Service Policies
Service policies control service-to-service (S2S) communication, defining which backend services can call which other services through Auth Guard.
Why Service Policies?
Backend services in the Atlas ecosystem are deployed in a private network (VPC). They cannot communicate directly with each other. All inter-service communication must go through Auth Guard.
This architecture provides:
Centralized access control - One place to manage all S2S permissions
Audit trail - All S2S calls are logged
Security - Deny-by-default, explicit authorization required
Rate limiting - Prevent runaway service calls
┌─────────────────────────────────────────────────────────────────────────────┐
│                       SERVICE-TO-SERVICE ARCHITECTURE                       │
└─────────────────────────────────────────────────────────────────────────────┘
┌─────────────┐         ┌─────────────┐         ┌─────────────┐
│  CLI-Eval   │         │ Auto-Rater  │         │     LLM     │
│   Service   │         │   Service   │         │   Service   │
└──────┬──────┘         └──────▲──────┘         └──────▲──────┘
       │                       │                       │
       │ ❌ Direct call        │                       │
       │    NOT ALLOWED        │                       │
       │                       │                       │
       │ ✅ Via Auth Guard     │                       │
       │                       │                       │
       ▼                       │                       │
┌──────────────────────────────┴───────────────────────┴────────────────────┐
│                                AUTH GUARD                                 │
│                                                                           │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │                             POLICY ENGINE                             │ │
│ │                                                                       │ │
│ │  1. Receive request with X-Atlas-API-Key                              │ │
│ │  2. Validate API key, extract service account                         │ │
│ │  3. Lookup policy: cli-eval → auto-rater                              │ │
│ │  4. Check endpoint is in allowed_endpoints                            │ │
│ │  5. Apply rate limiting                                               │ │
│ │  6. ✅ Proxy request OR ❌ Deny with 403                             │ │
│ │                                                                       │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────────────────┘
Policy Structure
Each service policy defines a permission for one service to call another:
Policy Fields
target_service - The service being called - auto-rater
allowed_endpoints - Which endpoints can be called - ["evaluate", "get-results"]
rate_limit - Max requests per minute - 1000
quota_multiplier - Quota adjustment factor - 1.0
description - Human-readable description - CLI-Eval can call Auto-Rater
enabled - Whether policy is active - true
Example Policy
How S2S Authentication Works
Step 1: Service Gets API Key
Each service that needs to call other services must have an API key:
Step 2: Service Makes Request
Step 3: Auth Guard Validates
Endpoint Patterns
The allowed_endpoints field supports different matching patterns:
Exact Match
/v1/auto-rater/evaluate - ✅ Yes
/v1/auto-rater/get-results - ✅ Yes
/v1/auto-rater/status - ✅ Yes
/v1/auto-rater/delete - ❌ No
/v1/auto-rater/evaluate/batch - ❌ No
Wildcard Match
Any endpoint - ✅ Yes
Prefix Match
/v1/service/batch/process - ✅ Yes
/v1/service/batch/status - ✅ Yes
/v1/service/admin/read-config - ✅ Yes
/v1/service/admin/read-users - ✅ Yes
/v1/service/admin/delete - ❌ No
/v1/service/other - ❌ No
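The following is an added example, not Auth Guard's own code, of policy engine steps 3, 4 and 6 applied to the three matching modes above. The pattern spellings ("*" for any endpoint, a trailing "*" for a prefix match), the caller name, the Policy class and the /v1/<target>/<endpoint> path layout are assumptions; API key validation and rate limiting are left out.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    target_service: str
    allowed_endpoints: list
    enabled: bool = True

# Constructed sample data: the caller name and the pattern spellings
# ("batch/*", "admin/read-*", "*") are assumptions, not taken from the page.
CALLER = "cli-eval@atlas.example"
POLICIES = {
    (CALLER, "auto-rater"): Policy("auto-rater", ["evaluate", "get-results", "status"]),
    (CALLER, "service"): Policy("service", ["batch/*", "admin/read-*"]),
    (CALLER, "llm"): Policy("llm", ["*"], enabled=False),
}

def endpoint_allowed(patterns, endpoint):
    """A pattern ending in '*' is a prefix match ('*' alone matches anything);
    any other pattern must equal the endpoint exactly."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if endpoint.startswith(pattern[:-1]):
                return True
        elif pattern == endpoint:
            return True
    return False

def authorize(policies, caller, path):
    """Return (status, reason) for an already authenticated caller."""
    parts = path.split("/", 3)  # "/v1/<target>/<endpoint>" -> ["", "v1", target, endpoint]
    if len(parts) != 4 or parts[:2] != ["", "v1"]:
        return 403, "No policy found"
    target, endpoint = parts[2], parts[3]
    policy = policies.get((caller, target))
    if policy is None:  # deny by default: no caller -> target policy
        return 403, "No policy found"
    if not policy.enabled:
        return 403, "Policy disabled"
    # Match on normalized paths only: refuse empty and dot segments
    # before any prefix pattern is evaluated.
    if any(seg in ("", ".", "..") for seg in endpoint.split("/")):
        return 403, "Endpoint not allowed"
    if not endpoint_allowed(policy.allowed_endpoints, endpoint):
        return 403, "Endpoint not allowed"
    return 200, "proxied"
```

The three 403 reasons mirror the messages listed under Troubleshooting, so a denied call can be traced to a missing policy, a disabled policy or an endpoint outside allowed_endpoints.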
Common Policy Patterns
Full Access
Allow service to call any endpoint:
Read-Only Access
Allow only read operations:
Specific Operations
Allow only certain operations:
Batch Operations
Allow batch endpoints only:
Admin Dashboard
Access policy management at: /admin/policies
Policy List View
Caller - Service account email
Target - Target service name
Endpoints - Allowed endpoint patterns
Rate Limit - Requests per minute
Status - enabled/disabled
Policy Actions
Create - Add new S2S policy
Edit - Modify policy configuration
Enable/Disable - Toggle policy
Delete - Remove policy
Reload Cache - Force policy cache refresh
Setting Up S2S Communication
Step-by-Step Guide
Create API Key for Calling Service
Note the Service Account
Create Service Policy
Configure Calling Service
Test the Connection
Best Practices
Policy Design
Least privilege - Only allow needed endpoints
Specific patterns - Avoid * when possible
Document purpose - Clear descriptions
Regular audits - Review quarterly
Security
Rotate API keys - Security hygiene
Monitor S2S calls - Detect anomalies
Disable unused - Reduce attack surface
Alert on failures - Catch misconfigurations
Operations
Disable before delete - Safe testing
Test in dev first - Validate configuration
Use rate limits - Prevent runaway calls
Log everything - Audit trail
Troubleshooting
"403 Forbidden: No policy found"
Cause: No policy exists for the caller → target combination.
Solution:
Verify service_account_email is exactly correct
Verify target_service matches route name
Create policy if missing
"403 Forbidden: Endpoint not allowed"
Cause: Policy exists but endpoint isn't in allowed_endpoints.
Solution:
Check exact endpoint being called
Add endpoint to allowed_endpoints
Use wildcard if appropriate
"403 Forbidden: Policy disabled"
Cause: Policy exists but enabled: false.
Solution:
Enable the policy in dashboard
Or create new enabled policy
"429 Too Many Requests"
Cause: Service exceeded rate limit.
Solution:
Increase rate_limit in policy
Implement backoff in calling service
Optimize call patterns
"Policy changes not taking effect"
Cause: Policy cache not refreshed.
Solution:
Click "Reload Policies" in dashboard
Wait 30 seconds for propagation
Restart Auth Guard if urgent