
STATISTICS_ADD_CLIENT_CHANNELThe topic to update about the new OPAL clients connection.
STATISTICS_REMOVE_CLIENT_CHANNELThe topic to update about the OPAL clients disconnection.
FETCH_PROVIDER_MODULES
FETCHING_WORKER_COUNT
FETCHING_CALLBACK_TIMEOUT
FETCHING_ENQUEUE_TIMEOUT
GIT_SSH_KEY_FILE
CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWEDWhether or not OPAL Client will trust HTTPs connections protected by self signed certificates. Not to be used in Production.
CLIENT_SSL_CONTEXT_TRUSTED_CA_FILEA path to your own CA public certificate file (usually a .crt or a .pem file). Certificates signed by this issuer will be trusted by OPAL Client. Not to be used in Production.
AUTH_PUBLIC_KEY_FORMAT
AUTH_PUBLIC_KEY
AUTH_JWT_ALGORITHMJWT algorithm. See possible values here.
AUTH_JWT_AUDIENCE
AUTH_JWT_ISSUER
ENABLE_OPENTELEMETRY_TRACINGSet if OPAL should enable tracing with OpenTelemetry
ENABLE_OPENTELEMETRY_METRICSSet if OPAL should enable metrics with OpenTelemetry
ENABLE_OPENTELEMETRY_TRACINGThe OpenTelemetry OTLP endpoint to send traces to, set only if ENABLE_OPENTELEMETRY_TRACING is enabled

OPAL Server Configuration Variables

VariablesDescriptionExample
AUTH_JWT_ISSUER
AUTH_JWT_ISSUER
CLIENT_LOAD_LIMIT_NOTATIONIf supplied, rate limit would be enforced on the servers websocket endpoint. Format is limits-style notation (e.g. 10 per second). Learn more.
BROADCAST_URI
BROADCAST_CHANNEL_NAME
BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED
AUTH_PRIVATE_KEY_FORMAT
AUTH_PRIVATE_KEY_PASSPHRASE
AUTH_PRIVATE_KEY
AUTH_JWKS_URL
AUTH_JWKS_STATIC_DIR
AUTH_MASTER_TOKEN
POLICY_SOURCE_TYPESet your policy source, this can be GIT / API.
POLICY_REPO_URLSet your remote repo URL - this is relevant only to GIT source type E.g. view example.
POLICY_BUNDLE_URLSet your API bundle URL, this is relevant only to API source type.
POLICY_REPO_CLONE_PATHBase path to create local git folder inside this path, that manages policy change.
POLICY_REPO_CLONE_FOLDER_PREFIXPrefix for the local git folder.
POLICY_REPO_REUSE_CLONE_PATHSet if OPAL server should use a fixed clone path (and reuse if it already exists) instead of randomizing its suffix on each run.
POLICY_REPO_MAIN_BRANCH
POLICY_REPO_SSH_KEY
POLICY_REPO_MANIFEST_PATHPath of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). Repo's root is used by default.
POLICY_REPO_CLONE_TIMEOUTIf set to 0, waits forever until successful clone.
LEADER_LOCK_FILE_PATH
POLICY_BUNDLE_SERVER_TYPEHTTP (authenticated with bearer token, or nothing), AWS-S3(Authenticated with AWS REST AuthAWS-S3
POLICY_BUNDLE_SERVER_TOKEN_IDThe Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server.AKIAIOSFODNN7EXAMPLE
POLICY_BUNDLE_SERVER_TOKENThe Secret Token (AKA password, AKA secret-key) sent to the API bundle server.wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
POLICY_BUNDLE_TMP_PATHPath for temp policy file. It needs to be writable.
POLICY_BUNDLE_GIT_ADD_PATTERNFile pattern to add files to all the git default files.
REPO_WATCHER_ENABLED
PUBLISHER_ENABLED
BROADCAST_KEEPALIVE_INTERVALThe time to wait between sending two consecutive broadcaster keepalive messages.
BROADCAST_KEEPALIVE_TOPICThe topic on which we should send broadcaster keepalive messages.
MAX_CHANNELS_PER_CLIENTMax number of records per client, after this number it will not be added to statistics, relevant only if STATISTICS_ENABLED.
STATISTICS_WAKEUP_CHANNELThe topic a waking-up OPAL server uses to notify others he needs their statistics data.
STATISTICS_STATE_SYNC_CHANNELThe topic other servers with statistics provide their state to a waking-up server.
ALL_DATA_TOPICTop level topic for data.
ALL_DATA_ROUTE
ALL_DATA_URLURL for all data config [If you choose to have it all at one place].
DATA_CONFIG_ROUTEURL to fetch the full basic configuration of data.
DATA_CALLBACK_DEFAULT_ROUTEExists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS.
DATA_CONFIG_SOURCESConfiguration of data sources by topics.
DATA_UPDATE_TRIGGER_ROUTEURL to trigger data update events.
POLICY_REPO_WEBHOOK_SECRET
POLICY_REPO_WEBHOOK_TOPIC
POLICY_REPO_WEBHOOK_ENFORCE_BRANCH
POLICY_REPO_WEBHOOK_PARAMS
POLICY_REPO_POLLING_INTERVAL
ALLOWED_ORIGINS
FILTER_FILE_EXTENSIONS
NO_RPC_LOGS
SERVER_WORKER_COUNT(If run using the CLI) - Worker count for the server [Default calculated to CPU-cores].
SERVER_HOST(If run using the CLI) - Address for the server to bind.
SERVER_BIND_PORT(If run using the CLI) - Port for the server to bind. (replaces deprecated SERVER_PORT)
ENABLE_DATADOG_APMSet if OPAL server should enable tracing with datadog APM.
SCOPES
REDIS_URL
BASE_DIR
POLICY_REFRESH_INTERVAL
OPAL_WS_ROUTE
SERVER_WS_URL
SERVER_PUBSUB_URL
CLIENT_TOKENThe OPAL Server Auth Token.
CLIENT_API_SERVER_WORKER_COUNT(If run using the CLI) - Worker count for the opal-client's internal server.
CLIENT_API_SERVER_HOST(If run using the CLI) - Address for the opal-client's internal server to bind.
CLIENT_API_SERVER_PORT(If run using the CLI) - Port for the opal-client's internal server to bind.
WAIT_ON_SERVER_LOADIf set, client would wait for 200 from server's loadlimit endpoint before starting background tasks.
OPAL_POLICY_REPO_URLThe repo url the policy repo is located at. Must be available from the machine running OPAL (opt for public internet addresses). Supported URI schemes: https:// and ssh (i.e: git@).
OPAL_POLICY_REPO_SSH_KEYThe content of the var is a private crypto key (i.e: SSH key). You will need to register the matching public key with your repo. For example, see the GitHub tutorial on the subject. The passed value must be the contents of the SSH key in one line (replace new-line with underscore, i.e: \n with _).
OPAL_POLICY_REPO_CLONE_PATHWhere (i.e: base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume).
OPAL_POLICY_REPO_MAIN_BRANCHName of the git branch to track for policy files (default: master).
OPAL_BUNDLE_IGNOREPaths to omit from policy bundle. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it).bundle_ignore: Optional[List[str]]

OPAL Client Configuration Variables

VariablesDescriptionExample
POLICY_STORE_TYPE
POLICY_STORE_AUTH_TYPEThe authentication method for connecting to the policy store. Possible values are oauth or token
POLICY_STORE_AUTH_TOKENThe authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e: OPA agent).
POLICY_STORE_AUTH_OAUTH_SERVERThe authentication server OPAL client will use to authenticate against for retrieving the access_token.
POLICY_STORE_AUTH_OAUTH_CLIENT_IDThe client id OPAL will use to authenticate against the OAuth server.
POLICY_STORE_AUTH_OAUTH_CLIENT_SECRETThe client secret OPAL will use to authenticate against the OAuth server.
POLICY_STORE_CONN_RETRYRetry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA).
POLICY_STORE_POLICY_PATHS_TO_IGNOREWhich policy paths pushed to the client should be ignored. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it). It does support paths starting with '!' to force to not ignore them: a negated path would always take precedence, so if, e.g., both !myFolder/** and myFolder/subFolder/** are defined then myFolder/subFolder/** will not be ignored.
INLINE_OPA_ENABLEDWhether or not OPAL should run OPA by itself in the same container.
INLINE_OPA_EXEC_PATHThe path to the OPA executable.
INLINE_OPA_CONFIGIf inline OPA is indeed enabled, the user can set the server configuration options that affects how OPA will start when running opa run --server inline. Watch escaping quotes.{"config_file":"/mnt/opa/config"}
INLINE_OPA_LOG_FORMAT
INLINE_CEDAR_ENABLEDWhether or not OPAL should run Cedar agent by itself in the same container.
INLINE_CEDAR_EXEC_PATHThe path to the Cedar agent executable.
INLINE_CEDAR_CONFIGIf inline Cedar is indeed enabled, provide options for running the Cedar agent
INLINE_CEDAR_LOG_FORMAT
KEEP_ALIVE_INTERVAL
OFFLINE_MODE_ENABLEDIf set, opal client will try to load policy store from backup file and operate even if server is unreachable. Ignored if INLINE_OPA_ENABLED=False
STORE_BACKUP_PATHPath to backup policy store's data to
STORE_BACKUP_INTERVALInterval in seconds to backup policy store's data
POLICY_UPDATER_ENABLEDIf set to FALSE, OPAL Client will not fetch policies or listen to policy updates.

Policy Updater Configuration Variables

VariablesDescriptionExample
POLICY_SUBSCRIPTION_DIRSThe directories in a policy repo we should subscribe to for policy code (rego) modules.
POLICY_UPDATER_CONN_RETRYRetry options when connecting to the policy source (e.g. the policy bundle server

Data Updater Configuration Variables

VariablesDescriptionExample
DATA_UPDATER_ENABLEDIf set to FALSE, OPAL Client will not listen to dynamic data updates.
DATA_TOPICSData topics to subscribe to.
DEFAULT_DATA_SOURCES_CONFIG_URLDefault URL to fetch data configuration from.
DEFAULT_DATA_URLDefault URL to fetch data from.
SHOULD_REPORT_ON_DATA_UPDATESShould the client report on updates to callbacks defined in DEFAULT_UPDATE_CALLBACKS or within the given updates.
DEFAULT_UPDATE_CALLBACK_CONFIG
DEFAULT_UPDATE_CALLBACKSWhere/How the client should report on the completion of data updates.
DATA_UPDATER_CONN_RETRYRetry options when connecting to the base data source (e.g. an external API server which returns data snapshot).
DATA_STORE_CONN_RETRYDEPTRECATED - The old confusing name for DATA_UPDATER_CONN_RETRY, kept for backwards compatibilit (for now)

OPA Transaction Log / Healthcheck Configuration Variables

VariablesDescriptionExample
OPA_HEALTH_CHECK_POLICY_ENABLEDShould we load a special healthcheck policy into OPA that checks that opa was synced correctly and is ready to answer to authorization queries.
OPA_HEALTH_CHECK_TRANSACTION_LOG_PATHPath to OPA document that stores the OPA write transactions.
OPAL_CLIENT_STAT_IDUnique client statistics identifier.
OPA_HEALTH_CHECK_POLICY_PATH
SCOPE_ID