Envoy Authorization Service

Appearance

Envoy Authorization Service

Policy-driven, flexible and extensible access control with full observability built-in

Get Started
View on GitHub
Envoy Authorization Service
🚀

Production-Ready

Graceful shutdown, health endpoints, structured logging and sensible defaults.

High Performance Pipeline

Concurrent controller execution with smart caching to keep latency low under load.

📜

Authz Policy DSL

Compose precise authorization rules with validated boolean expressions over controller verdicts.

📊

Full Observability

Prometheus metrics, structured logs, and health checks with per-controller timings and error tracking.

🏷️

Header Injection

Inject analysis results into upstream and downstream headers to propagate trust signals safely.

🧩

Configurable Controllers

Drop-in analysis and match controller plugins so you can ship custom analysis/match logic.

🌐

IP & User-Agent Intelligence

Built-in MaxMind GeoIP/ASN enrichment and UA detection to add context before matching.

🧭

Geofencing

Enforce geographic policies with GeoJSON polygon matching and region-aware rules.

🗄️

External Data Sources

Redis and PostgreSQL integrations for dynamic IP/ASN lists and threat-intel driven decisions.

How it works?

The Envoy Authorization Service implements the Envoy gRPC External Authorization API with a three-phase pipeline:

  1. Analysis Phase: Extract and enrich request metadata (GeoIP, ASN, User Agent, etc...)
  2. Match Phase: Execute multiple match controllers concurrently
  3. Policy Evaluation: Combine match verdicts using boolean expressions (eg. (corporate-network || partner-ip) && !evil-network)

This architecture enables composable authorization patterns while maintaining high performance and observability.

Quick Start

Docker:

bash
docker pull ghcr.io/gtriggiano/envoy-authorization-service:1.4.0
docker run -v $(pwd)/config.yaml:/config.yaml ghcr.io/gtriggiano/envoy-authorization-service:1.4.0 start --config /config.yaml

Binary:

Download the build for your arch:

bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/v1.4.0/download/envoy-authorization-service-linux-amd64
chmod +x envoy-authorization-service-linux-amd64
mv envoy-authorization-service-linux-amd64 /usr/local/bin/envoy-authorization-service
bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/v1.4.0/download/envoy-authorization-service-linux-arm64
chmod +x envoy-authorization-service-linux-arm64
mv envoy-authorization-service-linux-arm64 /usr/local/bin/envoy-authorization-service
bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/v1.4.0/download/envoy-authorization-service-darwin-amd64
chmod +x envoy-authorization-service-darwin-amd64
mv envoy-authorization-service-darwin-amd64 /usr/local/bin/envoy-authorization-service
bash
curl -LO https://github.com/gtriggiano/envoy-authorization-service/releases/v1.4.0/download/envoy-authorization-service-darwin-arm64
chmod +x envoy-authorization-service-darwin-arm64
mv envoy-authorization-service-darwin-arm64 /usr/local/bin/envoy-authorization-service

Then

bash
envoy-authorization-service start --config config.yaml

Example Configuration

Note

You need MaxMind databases to run this example.

yaml
analysisControllers:
  - name: asn-analysis
    type: maxmind-asn
    settings:
      databasePath: GeoLite2-ASN.mmdb
  - name: geoip-analysis
    type: maxmind-geoip
    settings:
      databasePath: GeoLite2-ASN.mmdb

Released under the MIT License
Envoy Proxy is a project of the Cloud Native Computing Foundation (CNCF)

Copyright © 2026 Giacomo Triggiano