Creating secrets and policies

After building a new disk image, the enclave and signer IDs are reported in the disk build output. These two values identify the measured image, and they are what APM policies key on: a policy grants access to a secret in the APM Vault instance only to workloads that present the matching enclave and signer IDs.

Creating a secret

The following command creates a new secret. Note that the command also reads VAULT_TOKEN, which the snippet does not set; export a Vault token that is permitted to manage the engine before running it:

$ export VAULT_ADDR="https://127.0.0.1:8200"
$ export VAULT_CACERT="${PWD}/certs/cert.pem"
$ ./bin/anjuna-policy-manager \
    --addr "${VAULT_ADDR}" \
    --token "${VAULT_TOKEN}" \
    --ca-cert "${VAULT_CACERT}" \
    secret create --engine-path anjuna cvm/app/EXAMPLE_ENV --value "secret-value"

Setting up an access policy

A command similar to the following then creates an access policy for the secret, scoped to Anjuna Confidential Containers started from a particular disk image. Replace the enclave and signer IDs with the ones reported in the build output for your disk image; a rebuilt image whose measurement changes will need a new policy:

$ ./bin/anjuna-policy-manager \
    --addr "$VAULT_ADDR" \
    --token "$VAULT_TOKEN" \
    --ca-cert "${VAULT_CACERT}" \
    authorize enclave --engine-path anjuna cvm/app/EXAMPLE_ENV \
      --enclave DD3EDF33282D6980A8330FF3DAB6ECCF5DB1E88CDAF5D6C164A8080360D53D8EE2668C6B549F1DA4650679007100F428 \
      --signer  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

An Anjuna Confidential Container started with this disk image then has permission to read the value of the secret at the specified engine path; containers started from an image with different enclave or signer IDs do not.
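The two steps above, wrapped in a small shell script as an added example (this is not part of the Anjuna documentation or tooling). It adds the checks a practitioner would want before touching Vault: the three connection variables must be set, and both IDs are validated as 96 hexadecimal characters before a policy is created, so a truncated or mis-pasted ID cannot silently become a policy. The APM_BIN variable, the helper function names and the 96-character ID length are assumptions made here, not taken from the page; the length matches the sample IDs shown above.

```bash
#!/bin/sh
# Added example wrapper around the anjuna-policy-manager calls shown on this
# page. Not part of Anjuna's tooling.
#
# Assumptions (not stated on the page):
#   - APM_BIN (default ./bin/anjuna-policy-manager) is the policy manager
#     binary; set APM_BIN=echo to dry-run and print the command instead.
#   - Enclave and signer IDs are exactly 96 hexadecimal characters,
#     as in the sample values shown above.
set -eu

# is_measurement ID: succeed only if ID is exactly 96 hex characters.
# Rejects empty strings, wrong lengths and non-hex characters.
is_measurement() {
  case "${1:-}" in
    ""|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 96 ]
}

# apm ARGS...: run the policy manager with the connection flags taken from
# the environment. Fails with a message if any variable is unset instead of
# passing an empty value to the tool.
apm() {
  "${APM_BIN:-./bin/anjuna-policy-manager}" \
    --addr "${VAULT_ADDR:?VAULT_ADDR is not set}" \
    --token "${VAULT_TOKEN:?VAULT_TOKEN is not set}" \
    --ca-cert "${VAULT_CACERT:?VAULT_CACERT is not set}" \
    "$@"
}

# create_secret ENGINE PATH VALUE
create_secret() {
  apm secret create --engine-path "$1" "$2" --value "$3"
}

# authorize_enclave ENGINE PATH ENCLAVE_ID SIGNER_ID
# Validates both IDs before creating the policy.
authorize_enclave() {
  is_measurement "$3" || { echo "authorize_enclave: bad enclave ID: '$3'" >&2; return 1; }
  is_measurement "$4" || { echo "authorize_enclave: bad signer ID: '$4'" >&2; return 1; }
  apm authorize enclave --engine-path "$1" "$2" --enclave "$3" --signer "$4"
}

# provision_secret ENGINE PATH VALUE ENCLAVE_ID SIGNER_ID
# Creates the secret and binds it to one measured image in a single step.
# Example (after exporting VAULT_ADDR, VAULT_TOKEN and VAULT_CACERT):
#   provision_secret anjuna cvm/app/EXAMPLE_ENV "secret-value" "$ENCLAVE_ID" "$SIGNER_ID"
provision_secret() {
  create_secret "$1" "$2" "$3" && authorize_enclave "$1" "$2" "$4" "$5"
}
```

Source the script and call provision_secret with the IDs copied from the build output; run it once with APM_BIN=echo to review the exact commands that will be sent before using the real binary.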