A new platform for documentation and tutorials is launching soon.

We are migrating Hashicorp documentation into HashiCorp Developer, our new developer experience.

Join Now
Type '/' to Search

»Vault

Vault Enterprise uses Sentinel to augment the built-in policy system to provide Role Governing Policies (RGPs) and Endpoint Governing Policies (EGPs) to enable complex, flexible policies across identities and endpoints.

Role Governing Policies (RGPs) are Sentinel policies that are tied to particular tokens, Identity entities, or Identity groups. They have access to a rich set of controls across various aspects of Vault. These are evaluated whenever a token they're attached to is used.

Endpoint Governing Policies (EGPs) are Sentinel policies that are tied to particular paths instead of tokens. They have access to as much request information as possible, but they can take effect even on unauthenticated paths, such as login paths.

The Vault integration with Sentinel is documented in depth in the Vault Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.

»Examples

Example: Endpoint policy that requires MFA authentication from a corporate network.

import "sockaddr"

# We expect logins to come only from our private IP range
cidrcheck = rule {
    sockaddr.is_contained(request.connection.remote_addr, "10.20.0.0/16")
}

# Require Ping MFA validation to succeed
ping_valid = rule {
    mfa.methods.ping.valid
}

main = rule when request.path is "auth/ldap/login" {
    ping_valid and cidrcheck
}

import "sockaddr"

# We expect logins to come only from our private IP range
cidrcheck = rule {
    sockaddr.is_contained(request.connection.remote_addr, "10.20.0.0/16")
}

# Require Ping MFA validation to succeed
ping_valid = rule {
    mfa.methods.ping.valid
}

main = rule when request.path is "auth/ldap/login" {
    ping_valid and cidrcheck
}

Example: Endpoint policy that disallows tokens created before a certain time.

import "time"
import "strings"

main = rule when not strings.has_prefix(request.path, "auth/ldap/login") {
    time.load(token.creation_time).unix > time.load("2017-09-17T13:25:29Z").unix
}

import "time"
import "strings"

main = rule when not strings.has_prefix(request.path, "auth/ldap/login") {
    time.load(token.creation_time).unix > time.load("2017-09-17T13:25:29Z").unix
}