Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration.

Sentinel policies have access to the key/value being written or information about the service being registered. This can be used to allow or deny the modification. The information that Sentinel policies have access to will expand over time.

The Consul integration with Sentinel is documented in depth in the Consul Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.


Example: Input validation depending on the name of the key.

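# Allow the write only if the value passes the check for its key.
main = rule { valid_key() }

# Each entry is [key name, regular expression the value must match].
# The patterns are anchored with ^ and $ so the whole value must match.
required = [
  ["port", "^\\d+$"], # ports must be integers
  ["name", "^\\w+$"], # name must be a word
]

valid_key = func() {
  for required as v {
    if key is v[0] {
      return value matches v[1]
    }
  }

  # Keys that are not listed in required are denied.
  return false
}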
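The patterns in the `required` list can be checked offline before the policy is deployed. The following Go program is an added example, not part of the Consul documentation: it mirrors the `valid_key` logic and compares unanchored patterns (`\d+`, `\w+`) with anchored ones, on the assumption that Sentinel's `matches` follows Go `regexp` partial-match semantics. The `rule` type, the `validKey` function and the sample writes are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// rule pairs a key name with the pattern its value must satisfy,
// mirroring one entry of the policy's `required` list (hypothetical type).
type rule struct {
	key     string
	pattern *regexp.Regexp
}

// Unanchored patterns succeed if any substring of the value matches.
var unanchored = []rule{
	{"port", regexp.MustCompile(`\d+`)},
	{"name", regexp.MustCompile(`\w+`)},
}

// Anchored patterns require the entire value to match.
var anchored = []rule{
	{"port", regexp.MustCompile(`^\d+$`)},
	{"name", regexp.MustCompile(`^\w+$`)},
}

// validKey follows the policy's valid_key: the first rule whose key name
// equals the key decides the result, and unlisted keys are denied.
func validKey(rules []rule, key, value string) bool {
	for _, r := range rules {
		if key == r.key {
			return r.pattern.MatchString(value)
		}
	}
	return false
}

func main() {
	// Constructed sample KV writes: {key, value}.
	samples := [][2]string{
		{"port", "8080"}, {"port", "8080/tcp"}, {"port", "eighty80"},
		{"name", "web"}, {"name", "web api"}, {"owner", "alice"},
	}
	for _, s := range samples {
		fmt.Printf("%-5s %-10q unanchored=%-5v anchored=%v\n", s[0], s[1],
			validKey(unanchored, s[0], s[1]), validKey(anchored, s[0], s[1]))
	}
}
```
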