Overview

This document provides a step-by-step guide for deploying HashiCorp Vault with the Anjuna Policy Manager (APM) authentication plugin in an Anjuna Confidential Container for SEV on Google Cloud.

The version of Vault currently supported is Vault Community 1.21. If you would like to use a different version or variant of Vault with the APM, please contact support@anjuna.io.

In this guide, you will learn about the core functionality of the APM:

  • How to configure a client enclave to fetch secrets from Vault using the APM

  • How to add secrets that will be managed by the APM

  • How to configure the APM to authorize client enclaves to fetch specific secrets

You will also learn about the following operational considerations:

  • How to configure TLS between Vault/APM and client enclaves

  • How to secure automated deployments by auto-unsealing Vault

Architecture

To deliver secrets to client enclaves securely, the Vault/APM server relies on several Google Cloud services. The following diagram shows how Vault uses Cloud KMS, Cloud Secret Manager, Cloud Storage, and Compute Engine.

Google Cloud services used by Vault/APM
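The Vault-side half of this architecture (Cloud KMS for unsealing, Cloud Storage as the storage backend, TLS on the listener, and a plugin directory for the APM plugin) is expressed in the Vault server configuration file. The following HCL is an added illustration, not configuration taken from this guide or shipped by Anjuna; the project, key ring, key, bucket, and file paths are placeholders you would replace with your own, and the later sections of the guide are authoritative for the values the APM deployment actually uses.

```hcl
# Added example of a Vault server configuration (vault.hcl) for the
# deployment sketched in the diagram. All names below are assumptions.

# Listener: client enclaves talk to Vault/APM over TLS only.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/vault/tls/server.crt"   # assumed path
  tls_key_file    = "/vault/tls/server.key"   # assumed path
  tls_min_version = "tls12"
}

# Auto-unseal: the Vault root key is wrapped by a Cloud KMS key, so no
# human has to supply unseal key shares when the container restarts.
seal "gcpckms" {
  project    = "example-project"      # assumed
  region     = "global"               # assumed
  key_ring   = "vault-keyring"        # assumed
  crypto_key = "vault-unseal-key"     # assumed
}

# Storage backend: encrypted Vault data lives in a GCS bucket; the bucket
# never sees plaintext because Vault encrypts before writing.
storage "gcs" {
  bucket     = "example-vault-storage"  # assumed
  ha_enabled = "false"
}

# The APM authentication plugin binary is loaded from this directory and
# registered in Vault's plugin catalog after initialization.
plugin_directory = "/vault/plugins"     # assumed

# The address clients (and the APM) use to reach this server.
api_addr = "https://vault.example.internal:8200"   # assumed

# Inside a container, memory locking is usually unavailable; the enclave
# itself protects memory, so mlock is disabled here.
disable_mlock = true
ui            = false
```

The GCE service account attached to the container needs `cloudkms.cryptoKeyEncrypterDecrypter` on the unseal key and object read/write on the bucket; granting anything broader than that widens the blast radius if the Vault host is compromised.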

Vault server boot sequence

The following sequence diagram shows what happens when the Vault server is initially deployed. In this guide, you will learn to configure all of this behavior.

Sequence diagram of the Vault server booting

Enclave boot sequence

When you start a client enclave that is configured to fetch secrets from the Vault/APM server, the following sequence of events occurs. Because the enclave must pass remote attestation before it receives anything, only enclaves that the APM has authorized can obtain secrets.

Sequence diagram of an enclave booting and performing remote attestation