Skip to main content

Deployment and Operation

Edge authorizers can be deployed in various ways based on the application and target environment needs and requirements. In its most basic form, an authorizer is a Docker container instance, which can be deployed as a standalone service, sidecar, or development workstation.

An edge authorizer always operates in the context of a (single) Aserto organization and is assigned a specific policy instance to serve. This information is provided to the edge authorizer via a configuration file, which it uses to send a discovery call to the Aserto control plane.

Edge Authorizer Flavors


The onebox authorizer flavor has been deprecated. Please use the sidecar.

Currently the following flavors of edge authorizers are available:

  • Sidecar: a single-tenant, single policy authorizer without a web UI. The sidecar is the general edge authorizer flavor with a small surface area, which can be used as a sidecar but also as a local service instance.

Docker images

Sidecardocker pull

Running the Edge Authorizer

You can run the sidecar authorizer using aserto CLI. First, you need to configure your sidecar instance by running the following command. Note that POLICY_INSTANCE_NAME below is the name of a policy instance you created in the console. You can optionally turn on decision logging by using the corresponding flag:

aserto developer configure <POLICY_INSTANCE_NAME> [--decision-logging]

To configure the sidecar to connect to the Aserto control plane, use the following command. Note that EDGE_AUTHORIZER_CONNECTION_ID is the connection ID of an edge authorizer that you created in the Aserto console.

aserto developer configure <POLICY_INSTANCE_NAME> --edge-authorizer=<EDGE_AUTHORIZER_CONNECTION_ID> [--decision-logging]

To list the available edge authorizer connections, use the following command:

aserto control-plane list-connections

Then, start the sidcar instance by running the following command. Note that if you turned on decision logging in the configure command, you need to specify the --data-path flag, where the DECISION_LOG_DIRECTORY is a path to where the decision logs will be stored.

aserto developer start <POLICY_INSTANCE_NAME> [--data-path=<DECISION_LOG_DIRECTORY>]

Or by using the docker CLI selecting the correct image (

#!/usr/bin/env bash

docker run \
-ti \
--rm \
--name sidecar \
--platform=linux/amd64 \
-p 8282:8282 \
-p 8383:8383 \
-p 8484:8484 \
-v $PWD/certs:/certs:rw \
-v $PWD/cfg:/app/cfg:ro \
-v $PWD/eds:/app/db:rw \ run \
--config-file /app/cfg/config.yaml