
Using OPCR

Aserto uses the Open Container Registry (OPCR) to store and retrieve policies, and we can use it directly to manage our policies. To interact with OPCR, we’ll need to install the OPCR CLI.

Install the OPCR CLI


You can install the policy CLI via Homebrew on macOS or Linuxbrew on Linux:

brew install opcr-io/tap/policy


You can install policy via Go:

go get -u

Sign in to

Just like with docker login, the policy CLI requires you to sign in to an OCIv2-compliant registry. To sign in to the registry, use the GitHub account you registered with, and a GitHub personal access token (PAT) as your password.

policy login -u <GitHub-account> -p <GitHub-PAT>

Pull the PeopleFinder image

policy pull aserto-templates/peoplefinder-rbac:0.0.1

Now that the image is stored locally, we can make modifications to it.

Export (unbundle) the image

Create a new folder (for example “peoplefinder-rbac”) and then execute:

policy save aserto-templates/peoplefinder-rbac:0.0.1

This produces a bundle.tar.gz file. To unpack it, run:

tar -xvf bundle.tar.gz

After unpacking the bundle.tar.gz file we can delete it. Now we can see the folder structure of the policy bundle.
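A bundle pulled from a registry is untrusted input until it has been inspected, so the unpack step can list the archive first and refuse entries that would land outside the target folder. The following is an added example, not part of the original page or the policy CLI; the function names are hypothetical, and it assumes the .manifest file sits at the top level of the unpacked bundle.

```shell
#!/bin/sh
# Added example: defensive unpack of a policy bundle.
# bundle.tar.gz and .manifest come from the page; function names are hypothetical.

# Read archive member names on stdin, one per line.
# Fail if any name is absolute or contains a ".." path component,
# since such an entry could be written outside the target folder.
bundle_names_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*)
                echo "unsafe entry: $name" >&2
                return 1 ;;
        esac
    done
    return 0
}

# unpack_bundle <bundle.tar.gz> <dest-dir>
# 1. list the archive without extracting it
# 2. extract only if every member name passes bundle_names_safe
# 3. confirm the .manifest needed by the build step is present
# Assumption: .manifest is at the top level of the bundle.
# This checks member names only; it does not inspect symlink targets.
unpack_bundle() {
    bundle=$1
    dest=$2
    listing=$(tar -tzf "$bundle") || return 1
    printf '%s\n' "$listing" | bundle_names_safe || return 1
    mkdir -p "$dest" || return 1
    tar -xzf "$bundle" -C "$dest" || return 1
    if [ ! -f "$dest/.manifest" ]; then
        echo "no .manifest in $dest; not a policy bundle root" >&2
        return 1
    fi
    return 0
}
```

After sourcing the file, `unpack_bundle bundle.tar.gz peoplefinder-rbac` performs the checked extraction into the folder used for the build step.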

If we make changes to the policy and want to have it updated on Aserto, we’ll need to build our image and push it back up to the repository so that our policy is updated in the authorizer.

Build your image

From within the same folder that includes the .manifest file, run the following command:

policy build . -t <your OPCR organization>/peoplefinder-rbac:0.0.1

Push your image

To push your image to OPCR, execute the following:

policy push <your OPCR organization>/peoplefinder-rbac:0.0.1

Your policy image will now be available in the OPCR registry.

Add a policy from OPCR to your tenant