Enforce access control with Sentinel policies
Enterprise Only
Sentinel requires Vault Enterprise license or an HCP Vault Plus tier cluster.
Challenge
ACL policies are path-based and present the following challenges:
- Cannot grant permissions based on logic other than paths
- Paths are merged in ACL policies which could potentially cause a conflict as the number of policies grows
What if the policy requirement was to grant read permission on secret/orders
path only if the request came from an IP address within a certain CIDR?
Solution
Use Sentinel Role Governing Policies (RGPs) and Endpoint Governing Policies (EGPs) to fulfill more complex policy requirements.
Sentinel can access properties of the incoming requests and make a decision based on a certain set of conditions. Available properties include:
- request - Information about the request itself (path, operation type, parameters, etc.)
- token - Information about the token being used (creation time, attached policies, etc.)
- identity - Identity entities and all related data
- mfa - Information about successful MFA validations
Sentinel is a language framework for policies built to be embedded in Vault Enterprise to enable fine-grained, logic-based policy decisions which cannot be fully handled by the ACL policies.
EGPs and RGPs can be defined using Sentinel:
- EGPs are tied to particular paths (e.g.
aws/creds/
) - RGPs are tied to particular tokens, identity entities, or identity groups
Note
This tutorial walks you through the authoring of Endpoint Governing Policies (EGPs) and Role Governing Policies (RGPs). For ACL policy authoring, refer to the Policies tutorial.
Personas
Sentinel policies provide a declarative way to grant or forbid access to certain paths and operations in Vault. Therefore, the steps described in this tutorial are performed by Vault admins or security operations.
Prerequisites
To perform the tasks described in this tutorial, you need to have:
- Vault Enterprise binary and license key or HCP Vault Dedicated Plus tier cluster available.
- jq binary installed in your system PATH.
- Git binary installed in your system PATH.
Policy requirements
Since this tutorial demonstrates the creation of policies, log in with highly
privileged token such as root
.
The specific required policy capabilities are as follows.
Lab setup
Note
If you do not have access to an HCP Vault Dedicated cluster, visit the Create a Vault Cluster on HCP tutorial.
Launch the HCP Portal and login.
Click Vault in the left navigation pane.
In the Vault clusters pane, click vault-cluster.
Under Cluster URLs, click Public Cluster URL.
In a terminal, set the
VAULT_ADDR
environment variable to the copied address.Return to the Overview page and click Generate token.
Within a few moments, a new token will be generated.
Copy the Admin Token.
Return to the terminal and set the
VAULT_TOKEN
environment variable.Set the
VAULT_NAMESPACE
environment variable toadmin
.Type
vault status
to verify your connectivity to the Vault cluster.Enable the KV secrets engine setting the path to
secret
.
The Vault Dedicated server is ready.
Write Sentinel policies
Anatomy of a Sentinel policy
import
- Enables your policy to access reusable libraries. There are a set of built-in imports available to help define your policy rules.main
(required) - Every Sentinel policy must have amain
rule which is evaluated to determine the result of a policy.rule
- A first-class construct in Sentinel. It describes a set of conditions resulting in either true or false. Refer to the Boolean Expressions for the full list of available operators in writing rules.<variable>
- Variables are dynamically typed in Sentinel. You can define its value explicitly or implicitly by the host system or function.
Note
The Sentinel language supports many features such as functions, loops, slices, etc. You can learn about all of this in the Sentinel Language documentation.
Endpoint governing policies (EGPs)
Write endpoint governing policies (EGPs) that fulfill the following requirements:
Any incoming request against the "
kv-v2/*
" to be performed during the business hours (7:00 am to 6:00 pm during the work days).business-hrs.sentinelAny
create
,update
anddelete
operations against Key/Value secret engine (mounted at "secret
") must come from an internal IP of122.22.3.4/32
CIDR.The
main
has conditional rule (when precond
) to ensure that the rule gets evaluated only if the request is relevant.cidr-check.sentinel
Note
Refer to the Sentinel Properties documentation for available properties which Vault injects to Sentinel to allow fine-grained controls.
Simulate Sentinel policies
You can test the Sentinel policies prior to deployment in order to validate syntax and to document expected behavior.
Download the Sentinel simulator for your platform.
Example for MacOS:
Unzip the downloaded file.
Write the test cases
Note
You can follow the instructions to write the test files, or
clone the
learn-vault-sentinel
repository which includes the test files.
Change the working directory to where the policy is located.
Create a sub-folder named
test
wherecidr-check.sentinel
andbusiness-hrs.sentinel
policies are located.Under the
test
folder, create a sub-folder forcidr-check
.Create a sub-folder for
business-hrs
under thetest
directory.Note
The test should be created under
/test/<policy_name>
folder.Write a passing test case in a file named
success.json
undertest/business-hrs
directory.test/business-hrs/success.jsonUnder
mock
, you specify the mock test data. In this example, theweekday
is set to1
which isMonday
andhour
is set to12
which isnoon
. Therefore themain
should returntrue
.Write a failing test in a file named
fail.json
undertest/business-hrs
.test/business-hrs/fail.jsonThe mock data is set to
Sunday
atnoon
; therefore Therefore, themain
should returnfalse
.Similarly, write a passing test case for
cidr-check
policy,test/cidr-check/success.json
.test/cidr-check/success.jsonIn this example, the
global
specifies thecreate
operation is invoked onsecret/orders
endpoint which initiated from an IP address122.22.3.4
. Therefore themain
should returntrue
.Write a failing test for
cidr-check
policy,test/cidr-check/fail.json
.test/cidr-check/fail.jsonThis test will fail because of the IP address mismatch. However, the
precond
should pass since the requested operation iscreate
and the targeted endpoint issecret/orders
.The optional
test
definition adds more context to why the test should fail. The expected behavior is that the test fails becausemain
returnsfalse
butprecond
should returntrue
.Now, you have written both success and failure tests.
Execute the test.
Successful output:
Note
If you want to see the tracing and log output for those tests, run the command with
-verbose
flag.
Deploy EGP policies
Sentinel policies have three enforcement levels:
Level | Description |
---|---|
advisory | The policy is allowed to fail. Can be used as a tool to educate new users. |
soft-mandatory | The policy must pass unless an override is specified. |
hard-mandatory | The policy must pass. |
Since both policies are tied to specific paths, the policy type that you are going to create is Endpoint Governing Policies (EGPs).
Store the Base64 encoded
cidr-check.sentinel
policy in an environment variable namedPOLICY
.Create a policy
cidr-check
with enforcement level of hard-mandatory to reject all requests coming from IP addressed that are not internal.You can read the policy by executing the following command:
Successful output:
Repeat the steps to create a policy named
business-hrs
. First, encode thebusiness-hrs
policy.Create a policy with soft-mandatory enforcement-level.
To read the policy you just created, execute the following command.
Successful output:
Verification
Note
As with ACL policies, root
tokens are NOT subject to Sentinel policy
checks. Therefore, use a non-root token for verification test. For HCP Vault Dedicated,
the admin
token is subjet to Sentinel policy checks.
Create a
tester
policy which allows to operates on thesecret/*
path.Create a token with the tester policy attached, and store the token in a
TEST_TOKEN
environment variable.Example output:
Test the
cidr-check
EGP by sending request from an IP address other than122.22.3.4
will be denied.Expected failure output:
Similarly, you will get an error if any request is made outside of the business
hours defined by the business-hrs
policy. However, the enforcement level set
on the business-hrs
policy is soft-mandatory, so it can be overridden.
Enable KV v2 secrets engine at
kv-v2
.Send some test data.
If the current time is outside of the business hours checked by the
business-hrs
policy, the request fails.Example output:
Run the command again using the policy override flag (
-policy-override
).Because the policy enforcement level is set to soft-mandatory, the request completes successfully.
Tip
If you are connecting with Vault through API, set
X-Vault-Policy-Override: true
in the request header.
Role governing policies (RGPs)
RGPs are tied to client tokens or identities which is similar to ACL policies. Vault server evaluates the RGP attached to the token to determine whether to accept or reject the request.
Scenario introduction
To demonstrate the use of RGP, you are going to create the following:
- Create ACL policies:
secrets
andadmin
, andsysops
- Enable a userpass auth method at
userpass-test/
and create a userjames
andbob
- Create an entity named
James Thomas
- Create an entity named
Bob Smith
- Create a RGP policy named
test-rgp
- Create a group named
sysops
withJames Thomas
andBob Smith
entities as its members - Attach
sysops
andtest-rgp
policies to the group
The sysops
group has the sysops
policy attached which grants permission to
manage all policies. All group members inherit the group-level policies. (If
you are not familiar with Vault Identities, refer to the Identity: Entities and
Groups tutorial.)
Use the role governing policy to restrict access to the admin
policy such that
James or a user with the Team Lead
role can manage the admin
policy. Other group
members can manage all other policies but not the admin
policy.
Create the demo resources
Prerequisite
You are going to run a script which uses jq
to parse JSON
outputs. Install jq if you don't have it.
Clone the
learn-vault-sentinel
repository.Change the working directory to
learn-vault-sentinel
.Make sure that the
identity-setup.sh
file is executable.1 2 3 4 5 6 7 8 9 101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960
Notice that the
test-rgp
RGP policy is attached to thesysops
group (line 58).Run the
identity-setup.sh
script.
Review the created identities and policies
Examine the
test-rgp
policy.Output:
The
precond
checks the incoming request endpoint. If the request is targeted tosys/policies/acl/admin
, Vault checks to see if the request was made by an entity named, James Thomas or has Team Lead role defined as its metadata. Refer to the Entity Properties documentation for the list of available properties.Review the James Thomas entity details. The entity ID is stored in the
entity_id_james.txt
file by the script.Example output:
James Thomas entity has Team Lead role defined in its metadata.
Review the Bob Smith entity details. The entity ID is stored in
entity_id_bob.txt
.Example output:
Bob's functional role is Kubernetes expert.
Verification
Login as
james
and store the generated token injames_token.txt
Read the
admin
policy.The command successfully returns the policy.
Login as
bob
and store the generated token inbob_token.txt
Try to read the
admin
policy.Output:
Neither the Bob's entity metadata or the name matched that the main rule returned false. Therefore, the request was denied.
Read the token details.
The token details shows
admin
,sysops
andtest-rgp
policies listed asidentity_policies
. Although thesysops
policy permits access to thesys/*
path, thetest-rgp
does not permit to read theadmin
policy unless the entity's name is "James Thomas" or has "Team Lead" defined in the entity metadata.To verify, read the
sysops
policy with Bob's token.Bob can access other policies.
Challenge question
What can you do to allow Bob Smith to access the admin
policy?
One of the solutions is to change Bob's entity metadata to contain Team Lead
.
Another possible solution is to update the test-rgp
policy to check for Bob
Smith
entity name.
Now, Bob should be able to read the admin
policy.
Clean up
If you wish to clean up your environment after completing the tutorial, follow the steps in this section.
Delete the
business-hrs
policy.Delete the
cidr-check
policy.Delete the Sentinel test directory.
Unset the
VAULT_TOKEN
environment variable.Unset the
VAULT_ADDR
environment variable.If you completed the Role Governing Policies (RGPs) section, run the
clean-up.sh
script provided by thelearn-vault-sentinel
repository.If you are running Vault locally in
-dev
mode, you can stop the Vault dev server by pressing Ctrl+C where the server is running. Or, execute the following command.
Summary
You learned the basics of endpoint governing policies (EGPs) and role governing policies (RGPs). To learn more about Sentinel policies in Vault, continue onto the following tutorials:
Help and reference
- Sentinel documentation
- Vault Sentinel documentation
- Security and Fundamentals at Scale with Vault
- Identity - Entities and Groups tutorial
- Sentinel Properties