
Envoy Authorization Service

Policy-driven, flexible and extensible access control with full observability built-in


How it works

The Envoy Authorization Service implements the Envoy gRPC External Authorization API (ext_authz) with a three-phase pipeline:

  1. Analysis Phase: extract and enrich request metadata (GeoIP, ASN, User-Agent, etc.)
  2. Match Phase: execute multiple match controllers concurrently, each producing a boolean verdict
  3. Policy Evaluation: combine the match verdicts using boolean expressions (e.g. (corporate-network || partner-ip) && !evil-network)

This architecture enables composable authorization patterns while maintaining high performance and observability.
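To make the Policy Evaluation phase concrete, here is an added example (not the project's own code) of a fail-closed evaluator for expressions in the form shown above: `||`, `&&`, `!`, parentheses and hyphenated match-controller names. Two behaviours are the example's own design choices rather than documented project behaviour: every branch of the expression is evaluated (no short-circuiting), so a misspelled controller name anywhere in a policy is caught, and a name that has no verdict in the match results is an error instead of silently reading as false, because a missing verdict under `!` would otherwise turn into an allow. The sample verdicts are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Verdicts maps a match controller name to the verdict it produced for the
// current request (the output of the Match Phase). Constructed here; in a real
// deployment it would come from the match controllers.
type Verdicts map[string]bool

// tokenize splits a policy expression into "(", ")", "!", "&&", "||" and names.
func tokenize(expr string) ([]string, error) {
	var toks []string
	i := 0
	for i < len(expr) {
		c := expr[i]
		switch {
		case c == ' ' || c == '\t':
			i++
		case c == '(' || c == ')' || c == '!':
			toks = append(toks, string(c))
			i++
		case strings.HasPrefix(expr[i:], "&&") || strings.HasPrefix(expr[i:], "||"):
			toks = append(toks, expr[i:i+2])
			i += 2
		case isIdentByte(c):
			j := i
			for j < len(expr) && isIdentByte(expr[j]) {
				j++
			}
			toks = append(toks, expr[i:j])
			i = j
		default:
			return nil, fmt.Errorf("unexpected character %q at offset %d", c, i)
		}
	}
	return toks, nil
}

func isIdentByte(c byte) bool {
	return c == '-' || c == '_' || unicode.IsLetter(rune(c)) || unicode.IsDigit(rune(c))
}

// parser is a recursive-descent evaluator with the usual precedence:
// "!" binds tightest, then "&&", then "||".
type parser struct {
	toks []string
	pos  int
	v    Verdicts
}

func (p *parser) peek() string {
	if p.pos < len(p.toks) {
		return p.toks[p.pos]
	}
	return ""
}

func (p *parser) next() string { t := p.peek(); p.pos++; return t }

func (p *parser) parseOr() (bool, error) {
	left, err := p.parseAnd()
	if err != nil {
		return false, err
	}
	for p.peek() == "||" {
		p.next()
		right, err := p.parseAnd() // evaluated even if left is already true
		if err != nil {
			return false, err
		}
		left = left || right
	}
	return left, nil
}

func (p *parser) parseAnd() (bool, error) {
	left, err := p.parseNot()
	if err != nil {
		return false, err
	}
	for p.peek() == "&&" {
		p.next()
		right, err := p.parseNot() // evaluated even if left is already false
		if err != nil {
			return false, err
		}
		left = left && right
	}
	return left, nil
}

func (p *parser) parseNot() (bool, error) {
	if p.peek() == "!" {
		p.next()
		val, err := p.parseNot()
		return !val, err
	}
	return p.parsePrimary()
}

func (p *parser) parsePrimary() (bool, error) {
	switch t := p.next(); {
	case t == "(":
		val, err := p.parseOr()
		if err != nil {
			return false, err
		}
		if p.next() != ")" {
			return false, fmt.Errorf("missing closing parenthesis")
		}
		return val, nil
	case t == "" || t == ")" || t == "&&" || t == "||":
		return false, fmt.Errorf("unexpected token %q", t)
	default:
		val, ok := p.v[t]
		if !ok {
			// Fail closed: a name with no verdict is a configuration error.
			return false, fmt.Errorf("unknown match controller %q", t)
		}
		return val, nil
	}
}

// Evaluate returns the policy's allow/deny result for the given verdicts.
// Any error (syntax error, unknown controller) should be treated as DENY.
func Evaluate(policy string, v Verdicts) (bool, error) {
	toks, err := tokenize(policy)
	if err != nil {
		return false, err
	}
	p := &parser{toks: toks, v: v}
	allowed, err := p.parseOr()
	if err != nil {
		return false, err
	}
	if p.pos != len(toks) {
		return false, fmt.Errorf("unexpected trailing token %q", toks[p.pos])
	}
	return allowed, nil
}

func main() {
	const policy = "(corporate-network || partner-ip) && !evil-network"
	// Constructed verdicts for two requests: one from the office, one from a
	// partner address that also appears on a blocklist.
	office := Verdicts{"corporate-network": true, "partner-ip": false, "evil-network": false}
	hostile := Verdicts{"corporate-network": false, "partner-ip": true, "evil-network": true}
	for _, v := range []Verdicts{office, hostile} {
		allowed, err := Evaluate(policy, v)
		fmt.Println("allowed:", allowed, "err:", err)
	}
	// A verdict set missing "evil-network" is rejected instead of being allowed.
	_, err := Evaluate(policy, Verdicts{"corporate-network": true, "partner-ip": false})
	fmt.Println("missing controller:", err)
}
```

Treating evaluation errors as a deny is the property to preserve when wiring any such evaluator into an ext_authz response: a policy that cannot be evaluated must not degrade into an allow.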

Quick Start

Docker (the configuration file is mounted read-only; any files it references, such as MaxMind databases, must be mounted into the container as well):

bash
docker pull ghcr.io/gtriggiano/envoy-authorization-service:1.4.0
docker run -v $(pwd)/config.yaml:/config.yaml:ro ghcr.io/gtriggiano/envoy-authorization-service:1.4.0 start --config /config.yaml

Binary:

Download the build for your arch and put it on your PATH:

Linux amd64:

bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/download/v1.4.0/envoy-authorization-service-linux-amd64
chmod +x envoy-authorization-service-linux-amd64
mv envoy-authorization-service-linux-amd64 /usr/local/bin/envoy-authorization-service

Linux arm64:

bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/download/v1.4.0/envoy-authorization-service-linux-arm64
chmod +x envoy-authorization-service-linux-arm64
mv envoy-authorization-service-linux-arm64 /usr/local/bin/envoy-authorization-service

macOS amd64:

bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/download/v1.4.0/envoy-authorization-service-darwin-amd64
chmod +x envoy-authorization-service-darwin-amd64
mv envoy-authorization-service-darwin-amd64 /usr/local/bin/envoy-authorization-service

macOS arm64:

bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/download/v1.4.0/envoy-authorization-service-darwin-arm64
chmod +x envoy-authorization-service-darwin-arm64
mv envoy-authorization-service-darwin-arm64 /usr/local/bin/envoy-authorization-service

Then start the service with your configuration:

bash
envoy-authorization-service start --config config.yaml

Example Configuration

Note

This example needs MaxMind GeoLite2 databases: an ASN database for the asn-analysis controller and a GeoIP (City or Country) database for the geoip-analysis controller. Point each databasePath at the file you downloaded.

yaml
analysisControllers:
  - name: asn-analysis
    type: maxmind-asn
    settings:
      databasePath: GeoLite2-ASN.mmdb
  - name: geoip-analysis
    type: maxmind-geoip
    settings:
      # GeoIP lookups need a GeoIP database, not the ASN one
      # (GeoLite2-Country.mmdb also works if that is what you downloaded)
      databasePath: GeoLite2-City.mmdb

Released under the MIT License
Envoy Proxy is a project of the Cloud Native Computing Foundation (CNCF)