search

Service Policies

Service policies control service-to-service (S2S) communication, defining which backend services can call which other services through Auth Guard.

hashtag
Why Service Policies?

Backend services in the Atlas ecosystem are deployed in a private network (VPC). They cannot communicate directly with each other. All inter-service communication must go through Auth Guard.

This architecture provides:

  • Centralized access control - One place to manage all S2S permissions

  • Audit trail - All S2S calls are logged

  • Security - Deny-by-default, explicit authorization required

  • Rate limiting - Prevent runaway service calls

┌─────────────────────────────────────────────────────────────────────────────┐
│                     SERVICE-TO-SERVICE ARCHITECTURE                          │
└─────────────────────────────────────────────────────────────────────────────┘

  ┌─────────────┐         ┌─────────────┐         ┌─────────────┐
  │  CLI-Eval   │         │  Auto-Rater │         │     LLM     │
  │   Service   │         │   Service   │         │   Service   │
  └──────┬──────┘         └──────▲──────┘         └──────▲──────┘
         │                       │                       │
         │ ❌ Direct call        │                       │
         │    NOT ALLOWED        │                       │
         │                       │                       │
         │ ✅ Via Auth Guard     │                       │
         │                       │                       │
         ▼                       │                       │
  ┌──────────────────────────────┴───────────────────────┴────────────────────┐
  │                            AUTH GUARD                                      │
  │                                                                            │
  │  ┌──────────────────────────────────────────────────────────────────────┐ │
  │  │                      POLICY ENGINE                                    │ │
  │  │                                                                       │ │
  │  │  1. Receive request with X-Atlas-API-Key                              │ │
  │  │  2. Validate API key, extract service account                         │ │
  │  │  3. Lookup policy: cli-eval → auto-rater                              │ │
  │  │  4. Check endpoint is in allowed_endpoints                            │ │
  │  │  5. Apply rate limiting                                               │ │
  │  │  6. ✅ Proxy request OR ❌ Deny with 403                               │ │
  │  │                                                                       │ │
  │  └──────────────────────────────────────────────────────────────────────┘ │
  └───────────────────────────────────────────────────────────────────────────┘

hashtag
Policy Structure

Each service policy defines a permission for one service to call another:

hashtag
Policy Fields

Field
Description
Example

service_account_email

The calling service's identity

[email protected]

target_service

The service being called

auto-rater

allowed_endpoints

Which endpoints can be called

["evaluate", "get-results"]

rate_limit

Max requests per minute

1000

quota_multiplier

Quota adjustment factor

1.0

description

Human-readable description

CLI-Eval can call Auto-Rater

enabled

Whether policy is active

true

hashtag
Example Policy

hashtag
How S2S Authentication Works

hashtag
Step 1: Service Gets API Key

Each service that needs to call other services must have an API key:

hashtag
Step 2: Service Makes Request

hashtag
Step 3: Auth Guard Validates

hashtag
Endpoint Patterns

The allowed_endpoints field supports different matching patterns:

hashtag
Exact Match

Request
Match?

/v1/auto-rater/evaluate

✅ Yes

/v1/auto-rater/get-results

✅ Yes

/v1/auto-rater/status

✅ Yes

/v1/auto-rater/delete

❌ No

/v1/auto-rater/evaluate/batch

❌ No

hashtag
Wildcard Match

Request
Match?

Any endpoint

✅ Yes

hashtag
Prefix Match

Request
Match?

/v1/service/batch/process

✅ Yes

/v1/service/batch/status

✅ Yes

/v1/service/admin/read-config

✅ Yes

/v1/service/admin/read-users

✅ Yes

/v1/service/admin/delete

❌ No

/v1/service/other

❌ No

hashtag
Common Policy Patterns

hashtag
Full Access

Allow service to call any endpoint:

hashtag
Read-Only Access

Allow only read operations:

hashtag
Specific Operations

Allow only certain operations:

hashtag
Batch Operations

Allow batch endpoints only:

hashtag
Admin Dashboard

Access policy management at: /admin/policies

hashtag
Policy List View

Column
Description

Caller

Service account email

Target

Target service name

Endpoints

Allowed endpoint patterns

Rate Limit

Requests per minute

Status

enabled/disabled

hashtag
Policy Actions

Action
Description

Create

Add new S2S policy

Edit

Modify policy configuration

Enable/Disable

Toggle policy

Delete

Remove policy

Reload Cache

Force policy cache refresh

hashtag
Setting Up S2S Communication

hashtag
Step-by-Step Guide

  1. Create API Key for Calling Service

  2. Note the Service Account

  3. Create Service Policy

  4. Configure Calling Service

  5. Test the Connection

hashtag
Best Practices

hashtag
Policy Design

Practice
Reason

Least privilege

Only allow needed endpoints

Specific patterns

Avoid * when possible

Document purpose

Clear descriptions

Regular audits

Review quarterly

hashtag
Security

Practice
Reason

Rotate API keys

Security hygiene

Monitor S2S calls

Detect anomalies

Disable unused

Reduce attack surface

Alert on failures

Catch misconfigurations

hashtag
Operations

Practice
Reason

Disable before delete

Safe testing

Test in dev first

Validate configuration

Use rate limits

Prevent runaway calls

Log everything

Audit trail

hashtag
Troubleshooting

hashtag
"403 Forbidden: No policy found"

Cause: No policy exists for the caller → target combination.

Solution:

  1. Verify service_account_email is exactly correct

  2. Verify target_service matches route name

  3. Create policy if missing

hashtag
"403 Forbidden: Endpoint not allowed"

Cause: Policy exists but endpoint isn't in allowed_endpoints.

Solution:

  1. Check exact endpoint being called

  2. Add endpoint to allowed_endpoints

  3. Use wildcard if appropriate

hashtag
"403 Forbidden: Policy disabled"

Cause: Policy exists but enabled: false.

Solution:

  1. Enable the policy in dashboard

  2. Or create new enabled policy

hashtag
"429 Too Many Requests"

Cause: Service exceeded rate limit.

Solution:

  1. Increase rate_limit in policy

  2. Implement backoff in calling service

  3. Optimize call patterns

hashtag
"Policy changes not taking effect"

Cause: Policy cache not refreshed.

Solution:

  1. Click "Reload Policies" in dashboard

  2. Wait 30 seconds for propagation

  3. Restart Auth Guard if urgent

PreviousService RoutesNextNotifications Admin

Last updated