Sentinel policies in HCP Vault are now available for PLUS tier clusters at no additional cost. All non-root tokens are subjected to Sentinel checks, which means customers can break admin token generation if the Sentinel policy is enforced on the path used for token generation.
This article provides instructions on how to regain access to the HCP Vault (HCPV) cluster in the event the impacting Sentinel policy cannot be removed manually.
A misconfigured Sentinel policy can prevent users from authenticating to HCPV, as well as from generating admin tokens in certain scenarios. If you are unable to log in to HCPV and remove the impacting policy, please follow the procedure below to have Support remove the policy on your behalf.
Authentication failed: 2 errors occurred: * egp standard policy "" evaluation resulted in denial. The specific error was: ""::: rule evaluated to a value of invalid type func * permission denied
Open a Support ticket with the HashiCorp Cloud Platform Team.
Include the following details in the ticket:
Sentinel has a built-in test framework to validate that a policy behaves as expected. This allows you to test Sentinel policies prior to deployment, both to validate syntax and to document expected behavior. More information can be found here and here.
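The following is an added example, not part of the original article or HashiCorp's own code: a policy with the kind of mistake the error above reports (a rule that yields a function instead of a boolean), its corrected form, and a test case that checks a token request still passes before the policy is deployed. The policy name, helper names, path prefixes and request values are all constructed assumptions.

```sentinel
# restrict-writes.sentinel (constructed example; all names are hypothetical)
import "strings"

# Writes to the KV mount are only allowed under one team's prefix.
allowed_path = func() {
	return strings.has_prefix(request.path, "secret/data/team-a/")
}

# Scope the check to writes on the KV mount. Without this precondition,
# a policy enforced on a broad path would also deny token creation.
in_scope = rule {
	strings.has_prefix(request.path, "secret/") and
		request.operation in ["create", "update"]
}

# BROKEN: a bare function name is a func value, not a boolean, which is
# the kind of result reported as "value of invalid type func":
#   main = rule when in_scope { allowed_path }

# FIXED: call the function so main evaluates to a boolean.
main = rule when in_scope { allowed_path() }

/* test/restrict-writes/token-create.hcl (constructed test case):
   a token request must still pass when the policy is enforced.

global "request" {
  value = {
    path      = "auth/token/create"
    operation = "update"
  }
}

test {
  rules = {
    main = true
  }
}

Run `sentinel test` from the directory that holds the policy file. */
```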
For additional questions or support, please open a Support ticket.