Authoring Sentinel policy for Vault Enterprise

Is there a way to get the version of Sentinel included in Vault Enterprise? I need to author some Sentinel policies and need to match the capabilities of our production Vault clusters.

Any advice on simplifying the process of generating mock data for testing policies targeted at Vault? It would be ideal if I could simply capture that data from a Vault CLI command and save it for re-use in policy testing.

Should I just skip using the Sentinel CLI to validate Vault Enterprise policy and focus on using Vault directly instead?

Thanks,
Blake

Hi @trodemaster,

You can determine the version of the Sentinel runtime in any policy (across all HashiCorp Enterprise products) with the standard Sentinel import, runtime. Here is what the code would look like:

import "runtime"

print("Sentinel runtime version:", runtime.version)

Note that in Vault Enterprise, you will only see the output of the print function if the policy fails. So, you could create a policy like the above with a main rule that always returns false and apply it to some specific path that is not otherwise used.

main = rule {
   false
}

I hope that helps,
Roger Berlind
Global Technology Specialist


Any advice on simplifying the process of generating mock data for testing policies targeted at Vault? It would be ideal if I could simply capture that data from a Vault CLI command and save it for re-use in policy testing.

@trodemaster I am personally not close enough to this workflow to provide any valuable input. Let me take a look at what’s possible, and then I will come back to you.

I know that the Vault CLI provides the ability to return data in multiple formats (i.e. table, JSON etc.) so it may be as simple as merging the CLI data into a mock template. I can’t say for sure without looking at it.

I’ll get back to you.