Configuring Bundle Registry with the Styra DAS UI
To configure the Bundle Registry through the Styra DAS UI:
-
Login to the Styra DAS UI.
-
Select the System for Bundle Registry.
-
Select Settings >> Bundle Registry.
-
Configure Policy bundle deployment using one of the following options, Automatic or Manual.
-
Configure Max deployed policy bundles to keep. The Maximum number of deployed policy bundles to keep when deploying manually and this field is useful for rollback. The default is
10
. -
Configure Max policy bundles to keep. The Maximum number of built and deployed policy bundles to keep. The default is
100
. -
Configure Policy bundle registry. Select one of the following from the drop-down list.
-
Styra DAS: Styra DAS stores policy bundles and the history of past bundles. OPA downloads bundles from Styra DAS. Click Save changes to save your changes or the Reset button to reset the changes.
-
Amazon S3: Styra DAS stores policy bundles and the history of past bundles in the specified Amazon S3 bucket. Enter the details required for the following fields.
-
Region (required): Select an Amazon S3 region from a drop-down list.
-
Bucket Name (required): A string representing the bucket name.
-
Endpoint: A gateway endpoint. For more information, see Amazon S3 Endpoints.
-
Access Keys for IAM Users: Enter the following access key credentials.
-
Access Key ID (required): Enter the access key ID. For more information, see AWS IAM User Access Keys.
-
Secret Access Key (required): The Styra DAS secret is required if you are using an Amazon S3 bucket within your own AWS account.
-
-
Discovery bundle path (required): A string representing the discovery bundle path.
-
Policy bundle path (required): A string representing the policy bundle path.
-
OPA credentials for S3 bucket: Select one of the following credentials from the drop-down list.
-
Environment credentials: SLP/OPA expects to find environment variables for
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, andAWS_REGION
. -
Metadata credentials: OPA will use the AWS metadata services for EC2 or ECS to obtain the necessary credentials when running within a supported virtual machine or container. Default is IAM Role.
noteFor OPA pods to retrieve credentials from EC2 metadata API, the
--http-put-response-hop-limit
on the EKS worker nodes must be set to2
.- Web identity credentials: OPA expects to find environment variables for
AWS_ROLE_ARN
andAWS_WEB_IDENTITY_TOKEN_FILE
, in accordance with the convention used by the AWS EKS IAM Roles for Service Accounts. The default session name isopen-policy-agent
.
-
-
-
Google Cloud Storage: Styra DAS stores policy bundles and the history of past bundles in the specified Google Cloud Storage bucket. Enter the details required for the following fields.
-
Region (required): Select an Google Cloud Storage region from a drop-down list.
-
Bucket Name (required): A string representing the bucket name.
-
Endpoint: A gateway endpoint. For more information, see GCP Endpoints.
-
Service Account Hash-based Message Authentication Code (HMAC): An HMAC key is a type of credential and can be associated with a service account or a user account in Cloud Storage. Enter the following access key credentials.
-
Access Key (required): Enter the access key ID. For more information, see GCP Service Account HMAC.
-
Secret (required): The Styra DAS secret is required if you are using a Google Storage bucket within your own Google Storage account.
-
-
Discovery bundle path (required): A string representing the discovery bundle path.
-
Policy bundle path (required): A string representing the policy bundle path.
-
OPA credentials for GCS bucket: Environment credentials
-
-
-
(Optional) To configure Delta Bundles, enable the toggle switch.
-
(Optional) To configure Separate Data Bundles and Policy Bundles, which is required for Bundle Promotion, enable the toggle switch.
- (Optional) If Manual distribution is also enabled for the System and separate Data Bundles are enabled, the Data Bundle can optionally be configured with Automatic distribution. With this configuration, Policy Bundle changes will be manually distributed while Data Bundle changes will be automatically distributed.
-
Click the Save changes button.