Difficulty: Beginner
Estimated Time: 10 minutes

The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries. Using OPA, you can offload policy decisions from your service such as:

Should this API call be allowed? E.g., true or false. How much quota remains for this user? E.g., 1048. Which hosts can this container be deployed on? E.g., ["host1", "host40", ..., "host329"]. What updates must be applied to this resource? E.g., {"labels": {"team": "products}}. This tutorial shows how to get started with OPA using an interactive shell or REPL (read-eval-print loop).


REPLs are great for learning new languages and running quick experiments. You can use OPA's REPL to experiment with policies and prototype new ones.

To introduce the REPL, you will use dummy data and an example policy. In English, the policy can be stated as follows:

Servers that open an unencrypted HTTP port must not be connected to a public network. Inside the REPL, you will define rules that codify the policy stated above.

Once you finish this tutorial, you will be familiar with:

Running OPA as an interactive shell/REPL. Writing ad-hoc queries in Rego.

Open Policy Agent Tutorial

Step 1 of 3


If this is your first time using OPA, download the latest executable for your system.

On Linux (64-bit):

curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.1/opa_linux_amd64

Set permissions on the OPA executable:

chmod 755 ./opa