Is it possible to use environment variables in policies? Something like

expr: P.attr.foo = env["FOO"]

?

It's not possible to access environment variables but you can pass them from your application as part of the resource attributes. Am I understanding correctly that you'd like to set environment variables for the Cerbos PDP server and use them in policies? Can you explain the use case?

Basically, yes. I was hoping to pull information from the PDP environment directly, instead of having to collect them, pass them to the PDP via the PEP. We have some special compliance related policies, that depend on some deployment environment constraints.

I guess the other option would be to have environment-specific policies (potentially using some kind of YAML templating tool)... not sure if that is better or worse than collecting and passing the properties to the PDP though, depends on your setup!

That's our current work-around... It feels wrong, though 🙂 Would you guys be interested in a PR for such a feature?

I've raised a feature request to discuss possible ways that we could handle this use case - not 100% sold on exposing all of the environment variables to the policies, but I have a proposal on the ticket that would allow specific variables to be made available. Feel free to chime in on the ticket if you have any thoughts on it!

Great, Thank You!