Deploy the Anjuna Policy Manager and create secrets

Start the Confidential Container

The final step in the Anjuna Policy Manager (APM) deployment is to create a Vault server instance by running the following command:

The instance create command will take a few minutes to complete. 
$ anjuna-gcp-cli instance create "${VAULT_SERVER_INSTANCE}" \
    --image "${VAULT_SERVER_IMAGE}" \
    --machine "n2d-standard-2" \
    --network "${NETWORK_NAME}" \
    --subnet "${SUBNET_NAME}" \
    --zone "${GCP_ZONE}" \
    --service-account "${VAULT_SERVICE_ACCOUNT_EMAIL}" \
    --scopes https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudkms

You can check the logs of the Vault server using the following command:

$ anjuna-gcp-cli instance describe --tail --logs $VAULT_SERVER_INSTANCE

Once the Vault server has been created, the public IP address can be stored to an environment variable on the admin host and displayed using the following commands:

$ export VAULT_SERVER_IP=$(gcloud compute instances describe "${VAULT_SERVER_INSTANCE}" \
    --format='get(networkInterfaces[0].accessConfigs[0].natIP)' --zone "${GCP_ZONE}")
$ echo "${VAULT_SERVER_IP}"

Server hostname resolution

If you are using a fully-qualified domain name for your Vault server, you need to make an update for the domain name. Update the DNS A record for the domain name to point to the public IP (the value of $VAULT_SERVER_IP) of the Vault server instance that you created in the previous step.

If you are not using a fully-qualified domain name for your Vault server, add an entry to your administration computer /etc/hosts file. This will resolve the Google Cloud internal DNS hostname to the public IP of your server. Run the following command, which will add the line to your /etc/hosts file:

$ echo "${VAULT_SERVER_IP}    ${VAULT_SERVER_HOST}" | sudo tee -a /etc/hosts

Check the Vault server status

Your local installation of Vault is used for the one time initialization of auto-unsealing and Google Cloud storage, as well as to register and enable the Anjuna Policy Manager (APM) plugin.

This requires that the TLS certificate that was used for the TLS configuration section to be available at apm-on-gcp/tls-cert.pem and that some connection settings are defined. These can be set as environment variables with the following commands from within the apm-on-gcp directory:

$ export VAULT_ADDR="https://${VAULT_SERVER_HOST}:8200"
$ export VAULT_CACERT="$(pwd)/tls-cert.pem"

Now you can check the status of the Vault server with the following command:

$ vault status

Initialize the Vault server

The first time Vault boots, the unsealing key, client enclave authentication, and key-value storage need to be initialized from the administration computer. These operations only need to be performed once.

Initialize unsealing key

Run the following command to initialize the encrypted storage bucket and unsealing key, and generate the root token:

$ vault operator init

The output from this command should be saved in a secure manner. It contains the recovery keys and root token.

The root token is required in subsequent administration commands for creating and managing secrets and should be assigned to an environment variable with this command (replace <ROOT_TOKEN> with the value output from the previous command):

$ export VAULT_TOKEN="<ROOT_TOKEN>"

Enable client enclave authentication

Run the following commands to register the APM plugin:

$ APM_SHA256=$(tar -xf vault/anjuna-policy-manager.*.tar.gz ./bin/anjuna-policy-manager-plugin --to-command=sha256sum | cut -d' ' -f1)
$ vault plugin register \
    -sha256="${APM_SHA256}" \
    -command=anjuna-policy-manager-plugin auth apm

Then run the following command to activate APM authentication of client enclaves:

$ vault auth enable apm

Enable key-value storage engine

This guide uses the Vault key-value storage engine. After creating the Vault server instance, this storage engine must be activated. Run the following command to execute this one time operation:

$ vault secrets enable --path anjuna kv

Create secrets

Configure anjuna-policy-manager CLI settings

The Anjuna Policy Manager (APM) software package contains the anjuna-policy-manager client program that is used for managing secrets and authorization policies for enclaves.

You can extract this tool from the previously downloaded archive for the APM using the following command, executed from the apm-on-gcp directory:

$ tar -xf vault/anjuna-policy-manager.*.tar.gz ./bin/anjuna-policy-manager --strip-components=2 -C .

Run the following commands to define additional environment variables required to connect to the server:

$ export ANJUNA_ADDR="https://${VAULT_SERVER_HOST}:8200"
$ export ANJUNA_CACERT="$(pwd)/tls-cert.pem"
$ export ANJUNA_TOKEN="${VAULT_TOKEN}"

Creating secrets

The example commands below will create the two secrets needed for the Client enclave config file. Replace the following fields with the desired values:

  • <vault/path/to/secret-env> - The path to an example environment variable secret (the key portion of the key-value pair)

  • <SecretEnvValue> - The value of the environment variable

  • <vault/path/to/secret-file> - The path to an example file secret (the key portion of the key-value pair)

  • <SecretFileValue> - The path to the secrets file to store in Vault

$ anjuna-policy-manager secret create \
    <vault/path/to/secret-env> \
    --value=<SecretEnvValue>
$ anjuna-policy-manager secret create \
    <vault/path/to/secret-file> \
    --value="$(cat <SecretFileValue>)"
The secret file should be in ASCII/base64 format.

Authorizing enclaves to access secrets

Individual enclaves can be granted access to secrets using their enclave IDs. But you do not know the enclave ID until you build an enclave, so you will first configure and build a client enclave.