---
layout: "docs"
page_title: "Sentinel in Consul"
sidebar_current: "docs-guides-sentinel"
description: |-
  Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration.
---

# Sentinel Overview
[//]: # ( ~> The Sentinel functionality described here is available only in )
[//]: # (   [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 1.0.0 and later. )

<%= enterprise_alert :consul %>

 Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
 Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
 policies to support full conditional logic, and integration with external systems.

## Sentinel in Consul

Sentinel policies are applied during writes to the KV Store.

ACL policy definitions take a `sentinel` field specifying the code and the enforcement level.

Here's an example:


```text
  sentinel {
      code = <<EOF
import "strings"
main = rule { strings.has_suffix(value,"foo") }
enforcementlevel = "soft-mandatory"
EOF
  }
```

This policy ensures that the value written during a KV update must end with "foo".

If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".

## Imports

Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/)
from Sentinel. All functions in these imports are available to be used in policies.

## Injected Variables

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

#### Variables injected during KV store writes

| Variable Name |  Type    | Description |
| ------------- | -------- | ----------- |
| `key`         | `string` | Key being written |
| `value`       | `string` | Value being written |
| `flags`       | `uint64` | [Flags](/api/kv.html#flags) |


## Examples
The following are some examples of ACL policies with Sentinel rules.

### Any values stored under the key prefix "foo" must end with "bar"

```text
key "foo" {
    policy = "write"
    sentinel {
        code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "bar") }
EOF
    }
}
```

### The key "foo" can only be updated during business hours.

```text
key "foo" {
    policy = "write"
    sentinel {
        code = <<EOF
import "time"
main = rule { time.hour > 8 and time.hour < 17 }
EOF
    }
}
```