Skip to content
Open Policy Agent-backed authentication in OpenFaaS Serverless functions
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
opa-auth initial commit Oct 15, 2019
stack.yml initial commit Oct 15, 2019


This repository provides an example of Open Policy Agent-backed authentication in OpenFaaS Serverless functions.

Quick Start

To try it out, you will need to have an OPA server in your OpenFaaS stack. A version implementing this by default can be found here. Once this is up and running, fetch the golang-http-gomod template and deploy as normal:

$ faas-cli template pull
$ faas-cli up --skip-push

Example Policy

A simple example rego policy is provided in order to get started. This policy prohibits access by default, allowing access to the named function only for a specified user:

package openfaas.authz

default allow = false

allow {
  input.function == "opa-auth"
  input.user == "alice"

Function Invocation

Invocation of the function is prohibited by default by the example policy:

$ curl -X POST

Retrying the request with the permitted named user succeeds:

$ curl -H 'Authorization: alice' -X POST
Authorization OK


Released under the terms of the MIT license.

You can’t perform that action at this time.