Introduction
Sentinel policies in HCP Vault are now available for PLUS tier clusters at no additional cost. All non-root tokens are subject to Sentinel checks, which means that a Sentinel policy enforced on the path used for token generation can also block admin token generation.
This article provides instructions on how to regain access to the HCPV cluster in the event the impacting Sentinel policy cannot be removed manually.
Prerequisites
- HCP Vault Plus SKU
- An active EGP (Endpoint Governing Policy), or RGP (Role Governing Policy)
Use Case
A misconfigured Sentinel policy can prevent users from authenticating to HCPV, and in certain scenarios can also prevent admin tokens from being generated. If you are unable to log in to HCPV and remove the impacting policy, please follow the procedure below to have Support remove the policy on your behalf.
Error Message
Authentication failed: 2 errors occurred: * egp standard policy "" evaluation resulted in denial. The specific error was: ""::: rule evaluated to a value of invalid type func * permission denied
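As an added illustration (not part of the original article), the following constructed EGP shows one way a policy can produce the "rule evaluated to a value of invalid type func" error above. The policy is assumed to be attached to the `auth/token/create` path and to require that every token creation request carries an explicit `ttl`; the helper name `has_ttl` and the requirement itself are illustrative. The defect is that the rule references the function value instead of calling it, so the rule body has type func rather than bool. Because Vault treats a policy evaluation error as a denial, every request on that path is denied, including the ones used to mint new admin tokens, which is the lockout this article describes.

```sentinel
# Constructed example, not from the article: an EGP scoped to auth/token/create
# that requires an explicit ttl on every token creation request.

import "request"

# Returns true when the request body carries a "ttl" key.
# request.data is the map of request parameters supplied by Vault.
has_ttl = func() {
    return "ttl" in keys(request.data)
}

# BROKEN: the rule body references the function value rather than calling it,
# so the rule evaluates to a value of type func, not bool. Vault reports
# 'rule evaluated to a value of invalid type func' and denies the request.
#
#   main = rule { has_ttl }

# FIXED: call the function so the rule evaluates to a boolean.
main = rule { has_ttl() }
```

When rolling out a new EGP or RGP, registering it with `enforcement_level="advisory"` (or `soft-mandatory`) first lets you observe evaluation errors and denials in the audit log without blocking requests; switch to `hard-mandatory` only once the policy has been seen to evaluate correctly on the target path.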
Procedure
- Open a Support ticket with the HashiCorp Cloud Platform Team.
- Include the following details in the ticket:
  - HCP Organization ID
  - HCPV cluster ID and/or Name
  - Name of the policy
  - Namespace where the policy is located
  - Type of policy - EGP (Endpoint Governing Policy), or RGP (Role Governing Policy)
Additional Information
Sentinel has a built-in test framework for validating that a policy behaves as expected. This allows you to test Sentinel policies before deployment, both to validate syntax and to document expected behavior. More information can be found here and here.
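As an added example of that test framework (constructed for this article, not taken from it or from HashiCorp's documentation), the two test files below exercise a policy saved as `require-ttl.sentinel` that requires a `ttl` on `auth/token/create` requests. The Sentinel CLI looks for tests in `test/<policy-name>/*.hcl` next to the policy file; each file mocks the `request` import with constructed request data and states the expected value of the `main` rule. The policy name and the sample values are assumptions.

```hcl
# test/require-ttl/pass.hcl  (constructed test data)
# A token creation request that carries a ttl must be allowed.
mock "request" {
  data = {
    path      = "auth/token/create"
    operation = "update"
    data = {
      ttl      = "1h"
      policies = ["default"]
    }
  }
}

test {
  rules = {
    main = true
  }
}

# test/require-ttl/fail.hcl  (constructed test data)
# A token creation request without a ttl must be denied.
mock "request" {
  data = {
    path      = "auth/token/create"
    operation = "update"
    data = {
      policies = ["default"]
    }
  }
}

test {
  rules = {
    main = false
  }
}
```

Run `sentinel test` from the directory containing `require-ttl.sentinel`. With the defective rule body (`main = rule { has_ttl }`, where `has_ttl` is a func value rather than a call), both cases fail with the same "invalid type func" error shown in the Error Message section, so the mistake is caught in CI instead of locking operators out of the cluster.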
For additional questions or support, please open a Support ticket.