Hello everyone, I'm new to the channel and I'm experimenting with Cerbos. Specifically, I wanted to use an Envoy sidecar for authorization (authz) with Cerbos. However, I'm having difficulty providing the appropriate payload. Have you ever done this kind of testing? Are there any particular Envoy libraries that could help me use Cerbos within Envoy?

Hi there! In order to fit the external AuthZ interface that envoy requires, a small shim/proxy is required to convert between the that and the Cerbos PDP call.

Hi! thx. But is there some product that can do that or is a custom proxy?

Hey, in order to use Cerbos with Envoy, you'll need something that takes the Envoy external authz payload (which basically describes the request) and converts it to principal, resource and attribute definitions that the Cerbos API needs. There are no third-party products that do that. We don't have a product that does that either because the HTTP request is too generic and describing how you want to extract parts from that to describe your principal, resource etc. is too cumbersome to do declaratively. Because you know exactly how your requests are structured, it's much easier and cleaner to just write a program yourself to extract the relevant information and pass those on to Cerbos .

Thank you for your answer!