Examples
SEV on Azure
This section assumes you have completed deploying the Anjuna Policy Manager (APM) following the Prerequisites: Deploy quickstart instructions.
It also assumes you have completed the Quickstart guide for the Anjuna Confidential Container and have the necessary cloud resources to upload a disk and run an instance.
Configuring the CLI
First, set local environment variables so that you can reach the APM.
$ export ANJUNA_ADDR="https://<anjuna policy manager server hostname or IP address>:8200"
$ export ANJUNA_TOKEN="<anjuna policy manager token>"
$ export ANJUNA_CACERT="<path to ca cert file, PEM-encoded>"
$ export APM_GROUP_NAME="<resource group name of APM>"
In the apm-secure-deployments scripts, these variables are automatically exported by client_env.sh.
The manual steps above are only necessary if you deploy the APM in a different way.
Building an Anjuna Confidential Container to fetch secrets from the APM
Create the file config.yaml, which will store the enclave configuration:
version: 1.7
apmConfig:
  url: https://apm.anjuna.com:8200 # Replace with your APM server's IP address
  caCert: |
    -----BEGIN CERTIFICATE-----
    ... APM's certificate content ...
    -----END CERTIFICATE-----
  envs:
  - apmPath: credentials/example_api_key_path
    engine: anjuna
    name: EXAMPLE_API_KEY
command: ["printenv"]
Now you can build and upload a disk image for the Anjuna Confidential Container. This is a basic container that prints its environment variables and exits.
$ anjuna-azure-cli disk create \
    --docker-uri=debian:buster-slim \
    --disk-size 1G \
    --config=config.yaml \
    --save-measurements measurements.json
$ anjuna-azure-cli disk upload \
    --disk disk.vhd \
    --image-name apm-quickstart-client-disk.vhd \
    --storage-account ${STORAGE_ACCOUNT_NAME} \
    --storage-container mystoragecontainer \
    --resource-group myResourceGroup \
    --image-gallery myGallery \
    --image-definition myFirstDefinition \
    --image-version 0.1.1 \
    --location eastus \
    --subscription-id ${MY_AZURE_SUBSCRIPTION}
The output will include the Enclave ID and Signer ID measurements, which are 64-digit hexadecimal strings. You will use these measurements to set policies later.
Adding a secret
Then, you can create a secret using the APM CLI:
$ anjuna-policy-manager secret create \
    credentials/example_api_key_path \
    --value "my-secret-api-key-136d4813"
See Creating secrets for instructions on providing secret content via a file, or having the APM generate a random secret.
Configuring an access policy
Using the measurements you got in the disk create output, you can authorize the Anjuna Confidential Container to have access to the secret you just created.
$ export SIGNER_ID="$(jq -r .SignerID measurements.json)"
$ export ENCLAVE_ID="$(jq -r .EnclaveID measurements.json)"
$ anjuna-policy-manager authorize enclave \
    --signer "${SIGNER_ID#0x}" \
    --enclave "${ENCLAVE_ID#0x}" \
    credentials/example_api_key_path
See Defining access policies for more details on restricting access to secrets.
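A check you can run before the authorize command above, as an added example (not part of the Anjuna documentation or tooling): it confirms that SIGNER_ID and ENCLAVE_ID are 64-digit hexadecimal strings, because jq -r prints the literal string null and still exits 0 when a key is missing from measurements.json. The function names normalize_measurement and check_measurements are hypothetical.

```shell
#!/bin/sh
# Added example, not Anjuna code. Function names are hypothetical.

# Strip an optional 0x prefix and print the value, or fail unless what
# remains is exactly 64 hexadecimal digits (the format the page describes
# for the Enclave ID and Signer ID measurements).
normalize_measurement() {
    value="${1#0x}"
    case "$value" in
        ''|*[!0-9a-fA-F]*) return 1 ;;   # empty, "null", or stray characters
    esac
    [ "${#value}" -eq 64 ] || return 1   # truncated or over-long value
    printf '%s\n' "$value"
}

# Validate both measurements and print the --signer/--enclave arguments.
# Fails closed: if either value is malformed, nothing is printed on stdout
# and the caller should not run the authorize command.
check_measurements() {
    signer="$(normalize_measurement "$1")" || {
        echo "error: SignerID is not a 64-digit hex string: '$1'" >&2
        return 1
    }
    enclave="$(normalize_measurement "$2")" || {
        echo "error: EnclaveID is not a 64-digit hex string: '$2'" >&2
        return 1
    }
    printf '%s %s %s %s\n' --signer "$signer" --enclave "$enclave"
}

# Usage with the variables exported above:
#   check_measurements "$SIGNER_ID" "$ENCLAVE_ID" >/dev/null || exit 1
```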
Running the Anjuna Confidential Container
Now you can configure an access rule to allow your enclave to reach the APM and run the instance with the following:
$ export CLIENT_PUBLIC_IP="$(az network public-ip show -n myPublicIP -g myResourceGroup | jq -r .ipAddress)"
$ az network nsg rule create \
    --resource-group ${APM_GROUP_NAME} \
    --nsg-name apm-nsg-${APM_GROUP_NAME#"apm-"} \
    --name allow-client \
    --protocol Tcp \
    --direction Inbound \
    --priority 1001 \
    --source-address-prefix ${CLIENT_PUBLIC_IP} \
    --source-port-range '*' \
    --destination-address-prefix '*' \
    --destination-port-range 8200 \
    --access Allow
$ anjuna-azure-cli instance create \
    --name anjuna-azure-apm-quickstart-client-instance \
    --location eastus \
    --image-gallery myGallery \
    --image-definition myFirstDefinition \
    --image-version 0.1.1 \
    --resource-group myResourceGroup \
    --storage-account ${STORAGE_ACCOUNT_NAME} \
    --nics myNic
Once the instance is running, you can view its logs using the Anjuna CLI:
$ anjuna-azure-cli instance log --tail \
    --name anjuna-azure-apm-quickstart-client-instance \
    --resource-group myResourceGroup
This command should produce output similar to the following:
Checking if the resource group myResourceGroup exists...
Tailing boot log, press CTRL-C to exit..
...
ANJ-ENCLAVE: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ANJ-ENCLAVE: HOME=/root
ANJ-ENCLAVE: EXAMPLE_API_KEY=my-secret-api-key-136d4813
You should see the secret value in the output, available to the application as an environment variable.