Skip to main content

Authorization of Service Mesh through Envoy

Envoy-authz is a middleware of Envoy which performs external RBAC & ABAC authorization through casbin. This middleware uses Envoy's external authorization API through a gRPC server. This proxy would be deployed on any type of envoy-based service meshes like Istio.


  • Envoy 1.17+
  • Istio or any type of service mesh
  • grpc dependencies

Dependencies are managed through go.mod.

Working of Middleware

  • A client would make a http request.
  • Envoy proxy would send that request to grpc server.
  • The grpc server would then authorize the request based on casbin policies.
  • If authorized, the request would be sent through or else, it gets denied.

The grpc server is based on protocol buffer from external_auth.proto from Envoy.

// A generic interface for performing authorization check on incoming
// requests to a networked service.
service Authorization {
// Performs authorization check based on the attributes associated with the
// incoming request, and returns status `OK` or not `OK`.
rpc Check(v2.CheckRequest) returns (v2.CheckResponse);

From the above proto file, we have to use Check() service in the authorization server.


  • Define the Casbin policies under config files by following this guide.

You can verify/test your policies on online casbin-editor.

  • Start the authorizing server by running:-
$ go build .
$ ./authz
  • Load the envoy configuration:-
$  envoy -c authz.yaml -l info

Once the envoy starts, it will start intercepting requests for the authorization process.

Integrating to Istio

You need to send custom headers, which would contain usernames in the JWT token OF headers for this middleware to work. You can check the official Istio docs to get more info on modifying Request Headers.