Introduction
This article walks through developing an example Sentinel EGP policy that enforces a naming standard for role names on authentication and secrets mounts.
Expected Outcome
The EGP policy prevents the creation of arbitrarily named roles on the targeted mount paths, in the root namespace and in child namespaces. When a role name does not follow the standard, Vault rejects the request and the returned error explains why it was denied.
Prerequisites (if applicable)
To perform the steps in this article, you'll need:
- A Vault Enterprise version with Sentinel (EGP) support; the steps below were tested with version 1.15.1+ent.hsm
- A Vault token with sufficient permissions to create EGP policies.
- A Vault token to test with that has sufficient permissions to create roles on the mounts in question.
Scenario
If we want every role name created on authentication and secrets mounts to carry an identifiable prefix, the example below shows how to enforce this with the approle auth method and the Azure secrets engine.
Procedure
- Make a file called restrict-role-name.sentinel and fill it with the Sentinel policy listed below
import "strings"

# Allowed role name prefixes
allowed_prefixes = ["vault.ci-test", "vault.ci-dev", "vault.ci-qa"]

# Extract the role name from the request path: the segment that follows
# "role/" (auth methods such as approle) or "roles/" (secrets engines such
# as azure). Sub-paths below a role, e.g. auth/approle/role/<name>/secret-id,
# therefore still resolve to <name> rather than to "secret-id".
role_name_from_path = func(path) {
  segments = strings.split(path, "/")
  for segments as i, segment {
    if segment in ["role", "roles"] and i + 1 < length(segments) {
      return segments[i + 1]
    }
  }
  return ""
}

# Return true when the role name in the request starts with an allowed prefix
role_name_validation = func() {
  print("Namespace path:", namespace.path)
  print("Request path:", request.path)
  role_name = role_name_from_path(request.path)
  for allowed_prefixes as prefix {
    if strings.has_prefix(role_name, prefix) {
      return true
    }
  }
  # No prefix matched: explain the denial in the trace and reject the request
  print("Role name must start with one of the following prefixes: ", allowed_prefixes)
  return false
}

# Define main rule. Only create and update operations are checked, so reads,
# lists and deletes of existing roles are not affected by this policy.
main = rule when request.operation in ["create", "update"] {
  role_name_validation()
}

Note that the check applies to every write below the role paths, including secret-id generation for an existing approle role. A role that was created before the policy was registered and does not carry one of the allowed prefixes will therefore be blocked from further updates until it is recreated under a compliant name.
- Using the Linux CLI, assign the Base64-encoded contents of restrict-role-name.sentinel to an environment variable named EGP_POLICY:
root@vaults0:/home/vagrant/sentinel# EGP_POLICY=$(base64 -i restrict-role-name.sentinel)
- Register an EGP policy called restrict-role-name, scoped to the role paths of both mounts, with the enforcement level set to hard-mandatory:
root@vaults0:/home/vagrant/sentinel# vault write sys/policies/egp/restrict-role-name \
policy="${EGP_POLICY}" \
paths="auth/approle/role/*, azure/roles/*" \
enforcement_level="hard-mandatory"
# Success! Data written to: sys/policies/egp/restrict-role-name
- Read the policy again to ensure that the Sentinel policy was properly registered.
root@vaults0:/home/vagrant/sentinel# vault read sys/policies/egp/restrict-role-name
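Before (or after) registering the policy in Vault, the same file can be checked offline with the Sentinel CLI, which needs no running Vault server. The test files below are an added example and not part of the original article: they mock the request and namespace imports that Vault normally supplies, and they assume the policy file from the first step sits in the current directory with the tests under test/restrict-role-name/ (the directory Sentinel derives from the policy file name). The paths and operation values are constructed for the test.

```hcl
# test/restrict-role-name/deny-unprefixed.hcl
# An approle role named "appdev" carries none of the allowed prefixes,
# so the main rule must evaluate to false (request denied).
mock "request" {
  data = {
    path      = "auth/approle/role/appdev"
    operation = "create"
  }
}

mock "namespace" {
  data = {
    path = "root"
  }
}

test {
  rules = {
    main = false
  }
}

# test/restrict-role-name/allow-prefixed.hcl
# An azure role named "vault.ci-qa-appqa" starts with "vault.ci-qa",
# so the main rule must evaluate to true (request allowed).
mock "request" {
  data = {
    path      = "azure/roles/vault.ci-qa-appqa"
    operation = "create"
  }
}

mock "namespace" {
  data = {
    path = "root"
  }
}

test {
  rules = {
    main = true
  }
}
```

Run the suite with `sentinel test restrict-role-name.sentinel` from the directory containing the policy; adding `-verbose` shows the print() output for each case, which is the same text Vault returns in the trace when a live request is denied.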
Validation
The policy must be tested with a token that has permission to create roles on the approle and azure mounts. In this example, that token carries a policy called admin_auth_secrets.
- Create a token
root@vaults0:/home/vagrant/sentinel# vault token create -policy=admin_auth_secrets
# Key Value
# --- -----
# token hvs.CAESIAUQQXGrqkVYbNstcTIwHu3srTza-U18qCQhxD90Wr-3GiQKHGh2cy5KVURGVFFoQm1LODBRYXZsT1VGNDQyemUQvZoVGAM
# token_accessor oHHx0MobzRq3H1czO5q87Wwz
# token_duration 768h
# token_renewable true
# token_policies ["admin_auth_secrets" "default"]
# identity_policies []
# policies ["admin_auth_secrets" "default"]
- Log in with the token created above
root@vaults0:/home/vagrant/sentinel# vault login hvs.CAESIAUQQXGrqkVYbNstcTIwHu3srTza-U18qCQhxD90Wr-3GiQKHGh2cy5KVURGVFFoQm1LODBRYXZsT1VGNDQyemUQvZoVGAM
# Success! You are now authenticated. The token information displayed below
# is already stored in the token helper. You do NOT need to run "vault login"
# again. Future Vault requests will automatically use this token.
# Key Value
# --- -----
# token hvs.CAESIAUQQXGrqkVYbNstcTIwHu3srTza-U18qCQhxD90Wr-3GiQKHGh2cy5KVURGVFFoQm1LODBRYXZsT1VGNDQyemUQvZoVGAM
# token_accessor oHHx0MobzRq3H1czO5q87Wwz
# token_duration 767h57m32s
# token_renewable true
# token_policies ["admin_auth_secrets" "default"]
# identity_policies []
# policies ["admin_auth_secrets" "default"]
- Confirm that the approle auth method and the azure secrets engine are enabled
root@vaults0:/home/vagrant/sentinel# vault auth list | grep -i "approle/" && vault secrets list | grep -i "azure/"
# approle/ approle auth_approle_2bd11b33 n/a n/a
# azure/ azure azure_96936d4d n/a -
If the role name does not start with one of the allowed prefixes ("vault.ci-test", "vault.ci-dev" or "vault.ci-qa"), the request is denied and the message printed by the Sentinel policy appears in the error trace.
# Creating a role named appdev in the approle auth method; the request is denied
root@vaults0:/home/vagrant/sentinel# vault write auth/approle/role/appdev token_policies="dev"
# Error writing data to auth/approle/role/appdev: Error making API request.
# URL: PUT http://localhost:8200/v1/auth/approle/role/appdev
# Code: 403. Errors:
# * 2 errors occurred:
# * egp standard policy "root/restrict-role-name.sentinel" evaluation resulted in denial.
# The specific error was:
# <nil>
# A trace of the execution for policy "root/restrict-role-name.sentinel" is available:
# Result: false
# Description: <none>
# print() output:
# Namespace path: root
# Request path: auth/approle/role/appdev
# Role name must start with one of the following prefixes: ["vault.ci-test" "vault.ci-dev" "vault.ci-qa"]
# Rule "main" (root/restrict-role-name.sentinel:33:1) = false
# * permission denied
# Creating a role named appqa in the azure secrets engine; the request is denied
root@vaults0:/home/vagrant/sentinel# vault write azure/roles/appqa ttl=1h azure_roles=@role.json
# Error writing data to azure/roles/appqa: Error making API request.
# URL: PUT http://localhost:8200/v1/azure/roles/appqa
# Code: 403. Errors:
# * 2 errors occurred:
# * egp standard policy "root/restrict-role-name.sentinel" evaluation resulted in denial.
# The specific error was:
# <nil>
# A trace of the execution for policy "root/restrict-role-name.sentinel" is available:
# Result: false
# Description: <none>
# print() output:
# Namespace path: root
# Request path: azure/roles/appqa
# Role name must start with one of the following prefixes: ["vault.ci-test" "vault.ci-dev" "vault.ci-qa"]
# Rule "main" (root/restrict-role-name.sentinel:33:1) = false
# * permission denied
- Create roles with valid names
# Create a role name with allowed prefix for Auth method approle
root@vaults0:/home/vagrant/sentinel# vault write auth/approle/role/vault.ci-dev-appdev token_policies="dev"
# Success! Data written to: auth/approle/role/vault.ci-dev-appdev
# Create a role name with allowed prefix for Secret Engine azure
root@vaults0:/home/vagrant/sentinel# vault write azure/roles/vault.ci-qa-appqa ttl=1h azure_roles=@role.json
# Success! Data written to: azure/roles/vault.ci-qa-appqa