OPAL Configuration Variables

Provided on this page is a full list of all the OPAL configuration variabls for the OPAL Client and the OPAL Server. Please use this table as a reference.

Common OPAL Configuration Variables

Variables	Description	Example
ALLOWED_ORIGINS
PROCESS_NAME	The process name to be shown in logs.
LOG_FORMAT_INCLUDE_PID
LOG_FORMAT
LOG_TRACEBACK
LOG_SHOW_CODE_LINE
LOG_LEVEL
LOG_MODULE_EXCLUDE_LIST
LOG_MODULE_INCLUDE_LIST
LOG_PATCH_UVICORN_LOGS	Takeover UVICORN's logs so they appear in the main logger.
LOG_TO_FILE
LOG_FILE_PATH	Path to define where to save the log file.
LOG_FILE_ROTATION
LOG_FILE_RETENTION
LOG_FILE_COMPRESSION
LOG_FILE_SERIALIZE
LOG_FILE_LEVEL
STATISTICS_ENABLED	Collect statistics about OPAL clients.
STATISTICS_ADD_CLIENT_CHANNEL	The topic to update about the new OPAL clients connection.
STATISTICS_REMOVE_CLIENT_CHANNEL	The topic to update about the OPAL clients disconnection.
FETCH_PROVIDER_MODULES
FETCHING_WORKER_COUNT
FETCHING_CALLBACK_TIMEOUT
FETCHING_ENQUEUE_TIMEOUT
GIT_SSH_KEY_FILE
CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED	Whether or not OPAL Client will trust HTTPs connections protected by self signed certificates. Not to be used in Production.
CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE	A path to your own CA public certificate file (usually a .crt or a .pem file). Certificates signed by this issuer will be trusted by OPAL Client. Not to be used in Production.
AUTH_PUBLIC_KEY_FORMAT
AUTH_PUBLIC_KEY
AUTH_JWT_ALGORITHM	JWT algorithm. See possible values here.
AUTH_JWT_AUDIENCE
AUTH_JWT_ISSUER

OPAL Server Configuration Variables

Variables	Description	Example
AUTH_JWT_ISSUER
AUTH_JWT_ISSUER
CLIENT_LOAD_LIMIT_NOTATION	If supplied, rate limit would be enforced on the servers websocket endpoint. Format is limits-style notation (e.g. 10 per second). Learn more.
BROADCAST_URI
BROADCAST_CHANNEL_NAME
BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED
AUTH_PRIVATE_KEY_FORMAT
AUTH_PRIVATE_KEY_PASSPHRASE
AUTH_PRIVATE_KEY
AUTH_JWKS_URL
AUTH_JWKS_STATIC_DIR
AUTH_MASTER_TOKEN
POLICY_SOURCE_TYPE	Set your policy source, this can be GIT / API.
POLICY_REPO_URL	Set your remote repo URL - this is relevant only to GIT source type E.g. view example.
POLICY_BUNDLE_URL	Set your API bundle URL, this is relevant only to API source type.
POLICY_REPO_CLONE_PATH	Base path to create local git folder inside this path, that manages policy change.
POLICY_REPO_CLONE_FOLDER_PREFIX	Prefix for the local git folder.
POLICY_REPO_REUSE_CLONE_PATH	Set if OPAL server should use a fixed clone path (and reuse if it already exists) instead of randomizing its suffix on each run.
POLICY_REPO_MAIN_BRANCH
POLICY_REPO_SSH_KEY
POLICY_REPO_MANIFEST_PATH	Path of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). Repo's root is used by default.
POLICY_REPO_CLONE_TIMEOUT	If set to 0, waits forever until successful clone.
LEADER_LOCK_FILE_PATH
POLICY_BUNDLE_SERVER_TYPE	HTTP (authenticated with bearer token, or nothing), AWS-S3(Authenticated with AWS REST Auth	AWS-S3
POLICY_BUNDLE_SERVER_TOKEN_ID	The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server.	AKIAIOSFODNN7EXAMPLE
POLICY_BUNDLE_SERVER_TOKEN	The Secret Token (AKA password, AKA secret-key) sent to the API bundle server.	wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
POLICY_BUNDLE_TMP_PATH	Path for temp policy file. It needs to be writable.
POLICY_BUNDLE_GIT_ADD_PATTERN	File pattern to add files to all the git default files.
REPO_WATCHER_ENABLED
PUBLISHER_ENABLED
BROADCAST_KEEPALIVE_INTERVAL	The time to wait between sending two consecutive broadcaster keepalive messages.
BROADCAST_KEEPALIVE_TOPIC	The topic on which we should send broadcaster keepalive messages.
MAX_CHANNELS_PER_CLIENT	Max number of records per client, after this number it will not be added to statistics, relevant only if STATISTICS_ENABLED.
STATISTICS_WAKEUP_CHANNEL	The topic a waking-up OPAL server uses to notify others he needs their statistics data.
STATISTICS_STATE_SYNC_CHANNEL	The topic other servers with statistics provide their state to a waking-up server.
ALL_DATA_TOPIC	Top level topic for data.
ALL_DATA_ROUTE
ALL_DATA_URL	URL for all data config [If you choose to have it all at one place].
DATA_CONFIG_ROUTE	URL to fetch the full basic configuration of data.
DATA_CALLBACK_DEFAULT_ROUTE	Exists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS.
DATA_CONFIG_SOURCES	Configuration of data sources by topics.
DATA_UPDATE_TRIGGER_ROUTE	URL to trigger data update events.
POLICY_REPO_WEBHOOK_SECRET
POLICY_REPO_WEBHOOK_TOPIC
POLICY_REPO_WEBHOOK_ENFORCE_BRANCH
POLICY_REPO_WEBHOOK_PARAMS
POLICY_REPO_POLLING_INTERVAL
ALLOWED_ORIGINS
FILTER_FILE_EXTENSIONS
NO_RPC_LOGS
SERVER_WORKER_COUNT	(If run using the CLI) - Worker count for the server [Default calculated to CPU-cores].
SERVER_HOST	(If run using the CLI) - Address for the server to bind.
SERVER_BIND_PORT	(If run using the CLI) - Port for the server to bind. (replaces deprecated SERVER_PORT)
ENABLE_DATADOG_APM	Set if OPAL server should enable tracing with datadog APM.
SCOPES
REDIS_URL
BASE_DIR
POLICY_REFRESH_INTERVAL
OPAL_WS_ROUTE
SERVER_WS_URL
SERVER_PUBSUB_URL
CLIENT_TOKEN	The OPAL Server Auth Token.
CLIENT_API_SERVER_WORKER_COUNT	(If run using the CLI) - Worker count for the opal-client's internal server.
CLIENT_API_SERVER_HOST	(If run using the CLI) - Address for the opal-client's internal server to bind.
CLIENT_API_SERVER_PORT	(If run using the CLI) - Port for the opal-client's internal server to bind.
WAIT_ON_SERVER_LOAD	If set, client would wait for 200 from server's loadlimit endpoint before starting background tasks.
OPAL_POLICY_REPO_URL	The repo url the policy repo is located at. Must be available from the machine running OPAL (opt for public internet addresses). Supported URI schemes: https:// and ssh{" "} (i.e: git@).
OPAL_POLICY_REPO_SSH_KEY	The content of the var is a private crypto key (i.e: SSH key). You will need to register the matching public key with your repo. For example, see the{" "} GitHub tutorial {" "} on the subject. The passed value must be the contents of the SSH key in one line (replace new-line with underscore, i.e: \n with{" "} _).
OPAL_POLICY_REPO_CLONE_PATH	Where (i.e: base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume).
OPAL_POLICY_REPO_MAIN_BRANCH	Name of the git branch to track for policy files (default: master).
OPAL_BUNDLE_IGNORE	Paths to omit from policy bundle. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it).	bundle_ignore: Optional[List[str]]

OPAL Client Configuration Variables

Variables	Description	Example
POLICY_STORE_TYPE
POLICY_STORE_AUTH_TYPE	The authentication method for connecting to the policy store. Possible values are oauth or token
POLICY_STORE_AUTH_TOKEN	The authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e: OPA agent).
POLICY_STORE_AUTH_OAUTH_SERVER	The authentication server OPAL client will use to authenticate against for retrieving the access_token.
POLICY_STORE_AUTH_OAUTH_CLIENT_ID	The client id OPAL will use to authenticate against the OAuth server.
POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET	The client secret OPAL will use to authenticate against the OAuth server.
POLICY_STORE_CONN_RETRY	Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA).
POLICY_STORE_POLICY_PATHS_TO_IGNORE	Which policy paths pushed to the client should be ignored. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it).
POLICY_UPDATER_CONN_RETRY	Retry options when connecting to the policy source (e.g. the policy bundle server).
INLINE_OPA_ENABLED	Whether or not OPAL should run OPA by itself in the same container.
INLINE_OPA_CONFIG	If inline OPA is indeed enabled, the user can set the server configuration options that affects how OPA will start when running opa run --server inline. Watch escaping quotes.	{"config_file":"/mnt/opa/config"}
INLINE_OPA_LOG_FORMAT
KEEP_ALIVE_INTERVAL
OFFLINE_MODE_ENABLED	If set, opal client will try to load policy store from backup file and operate even if server is unreachable. Ignored if INLINE_OPA_ENABLED=False
STORE_BACKUP_PATH	Path to backup policy store's data to
STORE_BACKUP_INTERVAL	Interval in seconds to backup policy store's data
POLICY_UPDATER_ENABLED	If set to FALSE, OPAL Client will not fetch policies or listen to policy updates.

Policy Updater Configuration Variables

Variables	Description	Example
POLICY_SUBSCRIPTION_DIRS	The directories in a policy repo we should subscribe to for policy code (rego) modules.

Data Updater Configuration Variables

Variables	Description	Example
DATA_UPDATER_ENABLED	If set to FALSE, OPAL Client will not listen to dynamic data updates.
DATA_TOPICS	Data topics to subscribe to.
DEFAULT_DATA_SOURCES_CONFIG_URL	Default URL to fetch data configuration from.
DEFAULT_DATA_URL	Default URL to fetch data from.
SHOULD_REPORT_ON_DATA_UPDATES	Should the client report on updates to callbacks defined in DEFAULT_UPDATE_CALLBACKS or within the given updates.
DEFAULT_UPDATE_CALLBACK_CONFIG
DEFAULT_UPDATE_CALLBACKS	Where/How the client should report on the completion of data updates.

OPA Transaction Log / Healthcheck Configuration Variables

Variables	Description	Example
OPA_HEALTH_CHECK_POLICY_ENABLED	Should we load a special healthcheck policy into OPA that checks that opa was synced correctly and is ready to answer to authorization queries.
OPA_HEALTH_CHECK_TRANSACTION_LOG_PATH	Path to OPA document that stores the OPA write transactions.
OPAL_CLIENT_STAT_ID	Unique client statistics identifier.
OPA_HEALTH_CHECK_POLICY_PATH
SCOPE_ID