---
layout: guides
page_title: Sentinel - Guides
description: |-
  Vault Enterprise supports Sentinel to provide a rich set of access control
  functionality. This guide walks through the creation and usage of role
  governing policies (RGPs) and endpoint governing policies (EGPs).
---

# Sentinel Policies

~> **Enterprise Only:** Sentinel is a part of _Vault Enterprise Premium_.

_Sentinel_ is a language framework for policy build to be embedded in Vault
Enterprise to enable fine-grained, logic-based policy decisions which cannot be
fully handled by the ACL policies.

**Role Governing Policies (RGPs)** and **Endpoint Governing
Policies (EGPs)** can be defined using Sentinel:

- RGPs are tied to particular tokens, identity entities, or identity groups
- EGPs are tied to particular paths (e.g. `aws/creds/`)

> This guide walks you through the authoring of Sentinel policies in Vault. For
> ACL policy authoring, refer to the [Policies](/guides/identity/policies)
> guide.

## Reference Material

- [Sentinel Getting Started Guide](https://docs.hashicorp.com/sentinel/intro/getting-started/first-policy)
- [Sentinel](https://docs.hashicorp.com/sentinel/) documentation
- [Vault Sentinel](/docs/enterprise/sentinel) documentation
- [Security and Fundamentals at Scale with Vault](https://www.youtube.com/watch?time_continue=121&v=yiPbKICFkvQ)
- [Identity - Entities and Groups](/guides/identity/identity) guide

## Estimated Time to Complete

5 - 10 minutes

## Challenge

ACL policies are **_path-based_** that it has the following challenges:

- Cannot grant permissions based on logics other than paths
- Paths are merged in ACL policies which could potentially cause a conflict as
  the number of policies grows

What if the policy requirement was to grant read permission on `secret/orders`
path **_only if_** the request came from an IP address within a certain CIDR?

## Solution

Use Sentinel policies (RGPs and/or EGPs) to fulfill more complex policy
requirements.

Sentinel can access properties of the incoming requests and make a decision
based on a certain set of conditions. Available properties include:

- **request** - Information about the request itself (path, operation type,
  parameters, etc.)
- **token** - Information about the token being used (creation time, attached
  policies, etc.)
- **identity** - Identity entities and all related data
- **mfa** - Information about successful MFA validations

## Prerequisites

To perform the tasks described in this guide, you need to have a **_Vault
Enterprise_** environment.

### Policy requirements

Since this guide demonstrates the creation of policies, log in with highly
privileged token such as **`root`**. Required permissions are:

```shell
# To list policies
path "sys/policies/*"
{
  capabilities = ["list"]
}

# Create and manage EGPs
path "sys/policies/egp/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

## Steps

This guide demonstrates basic Sentinel policy authoring and management tasks.

1. [Write Sentinel Policies](#step1)
1. [Test the Sentinel Policies](#step2)
1. [Deploy your EGP policies](#step3)
1. [Delete Sentinel Policies](#step4)

### Step 1: Write Sentinel Policies ((#step1))

#### Anatomy of Sentinel Policies

```hcl
import "<library>"

<variable> = <value>

main = rule {
     <conditions_to_evaluate>
}
```

- **`import`** - Enables your policy to access reusable libraries. There are a
  set of built-in [imports](https://docs.hashicorp.com/sentinel/imports/)
  available to help define your policy rules.

- **`main`** (required) - Every Sentinel policy must have a **`main`** rule
  which is evaluated to determine the result of a policy.

- **`rule`** - A first-class construct in Sentinel. It describes a set of
  conditions resulting in either true or false. (NOTE: Refer to the [Boolean
  Expressions](https://docs.hashicorp.com/sentinel/language/boolexpr) for the full
  list of available operators in writing rules.)

- **`<variable>`** - Variables are dynamically typed in Sentinel. You can define
  its value explicitly or implicitly by the host system or [function](https://docs.hashicorp.com/sentinel/language/functions).

~> **NOTE:** The Sentinel language supports many features such as functions,
loops, slices, etc. You can learn about all of this in the [complete language
guide](https://docs.hashicorp.com/sentinel/language/).

#### Policy requirements

In this guide, you are going to write Sentinel policies that fulfill the
following requirements:

1. Any incoming request against the "`secret/accounting/*`" to be performed
   during the business hours (7:00 am to 6:00 pm during the work days).

1. Any `create`, `update` and `delete` operations against Key/Value secret
   engine (mounted at "`secret`") **must** come from an internal IP of
   `122.22.3.4/32` CIDR.

#### Sentinel Policies

Requirement #1: **`business-hrs.sentinel`**

```shell
import "time"

# Expect requests to only happen during work days (Monday through Friday)
# 0 for Sunday and 6 for Saturday
workdays = rule {
    time.now.weekday > 0 and time.now.weekday < 6
}

# Expect requests to only happen during work hours (7:00 am - 6:00 pm)
workhours = rule {
    time.now.hour > 7 and time.now.hour < 18
}

main = rule {
    workdays and workhours
}
```

Requirement #2: **`cidr-check.sentinel`**

```shell
import "sockaddr"
import "strings"

# Only care about create, update, and delete operations against secret path
precond = rule {
    request.operation in ["create", "update", "delete"] and
    strings.has_prefix(request.path, "secret/")
}

# Requests to come only from our private IP range
cidrcheck = rule {
    sockaddr.is_contained(request.connection.remote_addr, "122.22.3.4/32")
}

# Check the precondition before execute the cidrcheck
main = rule when precond {
    cidrcheck
}
```

> **NOTE:** The **`main`** has conditional rule (`when precond`) to ensure that
> the rule gets evaluated only if the request is relevant.

~> Refer to the [Sentinel Properties](/docs/enterprise/sentinel/properties)
documentation for available properties which Vault injects to Sentinel to allow
fine-grained controls.

### Step 2: Test the Sentinel Policies ((#step2))

You can test the Sentinel policies prior to deployment in orders to validate
syntax and to document expected behavior.

1.  First, you need to download the [Sentinel simulator](https://docs.hashicorp.com/sentinel/downloads).

    **Example:**

    ```plaintext
    $ wget https://releases.hashicorp.com/sentinel/0.3.1/sentinel_0.3.1_darwin_amd64.zip
    $ unzip sentinel_0.3.1_darwin_amd64.zip -d /usr/local/bin
    ```

1.  Create a sub-folder named, **`test`** where `cidr-check.sentinel` and
    `business-hrs.sentinel` policies are located. Under the `test` folder, you want
    to create a sub-folder for each policy: **`cidr-check`** and **`business-hrs`**.

    ```plaintext
    $ mkdir -p test/business-hrs
    $ mkdir -p test/cidr-check
    ```

    > **NOTE:** The test should be created under `/test/<policy_name>` folder.

1.  Write a passing test case in a file named, **`success.json`** under
    `test/business-hrs` directory.

    ```plaintext
    {
        "global": {
            "timespace": {
                "weekday": 1,
                "hour": 12
            }
        }
    }
    ```

    Under **`global`**, you specify the mock test data. In this example, the
    `weekday` is set to `1` which is **`Monday`** and `hour` is set to `12`
    which is **`noon`**. Therefore, the `main` should return `true`.

1.  Write a failing test in a file named, **`fail.json`** under `test/business-hrs`.

    ```plaintext
    {
        "global": {
            "timespace": {
                "weekday": 0,
                "hour": 12
            }
        }
    }
    ```

    The mock data is set to **`Sunday`** at **`noon`**; therefore, Therefore, the `main` should return `false`.

1.  Similarly, write a passing test case for `cidr-check` policy, **`test/cidr-check/success.json`**:

    ```plaintext
    {
      "global": {
        "request": {
          "connection": {
              "remote_addr": "122.22.3.4"
          },
          "operation": "create",
          "path": "secret/orders"
        }
      }
    ```

    In this example, the `global` specifies the `create` operation is invoked on
    `secret/orders` endpoint which initiated from an IP address `122.22.3.4`.
    Therefore, the `main` should return `true`.

1.  Write a failing test for `cidr-check` policy, **`test/cidr-check/fail.json`**.

    ```plaintext
    {
      "global": {
        "request": {
          "connection": {
            "remote_addr": "122.22.3.10"
          },
          "operation": "create",
          "path": "secret/orders"
        }
      },
      "test": {
        "precond": true,
        "main": false
      }
    }
    ```

    This test will fail because of the IP address mismatch. However, the
    `precond` should pass since the requested operation is `create` and the
    targeted endpoint is `secret/orders`.

    > The optional **`test`** definition adds more context to why the test
    > should fail. The expected behavior is that the test fails because `main`
    > returns `false` but `precond` should return `true`.

1.  Now, you have written both success and failure tests:

    ```plaintext
    ├── business-hrs.sentinel
    ├── cidr-check.sentinel
    └── test
        ├── business-hrs
        │   ├── fail.json
        │   └── success.json
        └── cidr-check
            ├── fail.json
            └── success.json
    ```

1.  Execute the test:

    ```plaintext
    $ sentinel test

    PASS - business-hrs.sentinel
      PASS - test/business-hrs/success.json  PASS - test/business-hrs/fail.json
    PASS - cidr-check.sentinel
      PASS - test/cidr-check/success.json  PASS - test/cidr-check/fail.json
    ```

    > **NOTE:** If you want to see the tracing and log output for those tests,
    > run the command with `-verbose` flag.

### Step 3: Deploy your EGP policies ((#step3))

Sentinel policies has three **enforcement levels**:

| Level          | Description                                                                |
| -------------- | -------------------------------------------------------------------------- |
| advisory       | The policy is allowed to fail. Can be used as a tool to educate new users. |
| soft-mandatory | The policy must pass unless an override is specified.                      |
| hard-mandatory | The policy must pass no matter what!                                       |

Since both policies are tied to specific paths, the policy type that you are
going to create is Endpoint Governing Policies (EGPs).

#### CLI command

1.  Store the Base64 encoded `cidr-check.sentinel` policy in an environment
    variable named `POLICY`.

    ```plaintext
    $ POLICY=$(base64 cidr-check.sentinel)
    ```

1.  Create a policy `cidr-check` with enforcement level of **hard-mandatory** to
    reject all requests coming from IP addressed that are not internal.

    ```plaintext
    $ vault write sys/policies/egp/cidr-check \
            policy="${POLICY}" \
            paths="secret/*" \
            enforcement_level="hard-mandatory"
    ```

1.  You can read the policy by executing the following command:

    ```plaintext
    $ vault read sys/policies/egp/cidr-check
    ```

1.  Repeat the steps to create a policy named `business-hrs`.

    ```shell
    # Encode the business-hrs policy
    $ POLICY2=$(base64 business-hrs.sentinel)

    # Create a policy with soft-mandatory enforcement-level
    $ vault write sys/policies/egp/business-hrs \
            policy="${POLICY2}" \
            paths="secret/accounting/*" \
            enforcement_level="soft-mandatory"

    # To read the policy you just created
    $ vault read sys/policies/egp/business-hrs
    ```

#### API call using cURL

To create EGP policies, use the `/sys/policies/egp` endpoint:

```shell-session
$ curl --header "X-Vault-Token: <TOKEN>" \
       --request PUT \
       --data <PAYLOAD> \
       <VAULT_ADDRESS>/v1/sys/policies/egp/<POLICY_NAME>
```

Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the Base64 encoded
policy, endpoint paths, and enforcement level.

1.  Store the Base64 encoded `cidr-check.sentinel` policy in an environment
    variable named `POLICY`.

    ```plaintext
    $ POLICY=$(base64 cidr-check.sentinel)
    ```

1.  Create API request payload.

    ```plaintext
    $ tee cidr-payload.json <<EOF
    {
      "policy": "${POLICY}",
      "paths": ["secret/*"],
      "enforcement_level": "hard-mandatory"
    }
    EOF
    ```

1.  Create a policy `cidr-check` with enforcement level of **hard-mandatory** to
    reject all requests coming from IP addressed that are not internal.

    ```plaintext
    $ curl --header "X-Vault-Token: ..." \
            --request PUT \
            --data @cidr-payload.json \
            http://127.0.0.1:8200/v1/sys/policies/egp/cidr-check
    ```

1.  Repeat the steps to create a policy named `business-hrs` with enforcement
    level of soft-mandatory.

    ```shell
    # Encode the business-hrs policy
    $ POLICY2=$(base64 business-hrs.sentinel)

    # Create the request payload
    $ tee buz-hrs-payload.json <<EOF
    {
      "policy": "${POLICY2}",
      "paths": ["secret/accounting/*"],
      "enforcement_level": "soft-mandatory"
    }
    EOF

    $ curl --header "X-Vault-Token: ..." \
            --request PUT \
            --data @buz-hrs-payload.json \
            http://127.0.0.1:8200/v1/sys/policies/egp/business-hrs
    ```

1.  You can list the EGPs that were created.

    ```plaintext
    $ curl --header "X-Vault-Token: ..." \
           --request LIST \
           http://127.0.0.1:8200/v1/sys/policies/egp | jq
    ```

#### Web UI

Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and
then login.

1. Select **Policies** and select the **Endpoint Governing Policies** tab.

1. Select **Create EGP policy**.

1. Enter **`business-hrs`** in the **Name** field.

1. Enter the [**`business-hrs.sentinel`** policy](#sentinel-policies-1) in the
   **Policy** editor.

1. Select **soft-mandatory** from the **Enforcement level** drop-down list.

1. Enter **`secret/accounting/*`** in the **Paths** field, and then click
   **Create Policy**.

![EGP](/img/vault-sentinel-1.png)

1. Select **Endpoint Governing Policies** again, and then **Create EGP policy**.

1. Enter **`cidr-check`** in the **Name** field.

1. Enter the [**`cidr-check.sentinel`** policy](#sentinel-policies-1) in the
   **Policy** editor.

1. Leave the **Enforcement level** as hard-mandatory, and enter **`secret/*`**
   in the **Paths** field.

1. Click **Create Policy**.

~> **NOTE:** Unlike ACL policies, EGPs are a _prefix walk_ which allows policies
to be applied at various points at Vault API. If you have EGPs tied to
"**`secret/orders`**", "**`secret/*`**" and "**`*`**", all EGPs will be
evaluated for a request on "**`secret/orders`**".

#### Verification

Once the policies were deployed, `create`, `update` and `delete` operations
coming from an IP address other than `122.22.3.4` will be denied.

```shell-session
$ vault kv put secret/accounting/test acct_no="293472309423"

Error writing data to secret/accounting/test: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/secret/accounting/test
Code: 400. Errors:

* 1 error occurred:

* egp standard policy "cidr-check" evaluation resulted in denial.

The specific error was:
<nil>

A trace of the execution for policy "cidr-check" is available:

Result: false

Description: Check the precondition before execute the cidrcheck

Rule "main" (byte offset 442) = false
  false (offset 314): sockaddr.is_contained

Rule "cidrcheck" (byte offset 291) = false

Rule "precond" (byte offset 113) = true
  true (offset 134): request.operation in ["create", "update", "delete"]
  true (offset 194): strings.has_prefix
```

Similarly, you will get an error if any request is made outside of the business
hours defined by the `business-hrs` policy.

!> **NOTE:** Like with ACL policies, **`root`** tokens are **_NOT_** subject to
Sentinel policy checks.

### Step 4: Delete Sentinel Policies ((#step4))

#### CLI Command

To delete EGPs:

```shell
# Delete the business-hrs EGP
$ vault delete sys/policies/egp/business-hrs

# Delete the cidr-check EGP
$ vault delete sys/policies/egp/cidr-check
```

#### API call using cURL

To delete EGPs:

```shell
# Delete the business-hrs EGP
$ curl --header "X-Vault-Token: ..." \
       --request DELETE \
       http://127.0.0.1:8200/v1/sys/policies/egp/business-hrs

# Delete the cidr-check EGP
$ curl --header "X-Vault-Token: ..." \
      --request DELETE \
      http://127.0.0.1:8200/v1/sys/policies/egp/cidr-check
```

#### Web UI

1. Select **Policies** and select the **Endpoint Governing Policies** tab.

1. Select **Delete** from the policy menu for `business-hrs`.

   ![Delete EGP](/img/vault-sentinel-2.png)

1. When prompted, click **Delete** again to confirm.

1. Repeat the steps to delete `cidr-check` policy.

## Next steps

Refer to the [Sentinel Properties](/docs/enterprise/sentinel/properties)
documentation for the full list of properties available in Vault to write
fine-grained policies to meet your organizational policy requirements.