S3 Sink Configuration | Enterprise OPA
The S3 decision log sink allows publishing decision log entries as
JSON files onto any S3-compatible blob store.
It is configured by creating a sink with an output.type of s3.
Example Configuration
decision_logs:
plugin: eopa_dl
plugins:
eopa_dl:
output:
- type: s3
endpoint: https://internal.s3.example.com
bucket: logs
access_key_id: mysecretkeyid
access_secret: F66CB198AC4B4E08A6A6A33775B7ACFE
timeout: "10s"
tls:
cert: path/to/cert.pem
private_key: path/to/key.pem
ca_cert: path/to/ca.pem
skip_cert_verify: false # default false
batching:
at_period: "10s" # flush batch every 10 seconds
at_count: 10 # flush batch every 10 log entries
at_bytes: 10240 # flush batch whenever 10240 bytes are exceeded
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
output.endpoint | string | No | empty (use AWS S3) | API Endpoint for the S3 compatible blob store. |
output.region | string | Yes | The API region to use. | |
output.bucket | string | Yes | The bucket where logs are sent to. | |
output.access_key_id | string | Yes | The API access key ID to use. | |
output.access_secret | string | Yes | The API access secret to use. | |
output.force_path | bool | No | false | Use path-style API calls (e.g. for S3-compatible APIs without wildcard DNS entries). |
output.timeout | string | No | Timeout (e.g. 10s) | |
output.tls | Object | No | See TLS configuration | |
output.batching | Object | No | See Batching configuration |