Deploy the client

Up to this point, you have completed the following:

Now, run the following command to create a client enclave compute instance (change the --machine value from the example n2d-standard-2 if desired):

$ anjuna-gcp-cli instance create "${APM_CLIENT_INSTANCE}" \
    --image "${APM_CLIENT_IMAGE}" \
    --machine "n2d-standard-2" \
    --network "${NETWORK_NAME}" \
    --subnet "${SUBNET_NAME}" \
    --zone "${GCP_ZONE}"

The instance create command will take a few minutes to complete.

Viewing client instance output

To view the serial console of the client enclave in real time, run the following command (use CTRL-C to exit):

$ anjuna-gcp-cli instance describe "${APM_CLIENT_INSTANCE}" \
    --serial --tail

The command displays the logs of the Google Cloud Confidential VM (CVM) as it boots. Look for the following output to confirm that it is performing the remote attestation step and retrieving the secrets from the Anjuna Policy Manager:

...
ANJ-ENCLAVE: Attestation completed
ANJ-ENCLAVE: Loaded container image docker.io/library/apm-on-gcp-test-client:latest
ANJ-ENCLAVE: Started container
export PWD='/'
export SECRET_ENV='SecretEnvValue'
...

As you can see, the client enclave was able to perform remote attestation with the Anjuna Policy Manager. After successful attestation, the client enclave fetched the environment variable SECRET_ENV, which is now available for use by the container image.
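
To script the confirmation described above, the following added example (not part of the Anjuna documentation or tooling) checks captured serial-console text for the markers in the order shown, and reports whether a named variable was exported without printing its value. The function name, the sample logs, and the assumption that the marker order on this page is the expected one are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Anjuna code. Checks a captured serial-console log for the
# boot sequence shown on this page without echoing any secret value.

# check_attested_boot [VAR_NAME]: reads console text on stdin.
# Exit 0 only if attestation completed before the container started and,
# when VAR_NAME is given, that variable was exported after attestation.
check_attested_boot() {
    awk -v secret="${1:-}" '
        /ANJ-ENCLAVE: Attestation completed/ { if (!att) att = NR }
        /ANJ-ENCLAVE: Started container/     { if (!run) run = NR }
        secret != "" && index($0, "export " secret "=") == 1 { if (!sec) sec = NR }
        END {
            if (!att)           why = "attestation marker missing"
            else if (!run)      why = "container start marker missing"
            else if (run < att) why = "container started before attestation"
            else if (secret != "" && (!sec || sec < att))
                                why = secret " not exported after attestation"
            if (why != "") { print "FAIL: " why; exit 1 }
            print "OK: attested boot"
        }'
}

# Constructed sample input, modelled on the output shown above.
GOOD_LOG=$(cat <<'EOF'
ANJ-ENCLAVE: Attestation completed
ANJ-ENCLAVE: Loaded container image docker.io/library/apm-on-gcp-test-client:latest
ANJ-ENCLAVE: Started container
export PWD='/'
export SECRET_ENV='SecretEnvValue'
EOF
)
# Constructed failure case: the container starts but no attestation is logged.
BAD_LOG=$(cat <<'EOF'
ANJ-ENCLAVE: Started container
export PWD='/'
EOF
)

printf '%s\n' "$GOOD_LOG" | check_attested_boot SECRET_ENV
printf '%s\n' "$BAD_LOG"  | check_attested_boot SECRET_ENV || true
```

To use it on a real instance, save the serial console output to a file and feed that file to check_attested_boot on stdin.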