Policy Sources
A policy source tells EnforceAuth where your Rego (and related policy files) live. On every deployment, the platform fetches from this source, runs tests, builds an OPA bundle, and publishes to your bundle destination.
Configure policy sources on the entity Configuration section (/entities/:id#configuration).
Where to configure
- Open System Settings → Entity Management (
/system-settings/entities). - Select an organization or system.
- Scroll to Configuration → Policy Source card.
- Title: Policy Source
- Description: Where policy files are stored and versioned
- Click edit to open Policy Source Configuration.
Org-level card note: Global default, can be overridden at system level.
System-level note: If blank, inherits from parent organization.
Inherited values show Inherited from parent name with an Inherited badge.
Storage types
The Storage Type field (storage_type) supports:
| Type | Typical use |
|---|---|
| Git | Production — versioned Rego in GitHub, GitLab, Bitbucket, or custom Git |
| S3 | Policy files in an S3 bucket |
| GCS | Policy files in Google Cloud Storage |
| Azure | Policy files in Azure Blob Storage |
| Filesystem | Local dev only — UI warns: Filesystem storage is for development only |
Policy engine (policy_engine): OPA (Rego) is production today. Arbi (Cedar) and iBar (Zanzibar) appear in the form for future engines.
Git policy source (recommended)
| Field | Purpose |
|---|---|
Service (repository_service) | GitHub, GitLab, Bitbucket, or Custom |
| Repository URL * | e.g. https://github.com/org/repo |
| Branch | Default branch to clone (form default: main) |
| Credentials Secret | Optional secret reference for private repos |
| Policy Path | Directory within the repo, e.g. policies/ |
| Path Mode | Override parent or Append to parent when inheriting |
Connect GitHub at the tenant level
Before private GitHub repos work reliably, install the EnforceAuth GitHub App:
- System Settings → Integrations (
/system-settings/integrations) - Click Connect GitHub
- Choose github.com or GitHub Enterprise Server (with hostname)
This lets policy sources read private repositories without every user supplying a personal access token. Entity policy sources can still reference a Credentials Secret when needed.
Cloud and filesystem sources
Amazon S3
- Bucket *, Region *, optional Credentials Secret
- Policy Path and Path Mode as above
Google Cloud Storage
- Bucket *, GCP Project ID *, optional Credentials Secret
Azure Blob
- Storage Account Name *, Container Name *
- Credentials Secret * — required; help text: Azure storage account key is required
Filesystem
- Path * — development workflows only
Path inheritance
When a child entity inherits a parent's policy source:
- Override parent — replace the parent's policy path entirely
- Append to parent — compose paths; the UI shows merged paths via InheritedPathDisplay
Set paths deliberately so deploys clone the Rego tree you intend.
Per-environment overrides
In Environments configuration, each environment can override Git Branch and Policy Path (or cloud Object Prefix):
| Environment field | Applies to |
|---|---|
| Branch * | Git/filesystem only |
| Policy Path / Object Prefix | Path within storage for that environment |
| Auto-deploy | Git only — trigger deploys on push |
| Promotes To | Next environment in the promotion chain |
Validation enforces unique branch/path combinations and detects promotion cycles.
Test connection
Use Test Connection on the policy source form before saving. Fix credential or URL issues early — failed clones surface as deployment failures in the Fetching phase.
For a full troubleshooting tree (GitHub App, branch/auth errors, S3 policy paths), see GitHub and storage integration troubleshooting.
Troubleshooting (quick reference)
| Symptom | First check |
|---|---|
| Test Connection: branch not found | Branch name; available branches in error details |
| Test Connection: auth failed | GitHub App repo access or PAT scopes |
| Test Connection: credentials failed | Secret ARN and entity inheritance |
| Deploy fails Fetching | Same as above + policy_path in repo |
| Public repo warning on success | Add App or PAT before deploy if repo is private |
Full guide: Integrations troubleshooting.
Secrets for credentials
Create secrets under the entity (or ancestor) Secrets section. Types include:
- Generic Secret — Git tokens
- AWS S3 Credentials / AWS IAM Role
- GCS Service Account
- Azure Storage Account Key
The Credentials Secret picker lists secrets available to the entity and its ancestors.
Verify success
- Test Connection succeeds
- Manual Deploy reaches Fetching and Testing without clone errors
- Policies appear on the Policies tab from the expected repo path
- Environment-specific branches deploy the intended commits
Related guides
- Entity model — inheritance and org vs system
- Bundle destinations
- Deployments
- Policy management
- 15-minute quickstart — full setup walkthrough
- GitHub Actions and CI/CD
- Getting started