Deploying OPA on GCE
This section outlines the steps to deploy OPA on virtual machines within Google Compute Engine (GCE). GCE is a versatile option for running an OPA Policy Decision Point (PDP) without containers, and is a good fit for use cases that require integration with GCE-based applications. The following use cases often involve running OPA on GCE:
- OPA needs to run close to an existing application or Policy Enforcement Point (PEP) on GCE, sharing the same host to achieve low-latency policy checks.
- Your deployment process for GCE is well-established, and you’re adding OPA to your toolset.
- You want to quickly set up an OPA instance for testing or development activities.
This guide will walk you through the steps and considerations for setting up and managing an OPA Policy Decision Point (PDP) on GCE.
Choosing an Operating System Image
While OPA can run on almost any GCE machine type, a Linux-based operating system image is recommended.
It is also recommended to use a service manager to run OPA. This ensures that OPA starts at boot time and is restarted if it crashes. This guide uses Systemd as the service manager, as this is what is used in most commonly available operating system images on GCE.
If you are unsure of which operating system image to use, it is recommended to run OPA on the latest default image available on GCE with Systemd, typically Debian.
Choosing a Machine Type
Choose a machine type based on the expected request load and on the memory needed for the data OPA loads for policy evaluation. While OPA itself is lightweight, the data required for policy evaluation can be large: datasets of users, roles, and other information necessary for decision-making, all of which are held in memory.
Always benchmark OPA's memory usage with your own policies and data loaded before selecting a machine type. Read more about OPA Resource Utilization.
On GCE, using a machine type smaller than e2-small is not recommended.
For readers looking to add an OPA process to run alongside their existing GCE application within the same virtual machine, it is recommended to verify that running OPA alongside the application will not cause performance issues before selecting a machine type for production use.
Networking Considerations
Public IP Addresses: These are typically not required for OPA deployments. PEPs calling OPA are generally other internal services, rather than end-users. If exposing an OPA instance running on GCE to the internet, it is recommended to use OPA's own Authentication and Authorization functionality to secure the API and to run OPA behind a reverse proxy or load balancer.
Firewall Rules: If OPA needs to be accessed by other services running in GCP, you must permit inbound traffic on the port that OPA is listening on (8181 by default). Restrict the source IP addresses to only those that need to reach OPA, rather than allowing the whole VPC or the internet. On GCE, this is configured using VPC firewall rules, which apply to instances selected by network tag or service account.
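The firewall rule described above, written as a small shell helper around gcloud. This is an added example, not part of the original page or of the OPA or Styra projects; the network name, the network tag (opa), the rule name and the source CIDRs are assumptions you should replace with your own. The helper refuses a 0.0.0.0/0 source range, since PEPs calling OPA are internal services, and with DRY_RUN=1 it prints the command instead of running it so the rule can be reviewed before it is applied:

```shell
#!/bin/sh
# Added example (not from the page or the OPA/Styra projects): create a VPC
# firewall rule that lets selected source CIDRs reach OPA's port on instances
# carrying a network tag. Network, tag, rule name and CIDRs are assumptions.
set -eu

# opa_firewall_rule NETWORK SOURCE_RANGES [RULE_NAME] [TARGET_TAG] [PORT]
# SOURCE_RANGES is a comma-separated list of CIDRs, e.g. "10.0.0.0/8,10.128.0.0/20".
# With DRY_RUN=1 the gcloud command line is printed instead of executed.
opa_firewall_rule() {
  network="$1"
  source_ranges="$2"
  rule_name="${3:-allow-opa-8181}"
  target_tag="${4:-opa}"
  port="${5:-8181}"

  # PEPs are internal services: never open the PDP to the whole internet.
  case ",$source_ranges," in
    *",0.0.0.0/0,"*)
      echo "refusing source range 0.0.0.0/0 for OPA rule $rule_name" >&2
      return 1 ;;
  esac

  # Build the command as the positional parameters so it can be printed or run.
  set -- gcloud compute firewall-rules create "$rule_name" \
    --network="$network" \
    --direction=INGRESS \
    --allow="tcp:$port" \
    --source-ranges="$source_ranges" \
    --target-tags="$target_tag" \
    --description="Allow PEPs to reach OPA on tcp/$port"

  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The OPA instance must carry the target tag for the rule to apply, e.g. when
# it is created:
#   gcloud compute instances create opa-vm --tags=opa \
#     --metadata-from-file=startup-script=opa-startup.sh ...
#
# Run only when called with arguments, e.g.: sh this.sh my-vpc 10.0.0.0/8
if [ "$#" -ge 2 ]; then
  opa_firewall_rule "$@"
fi
```

When OPA is only called from inside the VM, no firewall rule is needed at all; bind OPA to localhost instead.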
When OPA only needs to be accessed from the virtual machine it is running on, configure OPA to listen on localhost instead (for example, --addr=localhost:8181 rather than --addr=0.0.0.0:8181), so that the port is not reachable from the network at all and no firewall rule is required.
If you need OPA to listen on a privileged port (below 1024) on GCE, add the following to the startup script, after the OPA binary has been downloaded, so that the unprivileged OPA process is allowed to bind to the port. File capabilities are attached to the binary itself and are lost when it is replaced, so re-run this after every OPA upgrade:

```bash
setcap 'cap_net_bind_service=+ep' /usr/local/bin/opa
```
Startup Script
Once you have chosen the specifications for your GCE machine, it’s time to install and run OPA.
Unless you build a custom image with OPA pre-installed, the recommended way to create a new GCE instance with OPA is to pass a startup script, when the instance is created, that installs and runs OPA. This section shows such a startup script. In summary, the script will:
- Download the OPA binary for the release you specify.
- Download the OPA configuration file from Styra DAS.
- Start OPA using Systemd with this configuration file, listening on port 8181.
Before continuing, please ensure you have the following information:
- DAS API Token:
- DAS System ID:
- DAS Tenant URL:
- OPA Version: e.g. X.Y.Z (not latest or vX.Y.Z). Review the OPA releases on GitHub.
Once you have completed the above, please use the startup script below to install and run OPA:
```bash
#!/bin/bash
# Download the OPA binary for the chosen release. -f makes curl fail on an
# HTTP error instead of saving an error page as the "binary".
curl -fL -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/v/opa_linux_amd64
chmod 755 /usr/local/bin/opa

# Write the Systemd unit. ExecStartPre fetches the OPA configuration from
# Styra DAS on every start; ExecStart runs OPA as an unprivileged dynamic user.
cat <<EOF > /etc/systemd/system/opa.service
[Unit]
Description=Open Policy Agent
After=network.target
StartLimitInterval=60
StartLimitBurst=4

[Service]
# -fsS rather than -v: -v would print the request headers, including the
# Authorization bearer token, to stderr and therefore into the journal, and
# -f fails the start (so Systemd retries) if the config cannot be fetched.
ExecStartPre=/usr/bin/curl -fsS -H "Authorization: Bearer " -o /run/opa/opa-conf.yaml "/v1/systems//assets/opa-config"
ExecStart=/usr/local/bin/opa run --server --addr=0.0.0.0:8181 --config-file=/run/opa/opa-conf.yaml
RuntimeDirectory=opa
WorkingDirectory=/run/opa
Restart=always
RestartSec=5
DynamicUser=yes
ProtectSystem=full
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
# The unit file embeds the DAS API token: keep it readable by root only.
chmod 600 /etc/systemd/system/opa.service

systemctl daemon-reload
systemctl enable opa.service
systemctl start opa.service
```
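The startup script above installs whatever bytes the download returns and reports success as soon as Systemd has started the unit. As an added example, not part of the original page or of the OPA or Styra projects, the helpers below verify the downloaded binary against the release checksum before installing it, and poll OPA's /health endpoint after the service is started so the script only succeeds once OPA is actually serving. They assume the release publishes opa_linux_amd64.sha256 next to the binary, in the "<hex sha256>  opa_linux_amd64" form, and that OPA listens on the default address; both are assumptions to confirm against the release you deploy.

```shell
#!/bin/sh
# Added example (not from the page or the OPA/Styra projects): verify the OPA
# download before installing it, and wait for OPA's /health endpoint.
# Assumptions: the release ships opa_linux_amd64.sha256 holding
# "<hex sha256>  opa_linux_amd64"; OPA listens on 127.0.0.1:8181.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or BSD tooling).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE CHECKSUM_FILE: succeed only if FILE's digest equals the
# first field on the first line of CHECKSUM_FILE (the sha256sum format).
verify_sha256() {
  expected=$(awk 'NR==1 {print tolower($1)}' "$2")
  actual=$(sha256_of "$1")
  [ -n "$expected" ] || return 1
  [ "$expected" = "$actual" ]
}

# install_opa VERSION [DEST]: download the binary and its checksum for VERSION
# (X.Y.Z, no leading v) into a temp dir, verify, then install; never leaves an
# unverified file at DEST.
install_opa() {
  version="$1"
  dest="${2:-/usr/local/bin/opa}"
  base="https://github.com/open-policy-agent/opa/releases/download/v$version"
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/opa" "$base/opa_linux_amd64"
  curl -fsSL -o "$tmp/opa.sha256" "$base/opa_linux_amd64.sha256"
  if ! verify_sha256 "$tmp/opa" "$tmp/opa.sha256"; then
    echo "checksum mismatch for opa v$version; not installing" >&2
    rm -rf "$tmp"
    return 1
  fi
  install -m 0755 "$tmp/opa" "$dest"
  rm -rf "$tmp"
}

# wait_for_health [URL] [TRIES]: poll OPA's /health endpoint once per second
# for up to TRIES attempts; OPA returns 200 only once it is ready to serve.
wait_for_health() {
  url="${1:-http://127.0.0.1:8181/health}"
  tries="${2:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if curl -fsS --max-time 2 -o /dev/null "$url" 2>/dev/null; then
      return 0
    fi
    i=$((i + 1))
    [ "$i" -lt "$tries" ] && sleep 1
  done
  echo "OPA did not become healthy at $url after $tries attempts" >&2
  return 1
}

# Usage from a startup script (runs only when a version is given), e.g.:
#   sh this.sh X.Y.Z && systemctl start opa.service && wait_for_health
if [ "$#" -ge 1 ]; then
  install_opa "$1" "${2:-/usr/local/bin/opa}"
fi
```

In the startup script, replace the first curl and chmod with a call to install_opa and follow systemctl start with wait_for_health; a checksum mismatch or an OPA that never becomes healthy then fails the startup script instead of leaving a silently broken PDP behind.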
Further Reading
- SDKs for building PEP applications in your language of choice.