Elegant Cert Governance with Vault Identity and Sentinel Policy

What's this blog post about?

This blog post discusses how using policy as code to enforce governance over certificate creation inside HashiCorp Vault can reduce total cost of ownership and lower risk. It introduces Sentinel, HashiCorp's policy-as-code framework, which provides targeted, shift-left policy enforcement across workflows in HashiCorp's Enterprise products. The author presents a hypothetical scenario in which Acme Corp wants to let its applications running in Microsoft Azure obtain short-lived certificates from HashiCorp Vault Enterprise. The post then states the problem and the solution: rather than maintaining a separate PKI role and ACL policy per application, Acme uses Vault's identity system together with Sentinel to govern access to a single certificate-issuing endpoint, with the decision driven by attributes of the calling entity. It walks through the workflow, covering Vault's PKI secrets engine, the Azure auth method, Vault identity (entities, aliases and metadata), and the Sentinel policies that tie them together. It concludes by emphasizing Sentinel's role in enforcing corporate governance across HashiCorp's Enterprise products, and how pairing Sentinel with Vault's entity model enables more granular authorization while simplifying secrets management.
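To make the described design concrete, the following is an added illustration and is not code from the post or from HashiCorp: a Sentinel Endpoint Governing Policy (EGP) attached to one PKI issue endpoint, which decides per request using metadata on the caller's Vault entity. The role name `azure-app`, the entity metadata key `app_domain`, and the requirement that the certificate's common name sit under that domain are all assumptions chosen for the example.

```sentinel
# Added example, not from the original post. Assumes:
#   - a single PKI role "azure-app" shared by all Azure-hosted applications
#   - each Vault entity carries metadata key "app_domain" (e.g. "payments.acme.internal"),
#     set when the entity/alias for the Azure identity was created
#   - the policy is registered as an EGP on the path pki/issue/azure-app
import "strings"

# The EGP is scoped to one endpoint, but restate the path so the rule
# fails closed if someone widens the registered paths later.
path_ok = rule {
    request.path is "pki/issue/azure-app"
}

# Pull the domain Vault attached to the caller's entity.
# Indexing a missing key yields undefined; "else" turns that into "".
app_domain = identity.entity.metadata["app_domain"] else ""

# The requested common name must be a host under the entity's own domain.
cn_ok = rule {
    app_domain is not "" and
    strings.has_suffix(request.data.common_name, "." + app_domain)
}

# Every SAN, if any were requested, must also stay under that domain.
sans_ok = rule {
    all (strings.split(request.data.alt_names else "", ",")) as name {
        name is "" or strings.has_suffix(name, "." + app_domain)
    }
}

# Refuse IP SANs outright: the governance model keys on DNS names only.
no_ip_sans = rule {
    "ip_sans" not in keys(request.data)
}

# Only issue operations (create/update) are governed; reads are unaffected.
op_ok = rule {
    request.operation in ["create", "update"]
}

main = rule {
    path_ok and op_ok and cn_ok and sans_ok and no_ip_sans
}
```

Such a policy would be registered with `vault write sys/policies/egp/azure-cert-cn policy=@azure-cert-cn.sentinel paths="pki/issue/azure-app" enforcement_level="hard-mandatory"`. The point of the design is that the ACL policy on the Azure auth role only grants `update` on the one issue path; everything application-specific lives in entity metadata, so onboarding a new application means creating an entity with the right `app_domain` rather than another PKI role and ACL policy. Note that `hard-mandatory` cannot be overridden, which is what a certificate-governance control should want, and that the policy fails closed whenever the entity metadata is missing.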

Company
HashiCorp

Date published
March 22, 2022

Author(s)
Chris Smith

Word count
2031

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.