Skip to main content

Policy Sources

A policy source tells EnforceAuth where your Rego (and related policy files) live. On every deployment, the platform fetches from this source, runs tests, builds an OPA bundle, and publishes to your bundle destination.

Configure policy sources on the entity Configuration section (/entities/:id#configuration).

Where to configure

  1. Open System Settings → Entity Management (/system-settings/entities).
  2. Select an organization or system.
  3. Scroll to ConfigurationPolicy Source card.
    • Title: Policy Source
    • Description: Where policy files are stored and versioned
  4. Click edit to open Policy Source Configuration.

Org-level card note: Global default, can be overridden at system level.

System-level note: If blank, inherits from parent organization.

Inherited values show Inherited from parent name with an Inherited badge.

Storage types

The Storage Type field (storage_type) supports:

TypeTypical use
GitProduction — versioned Rego in GitHub, GitLab, Bitbucket, or custom Git
S3Policy files in an S3 bucket
GCSPolicy files in Google Cloud Storage
AzurePolicy files in Azure Blob Storage
FilesystemLocal dev only — UI warns: Filesystem storage is for development only

Policy engine (policy_engine): OPA (Rego) is production today. Arbi (Cedar) and iBar (Zanzibar) appear in the form for future engines.

FieldPurpose
Service (repository_service)GitHub, GitLab, Bitbucket, or Custom
Repository URL *e.g. https://github.com/org/repo
BranchDefault branch to clone (form default: main)
Credentials SecretOptional secret reference for private repos
Policy PathDirectory within the repo, e.g. policies/
Path ModeOverride parent or Append to parent when inheriting

Connect GitHub at the tenant level

Before private GitHub repos work reliably, install the EnforceAuth GitHub App:

  1. System Settings → Integrations (/system-settings/integrations)
  2. Click Connect GitHub
  3. Choose github.com or GitHub Enterprise Server (with hostname)

This lets policy sources read private repositories without every user supplying a personal access token. Entity policy sources can still reference a Credentials Secret when needed.

Cloud and filesystem sources

Amazon S3

  • Bucket *, Region *, optional Credentials Secret
  • Policy Path and Path Mode as above

Google Cloud Storage

  • Bucket *, GCP Project ID *, optional Credentials Secret

Azure Blob

  • Storage Account Name *, Container Name *
  • Credentials Secret * — required; help text: Azure storage account key is required

Filesystem

  • Path * — development workflows only

Path inheritance

When a child entity inherits a parent's policy source:

  • Override parent — replace the parent's policy path entirely
  • Append to parent — compose paths; the UI shows merged paths via InheritedPathDisplay

Set paths deliberately so deploys clone the Rego tree you intend.

Per-environment overrides

In Environments configuration, each environment can override Git Branch and Policy Path (or cloud Object Prefix):

Environment fieldApplies to
Branch *Git/filesystem only
Policy Path / Object PrefixPath within storage for that environment
Auto-deployGit only — trigger deploys on push
Promotes ToNext environment in the promotion chain

Validation enforces unique branch/path combinations and detects promotion cycles.

Test connection

Use Test Connection on the policy source form before saving. Fix credential or URL issues early — failed clones surface as deployment failures in the Fetching phase.

For a full troubleshooting tree (GitHub App, branch/auth errors, S3 policy paths), see GitHub and storage integration troubleshooting.

Troubleshooting (quick reference)

SymptomFirst check
Test Connection: branch not foundBranch name; available branches in error details
Test Connection: auth failedGitHub App repo access or PAT scopes
Test Connection: credentials failedSecret ARN and entity inheritance
Deploy fails FetchingSame as above + policy_path in repo
Public repo warning on successAdd App or PAT before deploy if repo is private

Full guide: Integrations troubleshooting.

Secrets for credentials

Create secrets under the entity (or ancestor) Secrets section. Types include:

  • Generic Secret — Git tokens
  • AWS S3 Credentials / AWS IAM Role
  • GCS Service Account
  • Azure Storage Account Key

The Credentials Secret picker lists secrets available to the entity and its ancestors.

Verify success

  • Test Connection succeeds
  • Manual Deploy reaches Fetching and Testing without clone errors
  • Policies appear on the Policies tab from the expected repo path
  • Environment-specific branches deploy the intended commits