This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

This extension may be referenced by the qualified name envoy.filters.http.rbac


This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.


This extension extends and can be used with the following extension category:

Role-Based Access Control configuration overview.


[extensions.filters.http.rbac.v3.RBAC proto]

RBAC filter config.

  "rules": "{...}",
  "shadow_rules": "{...}",
  "shadow_rules_stat_prefix": "..."

(config.rbac.v3.RBAC) Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied. If present and empty, DENY.


(config.rbac.v3.RBAC) Shadow rules are not enforced by the filter (i.e., returning a 403) but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied.


(string) If specified, shadow rules will emit stats with the given prefix. This is useful to distinguish the stat when there are more than 1 RBAC filter configured with shadow rules.


[extensions.filters.http.rbac.v3.RBACPerRoute proto]

  "rbac": "{...}"

(extensions.filters.http.rbac.v3.RBAC) Override the global configuration of the filter with this new config. If absent, the global RBAC policy will be disabled for this route.