Skip to main content

Deployment and Operation

Edge authorizers can be deployed in various ways based on the application and target environment needs and requirements. In its most basic form, an authorizer is a Docker container instance, which can be deployed as a standalone service, sidecar, or development workstation.

An edge authorizer always operates in the context of a (single) Aserto organization and is assigned a specific policy instance to serve. This information is provided to the edge authorizer via a configuration file, which it uses to send a discovery call to the Aserto control plane.

Edge Authorizer Flavors

A couple of flavors of edge authorizers are available:

  • Onebox: a single-tenant, single policy authorizer with a built-in web UI, to be used as a developer workstation.
  • Sidecar: a single-tenant, single policy authorizer without a web UI. The sidecar is the general edge authorizer flavor with a small surface area, which can be used as a sidecar but also as a local service instance.

Docker images

Oneboxdocker pull
Sidecardocker pull

Running the Edge Authorizer

You can run the Onebox authorizer using aserto CLI. First, you need to configure your Onebox instance by running the following command:

aserto developer configure <POLICY_INSTANCE_NAME>

Then, start the Onebox instance by running:

aserto developer start <POLICY_INSTANCE_NAME>

Or by using the docker CLI selecting the correct image ( or

#!/usr/bin/env bash

docker run \
-ti \
--rm \
--name aserto-one \
--platform=linux/amd64 \
-p 8282:8282 \
-p 8383:8383 \
-p 8484:8484 \
-v $PWD/certs:/certs:rw \
-v $PWD/cfg:/app/cfg:ro \
-v $PWD/eds:/app/db:rw \ run \
--config-file /app/cfg/config.yaml