https://github.com/robertpeteuil/vault-sentinel-policies
Example Sentinel Policies for HashiCorp Vault
- Host: GitHub
- URL: https://github.com/robertpeteuil/vault-sentinel-policies
- Owner: robertpeteuil
- License: mit
- Created: 2019-08-30T20:51:57.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2021-07-04T15:29:56.000Z (almost 4 years ago)
- Last Synced: 2025-02-07T13:56:09.813Z (4 months ago)
- Topics: hashicorp-sentinel, hashicorp-vault
- Homepage:
- Size: 12.7 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Vault Sentinel Policies
More Vault Sentinel examples are in the [Vault Guides](https://github.com/hashicorp/vault-guides/tree/master/governance/sentinel) repo.
Example Endpoint Governing Policies (EGPs):
1. `validate_zip_codes` validates that any key named "zipcode", "zip_code", or "zip-code" contains a valid 5-digit U.S. zip code. EGP Policy, paths = secret/*
2. `validate_state_codes` validates that any key named "state" contains a valid U.S. state code. EGP Policy, paths = secret/*
3. `validate_root_aws_keys` validates that any path having both an access_key and a secret_key key contains valid AWS keys. EGP Policy, paths = *
   a. This ensures that the root keys for an instance of the AWS secrets engine in path /config/root are valid.
   b. Since the AWS secrets engine may be mounted at multiple paths, the path is set to "*".
4. `business_hours` is an EGP on one namespace that only allows writing secrets between 8am and 8pm EDT, Monday to Friday. EGP Policy, paths = secret/*