@lucymhdavies
Created August 7, 2022 13:35
HashiCorp Vault Sentinel policy to limit Userpass auth to my home network
```
$ vault read sys/policies/egp/restrict-userpass-cidr
Key                  Value
---                  -----
enforcement_level    hard-mandatory
name                 restrict-userpass-cidr
paths                [auth/userpass/*]
policy               ...
```
```hcl
# Resolve the home network's public address from a dynamic DNS record.
# Requires the hashicorp/dns provider. Resolution happens at plan/apply
# time, so the policy pins whatever the record held at the last apply;
# re-apply when the dynamic address changes.
data "dns_a_record_set" "ddns" {
  host = "my-dynamic-dns-record-here"
}

# Endpoint Governing Policy (EGP) attached to every path under auth/userpass/.
# hard-mandatory: a failing policy blocks the request and cannot be overridden.
resource "vault_egp_policy" "restrict-userpass-cidr" {
  name              = "restrict-userpass-cidr"
  paths             = ["auth/userpass/*"]
  enforcement_level = "hard-mandatory"
  policy            = <<EOT
import "sockaddr"
import "strings"

// Pass only when the client address lies inside the first resolved A record (/32).
// Terraform interpolates the address into the heredoc before Vault ever sees it.
cidrcheck = rule {
  sockaddr.is_contained("${data.dns_a_record_set.ddns.addrs[0]}/32", request.connection.remote_addr) or
  error("Cannot use this auth method from", request.connection.remote_addr)
}

// Enforce the check only on login requests; other userpass paths
// (user management, for instance) are governed by normal ACLs alone.
main = rule when strings.has_prefix(request.path, "auth/userpass/login") {
  cidrcheck
}
EOT
}
```
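The following is an added, offline simulation of the two decisions the policy above makes (guard only the login path; allow only a pinned /32). It is not Vault's Sentinel evaluator and not part of the gist; the request paths, addresses and the `HOME_ADDRS` value are constructed. It goes slightly beyond the gist by accepting every resolved A record rather than only `addrs[0]`, and it shows how an IPv6 client fares against an IPv4 /32.

```python
"""Offline simulation of the restrict-userpass-cidr EGP.

Constructed example (not Vault's Sentinel engine): mirrors the policy's
`when` guard on the login path and the /32 containment check so the
expected allow/deny outcomes can be reasoned about before applying it.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Request(NamedTuple):
    path: str          # Sentinel's request.path (no leading slash)
    remote_addr: str   # Sentinel's request.connection.remote_addr


def cidrcheck(allowed_cidrs: List[str], remote_addr: str) -> bool:
    """Stands in for sockaddr.is_contained(cidr, remote_addr).

    Extended to several CIDRs: a dynamic DNS name may resolve to more than
    one A record, while the gist only pins addrs[0].
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: deny, matching the error() branch
    # ip_network.__contains__ is False across IP versions, so an IPv6
    # client never matches an IPv4 /32 (and vice versa).
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def evaluate(policy_cidrs: List[str], req: Request) -> Tuple[bool, str]:
    """Mirror `main = rule when strings.has_prefix(request.path, ...)`.

    When the `when` predicate is false the rule does not apply and the
    request passes this policy (other ACLs still apply in Vault).
    """
    if not req.path.startswith("auth/userpass/login"):
        return True, "rule not applicable to this path"
    if cidrcheck(policy_cidrs, req.remote_addr):
        return True, "remote_addr inside allowed CIDR"
    return False, f"Cannot use this auth method from {req.remote_addr}"


# Constructed: what data.dns_a_record_set.ddns.addrs held at the last apply.
HOME_ADDRS = ["203.0.113.10"]
POLICY_CIDRS = [f"{a}/32" for a in HOME_ADDRS]

# Constructed sample requests covering the paths the EGP is attached to.
SAMPLE_REQUESTS = [
    Request("auth/userpass/login/lucy", "203.0.113.10"),  # from home: allowed
    Request("auth/userpass/login/lucy", "198.51.100.7"),  # elsewhere: denied
    Request("auth/userpass/users/lucy", "198.51.100.7"),  # not a login: not guarded
    Request("auth/userpass/login/lucy", "2001:db8::1"),   # IPv6 vs IPv4 /32: denied
]


def run(policy_cidrs: List[str] = POLICY_CIDRS,
        requests: List[Request] = SAMPLE_REQUESTS) -> List[bool]:
    """Return the pass/fail verdict for each sample request, in order."""
    return [evaluate(policy_cidrs, r)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, why = evaluate(POLICY_CIDRS, r)
        print(f"{'ALLOW' if ok else 'DENY':5} {r.path:28} {r.remote_addr:15} {why}")
```

Two points the simulation makes visible: the `when` guard means user-management calls under `auth/userpass/*` are never touched by this EGP, so they rely on ordinary ACL policies; and `remote_addr` is the TCP peer address Vault sees, so behind a reverse proxy or load balancer it is the proxy's address unless the listener's `x_forwarded_for_authorized_addrs` settings are configured, in which case the pinned /32 would match nobody.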