I'm trying to fetch a bundle.tar.gz from a locally hosted s3-compatible storage (MinIO) and when anonymous access to the bucket is enabled, everything goes fine. Unfortunately, I need anonymous access disabled as part of the project owner's requirements. The credentials I have are an Access Key Id and Secret Access key. Is there a way to get the bundle file with these crendentials?

Hi @Charlie Batten - welcome 🙂 I’m planning on answering you here, I’m just in a few meetings at the moment - will reply soon

Thank you so much - there's no rush at all!

Answered on Github, but adding here as well 🙂 You can use the

OPAL_POLICY_BUNDLE_SERVER_TOKEN

env-var to have the OPAL-server use an “Authorization”, “Bearer {token}” header.

Yes, unfortunately, I don't believe I have a way to generate a bearer token for use in that env var. If it does help, our previous deployment was using OPA (without OPAL) with the following arguments:

@echo off
SET AWS_ACCESS_KEY_ID=REDACTED
SET AWS_SECRET_ACCESS_KEY=REDACTED
SET AWS_REGION=uk
opa_windows_amd64.exe run -s -l debug --set "services.s3.url=<http://s3-local>" --set "services.s3.credentials.s3_signing.environment_credentials=null" --set "bundles.authz.service=s3" --set "bundles.authz.resource=open-policy-agent-bundles/env/bundle.tar.gz"

Would there be a way to pass this data through OPAL into OPA?

I’m afraid not, as it is not OPA talking to the bundle-server but the OPAL-server. This is a missing feature - would you be willing to try and do a PR for it? Otherwise I can check if @Asaf Cohen / @Ro'e Katz / @Ori Shavit can get to it next week

I'm afraid that python is far from my specialty and I'm kind of muddling my way around as is 😕

Got it, and can it wait for early next week?

Yes of course! That would be brilliant 😄

Cool. I’ll get the team on it 😇

Thank you so so so much

Hi Charlie - lacking free team members to work on this I ended up doing it myself https://github.com/permitio/opal/pull/472 Can you give it a try before we merge it to master ?

Hi Or, I gave it a quick go yesterday, but was unsuccessful in making the request. I'll have a play with it today and see if I can get it working 🙂

That's awesome! Teamwork 💪 A new branch and pull request would be better for the CR flow

I'm trying to push the branch, and am getting this error:

remote: Permission to permitio/opal.git denied to cbat98.fatal: unable to access '<https://github.com/permitio/opal.git/>': The requested URL returned error: 403

Hi @Charlie Batten in order to contribute you need to fork the OPAL repo and then open a pull request from a branch on your fork repo to @Or Weis’s branch on the main OPAL repo

I see, thanks Asaf. I'll get on that 🙂

Really exciting @Charlie Batten !! We are honored your first contribution is to OPAL 🙂

PR is up 🙂

Will review shortly.

@Charlie Batten Sending you a DM 🙂

Do you have a release cycle for releasing versions of the docker images to docker hub?

@Ro'e Katz is aiming for a release next week. In general - on avg. we do once a month.

Ok thank you 😄