Bundle Destinations
A bundle destination is where EnforceAuth publishes OPA bundles after a successful deployment. Your PDPs (OPA, EOPA, or sidecars) pull bundles from this location.
Configure on the entity Configuration section (/entities/:id#configuration) → Bundle Destination card.
- Description: Where compiled policy bundles are stored
- Edit sheet title: Bundle Destination Configuration
Supported output types
Output Type (storage_type) supports object storage only:
| Type | Fields |
|---|---|
| S3 | Bucket name, region, bundle path, credentials |
| GCS | Bucket name, project ID, bundle path, credentials |
| Azure | Storage account name, container name, bundle path, credentials |
Git is a policy input only — it is not a bundle destination in EnforceAuth.
Field reference
Amazon S3
| Field | Notes |
|---|---|
| Bucket Name * | Lowercase, DNS-style naming rules apply |
| Region * | Select from region list |
| Bundle Path | Full object key, e.g. policies/bundle.tar.gz — cannot end with / |
| Credentials Secret | Optional IAM user key or use inherited secrets |
Google Cloud Storage
| Field | Notes |
|---|---|
| Bucket Name * | GCS naming rules (no google prefix abuse, no ..) |
| Project ID * | GCP project owning the bucket |
| Bundle Path | Same rules as S3 |
| Credentials Secret | Service account JSON |
Azure Blob Storage
| Field | Notes |
|---|---|
| Storage Account Name * | |
| Container Name * | |
| Bundle Path | |
| Credentials Secret * | Storage account key — required |
Placeholder for bundle path: policies/bundle.tar.gz. Help text: Full path to the bundle file (e.g., policies/bundle.tar.gz).
Inheritance
Same model as policy sources:
- Org defines a default destination; systems inherit unless they override
- Inherited from parent name when using ancestor config
- Deploy eligibility requires an effective bundle destination (own or inherited)
Per-environment bundle overrides
Each environment in Environments config can override Bundle Path only (bundle_destination.bundle_path). Storage backend fields — bucket, region, account, container, project — always inherit from the entity-level destination.
Help text: Override the bundle path for this environment. Other storage settings are inherited from the base bundle destination.
If no base destination exists, the UI warns: No bundle destination configured. Each environment will use default S3 settings... — configure the entity-level destination first.
At deploy time, EnforceAuth merges the environment override with the base destination (EA-653 effective config resolution).
Test connection
Click Test Connection on the bundle destination form. Success and failure messages are storage-specific (S3/GCS/Azure bundle verification strings in the console).
For S3, Test Connection runs a write → read → delete probe on your bundle prefix — the same class of permission errors that block the Deploying phase.
See GitHub and storage integration troubleshooting for IAM, bucket policy, and region checklists.
Troubleshooting (quick reference)
| Symptom | First check |
|---|---|
| Bundle verify failed / AccessDenied | PutObject, GetObject, DeleteObject on bundle prefix — IAM checklist |
| Credentials retrieval failed | Secret type and entity scope |
| Deploy Deploying failed | Pipeline logs; compare region and path |
| Console Success, PDP stale | PDP bundle URL vs deployed path — PDP integration |
PDP alignment
After deploy, confirm your OPA configuration points at the same bucket/path EnforceAuth writes. A common drift symptom: deployment Success in the console but PDPs still evaluate an old bundle URL.
See Multi-environment best practices.
Verify success
- Test Connection passes for the chosen storage type
- Deployment pipeline reaches Deploying → Complete
- Object appears at the configured path in S3/GCS/Azure
- PDP bundle download URL matches the deployed path
- Decision logs reference the new bundle version
Related guides
- Policy sources
- Entity model
- Deployments
- API keys — authenticate decision log ingestion
- Decision logs