Skip to main content

Bundle Destinations

A bundle destination is where EnforceAuth publishes OPA bundles after a successful deployment. Your PDPs (OPA, EOPA, or sidecars) pull bundles from this location.

Configure on the entity Configuration section (/entities/:id#configuration) → Bundle Destination card.

  • Description: Where compiled policy bundles are stored
  • Edit sheet title: Bundle Destination Configuration

Supported output types

Output Type (storage_type) supports object storage only:

TypeFields
S3Bucket name, region, bundle path, credentials
GCSBucket name, project ID, bundle path, credentials
AzureStorage account name, container name, bundle path, credentials

Git is a policy input only — it is not a bundle destination in EnforceAuth.

Field reference

Amazon S3

FieldNotes
Bucket Name *Lowercase, DNS-style naming rules apply
Region *Select from region list
Bundle PathFull object key, e.g. policies/bundle.tar.gz — cannot end with /
Credentials SecretOptional IAM user key or use inherited secrets

Google Cloud Storage

FieldNotes
Bucket Name *GCS naming rules (no google prefix abuse, no ..)
Project ID *GCP project owning the bucket
Bundle PathSame rules as S3
Credentials SecretService account JSON

Azure Blob Storage

FieldNotes
Storage Account Name *
Container Name *
Bundle Path
Credentials Secret *Storage account key — required

Placeholder for bundle path: policies/bundle.tar.gz. Help text: Full path to the bundle file (e.g., policies/bundle.tar.gz).

Inheritance

Same model as policy sources:

  • Org defines a default destination; systems inherit unless they override
  • Inherited from parent name when using ancestor config
  • Deploy eligibility requires an effective bundle destination (own or inherited)

Per-environment bundle overrides

Each environment in Environments config can override Bundle Path only (bundle_destination.bundle_path). Storage backend fields — bucket, region, account, container, project — always inherit from the entity-level destination.

Help text: Override the bundle path for this environment. Other storage settings are inherited from the base bundle destination.

If no base destination exists, the UI warns: No bundle destination configured. Each environment will use default S3 settings... — configure the entity-level destination first.

At deploy time, EnforceAuth merges the environment override with the base destination (EA-653 effective config resolution).

Test connection

Click Test Connection on the bundle destination form. Success and failure messages are storage-specific (S3/GCS/Azure bundle verification strings in the console).

For S3, Test Connection runs a write → read → delete probe on your bundle prefix — the same class of permission errors that block the Deploying phase.

See GitHub and storage integration troubleshooting for IAM, bucket policy, and region checklists.

Troubleshooting (quick reference)

SymptomFirst check
Bundle verify failed / AccessDeniedPutObject, GetObject, DeleteObject on bundle prefix — IAM checklist
Credentials retrieval failedSecret type and entity scope
Deploy Deploying failedPipeline logs; compare region and path
Console Success, PDP stalePDP bundle URL vs deployed path — PDP integration

PDP alignment

After deploy, confirm your OPA configuration points at the same bucket/path EnforceAuth writes. A common drift symptom: deployment Success in the console but PDPs still evaluate an old bundle URL.

See Multi-environment best practices.

Verify success

  • Test Connection passes for the chosen storage type
  • Deployment pipeline reaches DeployingComplete
  • Object appears at the configured path in S3/GCS/Azure
  • PDP bundle download URL matches the deployed path
  • Decision logs reference the new bundle version