Best Place keep Kalix_policy.proto

We have multiple actions in our project, and one kalix_policy.proto file, no matter in which folder we keep our policy file, all the endpoints throw permission denied error

Technically it should not matter which proto directory you put it in as long as it is under your protobuf directory, usually the first parent directory shared by all services makes sense since it is easier to find it than if putting it in further down in a directory herarchy.

Is the permission error not what you expect with the default ACL from your kalix_proto? Can you share the ACL you have defined in it and on a service?

Thanks for the reply, we have multiple actions, but all of the actions return the same error

// This is the default Access Control List (ACL) for all components of this Kalix Service
syntax = “proto3”;

package domain;

import “kalix/annotations.proto”;

// Allow all other Kalix services deployed in the same project to access the components of this
// Kalix service, but disallow access from the internet. This can be overridden explicitly
// per component or method using annotations.
// Documentation at Redirect Notice
option (kalix.file).acl = {
allow: { service: “*” }

Note that allow: { service: "*" } means allow calls from any other Kalix service in the same Kalix project but not requests from the public internet. You should still be able to call services through the kalix service proxy though.

If you want to have a default policy that allow all calls that would be allow: { principal: ALL }