• Infrastructure
    • terraform
    • packer
  • Networking
    • consul
  • Security
    • vault
    • boundary
  • Applications
    • nomad
    • waypoint
    • vagrant
  • HashiCorp Cloud Platform

    A fully managed platform to automate infrastructure on any cloud with HashiCorp products.

    • consul
    • terraform
    • vault
    • packerbeta
    Visit cloud.hashicorp.com
Sentinel
  • Intro
  • Docs
Download
    • v0.19.x (latest)
    • v0.18.x
    • v0.17.x
    • v0.16.x
    • v0.15.x
    • v0.14.x
    • v0.13.x
  • Release Notes
    • Overview
    • Policy as Code
    • Policy Language
    • Imports
    • Enforcement Levels
    • Overview
    • Override Files
    • Remote Sources
    • Overview
    • apply
    • fmt
    • test
    • Overview
    • Basics
    • Rules
    • Traces
    • Testing
    • Imports
    • Debugging
    • Overview
    • Modules
    • Plugins
    • Static Imports
    • Internals

    • Overview
    • Variables
    • Values
    • Lists
    • Maps
    • Rules
    • Imports
    • Parameters
    • Boolean Expressions
    • Arithmetic
    • Slices
    • Conditionals
    • Loops
    • Collection Operations
    • Functions
    • Scope
    • Undefined
    • Logging and Errors
    • Specification
    • Overview
    • append
    • delete
    • error
    • keys
    • length
    • print
    • range
    • values
    • Overview
    • base64
    • decimal
    • http
    • json
    • runtime
    • sockaddr
    • strings
    • time
    • types
    • units
    • version

  • Consul
  • Nomad
  • Terraform
  • Vault
Type '/' to Search

»Vault

Vault Enterprise uses Sentinel to augment the built-in policy system to provide Role Governing Policies (RGPs) and Endpoint Governing Policies (EGPs) to enable complex, flexible policies across identities and endpoints.

Role Governing Policies (RGPs) are Sentinel policies that are tied to particular tokens, Identity entities, or Identity groups. They have access to a rich set of controls across various aspects of Vault. These are evaluated whenever a token they're attached to is used.

Endpoint Governing Policies (EGPs) are Sentinel policies that are tied to particular paths instead of tokens. They have access to as much request information as possible, but they can take effect even on unauthenticated paths, such as login paths.

The Vault integration with Sentinel is documented in depth in the Vault Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.

»Examples

Example: Endpoint policy that requires MFA authentication from a corporate network.

import "sockaddr"

# We expect logins to come only from our private IP range
cidrcheck = rule {
    sockaddr.is_contained(request.connection.remote_addr, "10.20.0.0/16")
}

# Require Ping MFA validation to succeed
ping_valid = rule {
    mfa.methods.ping.valid
}

main = rule when request.path is "auth/ldap/login" {
    ping_valid and cidrcheck
}

Example: Endpoint policy that disallows tokens created before a certain time.

import "time"
import "strings"

main = rule when not strings.has_prefix(request.path, "auth/ldap/login") {
    time.load(token.creation_time).unix > time.load("2017-09-17T13:25:29Z").unix
}
  • ProvisionMulti-Cloud Infrastructure
  • SecureMulti-Cloud Security
  • ConnectMulti-Cloud Networking
  • RunMulti-Cloud Orchestration
Products
  • Terraform
  • Vault
  • Consul
  • Nomad
  • Vagrant
  • Packer
  • Boundary NEW
  • Waypoint NEW
  • Sentinel
Resources
  • Blog
  • Tutorials
  • Community
  • Events
  • Integrations
  • Library
  • Partners
  • Podcast
  • Support
  • Training
Company
  • About Us
  • JobsWe're Hiring
  • Press Center
  • Brand
  • Contact Us
  • System Status
  • Cookie Manager
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
stdin: is not a tty