Vault Enterprise uses Sentinel to augment the built-in policy system to provide Role Governing Policies (RGPs) and Endpoint Governing Policies (EGPs) to enable complex, flexible policies across identities and endpoints.

Role Governing Policies (RGPs) are Sentinel policies that are tied to particular tokens, Identity entities, or Identity groups. They have access to a rich set of controls across various aspects of Vault. These are evaluated whenever a token they're attached to is used.

Endpoint Governing Policies (EGPs) are Sentinel policies that are tied to particular paths instead of tokens. They have access to as much request information as possible, but they can take effect even on unauthenticated paths, such as login paths.

The Vault integration with Sentinel is documented in depth in the Vault Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.


Example: Endpoint policy that requires MFA authentication from a corporate network.

import "sockaddr"

# We expect logins to come only from our private IP range
cidrcheck = rule {
    sockaddr.is_contained(request.connection.remote_addr, "")

# Require Ping MFA validation to succeed
ping_valid = rule {

main = rule when request.path is "auth/ldap/login" {
    ping_valid and cidrcheck

Example: Endpoint policy that disallows tokens created before a certain time.

import "time"
import "strings"

main = rule when not strings.has_prefix(request.path, "auth/ldap/login") {
    time.load(token.creation_time).unix > time.load("2017-09-17T13:25:29Z").unix