Quick Start
This guide walks you through installing and configuring the OPA Backend plugin in your Backstage instance.
Prerequisites
- A running OPA server. See Deploying OPA for a guide on running OPA as a sidecar to Backstage, or the OPA deployment docs for other options.
Step 1 — Install the package
yarn --cwd packages/backend add @parsifal-m/plugin-opa-backend
Step 2 — Register the plugin
Add the plugin to packages/backend/src/index.ts:
import { createBackend } from '@backstage/backend-defaults';
const backend = createBackend();
// ... other plugins
backend.add(import('@parsifal-m/plugin-opa-backend'));
backend.start();
Step 3 — Configure app-config.yaml
Add the openPolicyAgent block to your app-config.yaml. Only enable the features you actually need.
openPolicyAgent:
# Base URL of your OPA server. Required for all routes that call OPA.
baseUrl: 'http://localhost:8181'
entityChecker:
# Set to true to enable the /api/opa/entity-checker route.
# Required by the opa-entity-checker frontend plugin.
enabled: true
# Entry point in your Rego policy that returns violation messages.
# Maps to: package entity_checker, rule violation
policyEntryPoint: 'entity_checker/violation'
policyViewer:
# Set to true to enable the /api/opa/get-policy route.
# Required by the opa-policies frontend plugin.
enabled: true
Note: The
/api/opa/opa-authzroute (used byopa-authz-react) is always mounted — noenabledflag is needed. All other routes are disabled by default.
Note:
policyEntryPointis required whenentityChecker.enabledistrue. If it is missing, the plugin will return a 500 error when the/api/opa/entity-checkerendpoint is called.
Step 4 — Verify
With your Backstage backend running, confirm the plugin is healthy:
curl http://localhost:7007/api/opa/health
# {"status":"ok"}
Next steps
- Reference — full config key and HTTP endpoint documentation
- OPA Entity Checker — set up entity validation
- OPA Authz React — add UI authorization
- OPA Policies — display Rego policies on entity pages