
OPAL Configuration Variables

This page provides a full list of the OPAL configuration variables for the OPAL Client and the OPAL Server. Please use these tables as a reference.

Common OPAL Configuration Variables

| Variable | Description | Example |
| --- | --- | --- |
| ALLOWED_ORIGINS | | |
| PROCESS_NAME | The process name to be shown in logs. | |
| LOG_FORMAT_INCLUDE_PID | | |
| LOG_FORMAT | | |
| LOG_TRACEBACK | | |
| LOG_SERIALIZE | Serialize log messages into JSON format (useful for log aggregation platforms). | |
| LOG_SHOW_CODE_LINE | | |
| LOG_LEVEL | | |
| LOG_MODULE_EXCLUDE_LIST | | |
| LOG_MODULE_INCLUDE_LIST | | |
| LOG_PATCH_UVICORN_LOGS | Take over Uvicorn's logs so they appear in the main logger. | |
| LOG_TO_FILE | | |
| LOG_FILE_PATH | Path defining where to save the log file. | |
| LOG_FILE_ROTATION | | |
| LOG_FILE_RETENTION | | |
| LOG_FILE_COMPRESSION | | |
| LOG_FILE_SERIALIZE | Serialize log messages written to the file into JSON format (useful for log aggregation platforms). | |
| LOG_FILE_LEVEL | | |
| STATISTICS_ENABLED | Collect statistics about OPAL clients. | |
| STATISTICS_ADD_CLIENT_CHANNEL | The topic on which new OPAL client connections are announced. | |
| STATISTICS_REMOVE_CLIENT_CHANNEL | The topic on which OPAL client disconnections are announced. | |
| FETCH_PROVIDER_MODULES | | |
| FETCHING_WORKER_COUNT | | |
| FETCHING_CALLBACK_TIMEOUT | | |
| FETCHING_ENQUEUE_TIMEOUT | | |
| GIT_SSH_KEY_FILE | | |
| CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED | Whether or not OPAL Client will trust HTTPS connections protected by self-signed certificates. Not to be used in production. | |
| CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE | A path to your own CA public certificate file (usually a .crt or a .pem file). Certificates signed by this issuer will be trusted by OPAL Client. Not to be used in production. | |
| AUTH_PUBLIC_KEY_FORMAT | | |
| AUTH_PUBLIC_KEY | | |
| AUTH_JWT_ALGORITHM | JWT algorithm. See the list of possible values. | |
| AUTH_JWT_AUDIENCE | | |
| AUTH_JWT_ISSUER | | |

OPAL Server Configuration Variables

| Variable | Description | Example |
| --- | --- | --- |
| AUTH_JWT_ISSUER | | |
| CLIENT_LOAD_LIMIT_NOTATION | If supplied, a rate limit is enforced on the server's websocket endpoint. The format is limits-style notation (e.g. 10 per second). | |
| BROADCAST_URI | | |
| BROADCAST_CHANNEL_NAME | | |
| BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED | | |
| AUTH_PRIVATE_KEY_FORMAT | | |
| AUTH_PRIVATE_KEY_PASSPHRASE | | |
| AUTH_PRIVATE_KEY | | |
| AUTH_JWKS_URL | | |
| AUTH_JWKS_STATIC_DIR | | |
| AUTH_MASTER_TOKEN | | |
| POLICY_SOURCE_TYPE | Set your policy source; this can be GIT or API. | |
| POLICY_REPO_URL | Set your remote repo URL. Relevant only to the GIT source type (see example). | |
| POLICY_BUNDLE_URL | Set your API bundle URL. Relevant only to the API source type. | |
| POLICY_REPO_CLONE_PATH | Base path under which the local git folder that tracks policy changes is created. | |
| POLICY_REPO_CLONE_FOLDER_PREFIX | Prefix for the local git folder. | |
| POLICY_REPO_REUSE_CLONE_PATH | Set if OPAL server should use a fixed clone path (and reuse it if it already exists) instead of randomizing its suffix on each run. | |
| POLICY_REPO_MAIN_BRANCH | | |
| POLICY_REPO_SSH_KEY | | |
| POLICY_REPO_MANIFEST_PATH | Path of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). The repo's root is used by default. | |
| POLICY_REPO_CLONE_TIMEOUT | If set to 0, waits forever until the clone succeeds. | |
| LEADER_LOCK_FILE_PATH | | |
| POLICY_BUNDLE_SERVER_TYPE | HTTP (authenticated with a bearer token, or not at all), or AWS-S3 (authenticated with AWS REST Auth). | AWS-S3 |
| POLICY_BUNDLE_SERVER_TOKEN_ID | The secret token id (AKA user id, AKA access-key) sent to the API bundle server. | AKIAIOSFODNN7EXAMPLE |
| POLICY_BUNDLE_SERVER_TOKEN | The secret token (AKA password, AKA secret-key) sent to the API bundle server. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| POLICY_BUNDLE_TMP_PATH | Path for the temporary policy file. It needs to be writable. | |
| POLICY_BUNDLE_GIT_ADD_PATTERN | File pattern for adding files on top of the git default files. | |
| REPO_WATCHER_ENABLED | | |
| PUBLISHER_ENABLED | | |
| BROADCAST_KEEPALIVE_INTERVAL | The time to wait between sending two consecutive broadcaster keepalive messages. | |
| BROADCAST_KEEPALIVE_TOPIC | The topic on which broadcaster keepalive messages are sent. | |
| MAX_CHANNELS_PER_CLIENT | Max number of records per client; beyond this number records are not added to statistics. Relevant only if STATISTICS_ENABLED is set. | |
| STATISTICS_WAKEUP_CHANNEL | The topic a waking-up OPAL server uses to notify other servers that it needs their statistics data. | |
| STATISTICS_STATE_SYNC_CHANNEL | The topic on which other servers holding statistics provide their state to a waking-up server. | |
| ALL_DATA_TOPIC | Top-level topic for data. | |
| ALL_DATA_ROUTE | | |
| ALL_DATA_URL | URL for all data config (if you choose to keep it all in one place). | |
| DATA_CONFIG_ROUTE | URL to fetch the full basic configuration of data. | |
| DATA_CALLBACK_DEFAULT_ROUTE | Exists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS. | |
| DATA_CONFIG_SOURCES | Configuration of data sources by topics. | |
| DATA_UPDATE_TRIGGER_ROUTE | URL to trigger data update events. | |
| POLICY_REPO_WEBHOOK_SECRET | | |
| POLICY_REPO_WEBHOOK_TOPIC | | |
| POLICY_REPO_WEBHOOK_ENFORCE_BRANCH | | |
| POLICY_REPO_WEBHOOK_PARAMS | | |
| POLICY_REPO_POLLING_INTERVAL | | |
| ALLOWED_ORIGINS | | |
| FILTER_FILE_EXTENSIONS | | |
| NO_RPC_LOGS | | |
| SERVER_WORKER_COUNT | (If run using the CLI) Worker count for the server. The default is calculated from the number of CPU cores. | |
| SERVER_HOST | (If run using the CLI) Address for the server to bind. | |
| SERVER_BIND_PORT | (If run using the CLI) Port for the server to bind. Replaces the deprecated SERVER_PORT. | |
| ENABLE_DATADOG_APM | Set if OPAL server should enable tracing with Datadog APM. | |
| SCOPES | | |
| REDIS_URL | | |
| BASE_DIR | | |
| POLICY_REFRESH_INTERVAL | | |
| OPAL_WS_ROUTE | | |
| SERVER_WS_URL | | |
| SERVER_PUBSUB_URL | | |
| CLIENT_TOKEN | The OPAL Server auth token. | |
| CLIENT_API_SERVER_WORKER_COUNT | (If run using the CLI) Worker count for the opal-client's internal server. | |
| CLIENT_API_SERVER_HOST | (If run using the CLI) Address for the opal-client's internal server to bind. | |
| CLIENT_API_SERVER_PORT | (If run using the CLI) Port for the opal-client's internal server to bind. | |
| WAIT_ON_SERVER_LOAD | If set, the client waits for a 200 response from the server's loadlimit endpoint before starting background tasks. | |
| OPAL_POLICY_REPO_URL | The URL at which the policy repo is located. Must be reachable from the machine running OPAL (opt for public internet addresses). Supported URI schemes: https:// and ssh (i.e. git@). | |
| OPAL_POLICY_REPO_SSH_KEY | The content of the variable is a private crypto key (i.e. an SSH key). You will need to register the matching public key with your repo; for example, see the GitHub tutorial on the subject. The passed value must be the contents of the SSH key on one line (replace each newline with an underscore, i.e. \n with _). | |
| OPAL_POLICY_REPO_CLONE_PATH | Where (i.e. the base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume). | |
| OPAL_POLICY_REPO_MAIN_BRANCH | Name of the git branch to track for policy files (default: master). | |
| OPAL_BUNDLE_IGNORE | Paths to omit from the policy bundle. A list of glob-style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring everything under it). | bundle_ignore: Optional[List[str]] |

OPAL Client Configuration Variables

| Variable | Description | Example |
| --- | --- | --- |
| POLICY_STORE_TYPE | | |
| POLICY_STORE_AUTH_TYPE | The authentication method for connecting to the policy store. Possible values are oauth or token. | |
| POLICY_STORE_AUTH_TOKEN | The authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e. the OPA agent). | |
| POLICY_STORE_AUTH_OAUTH_SERVER | The authentication server OPAL client will authenticate against to retrieve the access_token. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_ID | The client id OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET | The client secret OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_CONN_RETRY | Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA). | |
| POLICY_STORE_POLICY_PATHS_TO_IGNORE | Which policy paths pushed to the client should be ignored. A list of glob-style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring everything under it). | |
| INLINE_OPA_ENABLED | Whether or not OPAL should run OPA by itself in the same container. | |
| INLINE_OPA_CONFIG | If inline OPA is enabled, the user can set the server configuration options that affect how OPA starts when running opa run --server inline. Watch out for escaped quotes. | {"config_file":"/mnt/opa/config"} |
| INLINE_OPA_LOG_FORMAT | | |
| KEEP_ALIVE_INTERVAL | | |
| OFFLINE_MODE_ENABLED | If set, OPAL client will try to load the policy store from the backup file and operate even if the server is unreachable. Ignored if INLINE_OPA_ENABLED=False. | |
| STORE_BACKUP_PATH | Path to back up the policy store's data to. | |
| STORE_BACKUP_INTERVAL | Interval in seconds at which the policy store's data is backed up. | |
| POLICY_UPDATER_ENABLED | If set to FALSE, OPAL Client will not fetch policies or listen to policy updates. | |

Policy Updater Configuration Variables

| Variable | Description | Example |
| --- | --- | --- |
| POLICY_SUBSCRIPTION_DIRS | The directories in a policy repo we should subscribe to for policy code (rego) modules. | |
| POLICY_UPDATER_CONN_RETRY | Retry options when connecting to the policy source (e.g. the policy bundle server). | |

Data Updater Configuration Variables

| Variable | Description | Example |
| --- | --- | --- |
| DATA_UPDATER_ENABLED | If set to FALSE, OPAL Client will not listen to dynamic data updates. | |
| DATA_TOPICS | Data topics to subscribe to. | |
| DEFAULT_DATA_SOURCES_CONFIG_URL | Default URL to fetch data configuration from. | |
| DEFAULT_DATA_URL | Default URL to fetch data from. | |
| SHOULD_REPORT_ON_DATA_UPDATES | Whether the client should report on updates to the callbacks defined in DEFAULT_UPDATE_CALLBACKS or within the given updates. | |
| DEFAULT_UPDATE_CALLBACK_CONFIG | | |
| DEFAULT_UPDATE_CALLBACKS | Where and how the client should report on the completion of data updates. | |
| DATA_UPDATER_CONN_RETRY | Retry options when connecting to the base data source (e.g. an external API server which returns a data snapshot). | |
| DATA_STORE_CONN_RETRY | DEPRECATED. The old, confusing name for DATA_UPDATER_CONN_RETRY, kept for backwards compatibility (for now). | |

OPA Transaction Log / Healthcheck Configuration Variables

| Variable | Description | Example |
| --- | --- | --- |
| OPA_HEALTH_CHECK_POLICY_ENABLED | Whether to load a special healthcheck policy into OPA that checks that OPA was synced correctly and is ready to answer authorization queries. | |
| OPA_HEALTH_CHECK_TRANSACTION_LOG_PATH | Path to the OPA document that stores the OPA write transactions. | |
| OPAL_CLIENT_STAT_ID | Unique client statistics identifier. | |
| OPA_HEALTH_CHECK_POLICY_PATH | | |
| SCOPE_ID | | |