EIF metadata

Overview

EIFs support attached metadata. Metadata lets you tag EIFs, which makes them easier to manage. It does not affect the AWS Nitro Enclave or its measurements.

Format

The metadata is a JSON object that can contain any information that you want to add, as long as it meets the following restrictions:

  • The JSON root element (the top-most element of the JSON document) must be an Object ({})

  • Each key inside the root Object must be a valid String ("")

  • Each value must also be a valid String ("")

Example of valid metadata:

{
  "app": "myApp",
  "version": "1.2.3",
  "role": "client"
}


Examples of invalid metadata:

The root element is not an Object:

[
  {
    "app": "myApp",
    "version": "1.2.3",
    "role": "client"
  },
  {
    "app": "myOtherApp",
    "version": "3.2.1",
    "role": "server"
  }
]

Not all values are strings:

{
  "app": "myApp",
  "version": "1.2.3",
  "roles": ["client", "standalone", "high-availability"]
}

Attaching metadata to EIFs

You can attach a metadata file to an EIF when building the EIF by using the --metadata flag of the anjuna-nitro-cli build-enclave command:

$ anjuna-nitro-cli build-enclave \
    --docker-uri <docker-uri> \
    --metadata <metadata-file> \
    --output-file <output-file>

Printing EIF metadata

To print the metadata attached to an EIF, use the anjuna-nitro-cli describe-eif command:

$ anjuna-nitro-cli describe-eif \
    --eif-path <eif-path>

The output will be similar to this:

{
  …
  "Metadata": {
    …
    "app": "nginx",
    "version": "1.21.6",
    "owner_org": "marketing"
  }
}

Examples

Say you have a metadata file called nginx-metadata.json with the following contents:

{
  "app": "nginx",
  "version": "1.21.6",
  "owner_org": "marketing"
}

The following command builds an enclave, attaches the metadata file, and saves the enclave image file as nginx.eif.

$ anjuna-nitro-cli build-enclave \
      --docker-uri nginx:1.21.6 \
      --metadata nginx-metadata.json \
      --output-file nginx.eif

It produces output similar to this:

Start building the Enclave Image...
Using the locally available Docker image...
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "...",
    "PCR1": "...",
    "PCR2": "..."
  }
}

The following command prints information about the enclave, including its metadata:

$ anjuna-nitro-cli describe-eif \
      --eif-path nginx.eif

It produces output similar to this:

{
  "EifVersion": 4,
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "...",
    "PCR1": "...",
    "PCR2": "..."
  },
  …
  "Metadata": {
    "BuildTime": "2022-04-28T21:15:55.018997875+00:00",
    …
    "app": "nginx",
    "version": "1.21.6",
    "owner_org": "marketing"
  }
}
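
The following Python sketch is an added example, not part of the Anjuna tooling. It checks a metadata file against the Format restrictions before the file is passed to --metadata, and confirms that the Metadata object printed by describe-eif carries the same tags. The function names and sample strings are constructed for illustration, and the describe-eif layout is assumed to match the output shown above.

```python
import json

def validate_metadata(text):
    """Return a list of problems; an empty list means the metadata is acceptable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return [f"root element must be an Object, got {type(doc).__name__}"]
    # JSON object keys are always strings once parsed, so only values need checking.
    return [f"value of {key!r} must be a String, got {type(value).__name__}"
            for key, value in doc.items() if not isinstance(value, str)]

def missing_tags(metadata_text, describe_eif_text):
    """Return tags from the metadata file that describe-eif does not report unchanged."""
    expected = json.loads(metadata_text)
    reported = json.loads(describe_eif_text).get("Metadata", {})
    return {k: v for k, v in expected.items() if reported.get(k) != v}

# Constructed samples modelled on the examples on this page.
VALID = '{"app": "nginx", "version": "1.21.6", "owner_org": "marketing"}'
LIST_ROOT = '[{"app": "myApp"}, {"app": "myOtherApp"}]'
LIST_VALUE = '{"app": "myApp", "roles": ["client", "standalone"]}'
DESCRIBE_EIF = json.dumps({
    "EifVersion": 4,
    "Metadata": {"BuildTime": "2022-04-28T21:15:55.018997875+00:00",
                 "app": "nginx", "version": "1.21.6", "owner_org": "marketing"},
})

if __name__ == "__main__":
    for name, sample in [("valid", VALID), ("list root", LIST_ROOT),
                         ("list value", LIST_VALUE)]:
        print(name, "->", validate_metadata(sample) or "OK")
    print("missing tags:", missing_tags(VALID, DESCRIBE_EIF) or "none")
```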