RATATOSKRATATOSK
Sign in

Open Policy Agent (OPA)

v1.15.0Security
Mar 27, 2026

OPA v1.15.0 adds a pluggable logging system with file rotation, breaks custom HTTPAuthPlugin implementations, and extends AWS signing to support web identity credentials.

  • breakingAudit and fix custom HTTPAuthPlugin implementations before upgrading

    If you've built a custom HTTPAuthPlugin, NewClient() is now called once per Client instance, not per request. Any per-request logic (counters, transport wrapping, logging side effects) sitting in NewClient() will now execute exactly once and silently produce wrong behavior. Before upgrading, audit your plugin and move all per-request logic to Prepare(). OPA's own built-in plugins are already updated, so this only affects teams with custom plugins.

  • enhancementAdopt the file logger plugin to consolidate OPA log management

    The new file_logger plugin writes structured JSON logs with automatic rotation, covering both runtime and decision logs through a single configuration block under server.logger_plugin. If you're currently tailing OPA stdout or piping to an external log shipper, switching to the file logger reduces operational complexity and gives you rotation out of the box. Decision log plugin output via the same logger plugin is a clean alternative to the HTTP bundle endpoint for low-latency environments.

  • enhancementEnable web identity credentials for AWS-backed OPA deployments on EKS

    OPA running on EKS with IRSA (IAM Roles for Service Accounts) can now use Web Identity tokens directly for Assume Role credential flows in AWS Signing. If you've been working around this with instance profile credentials or manual token injection, you can now configure this natively. Update your REST plugin AWS signing config to use the web identity provider and align with standard EKS IAM patterns.

Key changes (5)

  • New logger plugin interface (based on Go's slog.Handler) lets you route OPA runtime and decision logs to custom destinations, including a built-in file logger with rotation via lumberjack
  • Breaking: HTTPAuthPlugin.NewClient() is now called once and cached — per-request logic there will silently stop working; move it to Prepare()
  • AWS Signing now supports Web Identity (Service Account) credentials for Assume Role flows
  • TLS client cert re-reads are now configurable via cert_reread_interval_seconds, with content hashing to skip unnecessary re-parses
  • All TLS configurations now inherit server-level minimum version and ciphersuite settings — previously per-client TLS configs could diverge