anjuna-gcp-cli instance describe

anjuna-gcp-cli instance describe --instance <instance-name> [OPTIONS...]

Gets additional information (such as serial and attestation report) for the Google Cloud VM instance.

The anjuna-gcp-cli instance describe command displays information on the specified Anjuna Confidential Container running on top of a Google Cloud Confidential VM (CVM) instance.

When no parameters are provided (other than --instance, which is required), the command displays the values of all the configuration parameters for the instance.

Options

--instance

(Required) Name of the instance to be queried

--logs

Shows messages from Google Cloud Logging service

The Anjuna Confidential Container supports both a serial console and Google Cloud Logging.

Using Cloud Logging is recommended. Application logs are automatically pushed to Cloud Logging if a service account with the Log Writer role is used to create the instance.

The option --logs shows instance logs from Google Cloud Logging. By default, it will print the recent instance output and then exit. Add the --tail option to stream the output until the Anjuna Confidential Container terminates or the command is interrupted.

Logs from the Anjuna SEV Runtime include a UTC timestamp with the format %Y/%m/%d %H:%M:%S. For example, ANJ-ENCLAVE: 2024/08/26 14:01:59 Powered on.

To access the logs on the Google Cloud Logging service, you will need to grant the Logs Viewer role to the account being used.

See Controlling log access for a more detailed explanation of how to use service accounts to control access to the logs.

Google Cloud projects have quota settings that also apply to Cloud Logging I/O loads. Check Cloud Logging Quotas for more information on how to configure them for your project. Frequent read requests can trigger a quota violation error. anjuna-gcp-cli implements exponential backoff when calling Google's APIs, and prints a warning whenever it adds a pause to slow down its request rate.

$ anjuna-gcp-cli --project my-project instance describe --instance anjuna-gcp-nginx-instance --logs
ANJ-ENCLAVE: Loaded container image docker.io/library/nginx:latest
ANJ-ENCLAVE: Creating container...
ANJ-ENCLAVE: Created container b01643e5e85f12d8da1e81c4f68bcdd0bfb1e6ac9fa6c25be5115311e5e1363b
ANJ-ENCLAVE: Started container
2025/07/18 20:35:39 [notice] 1#1: using the "epoll" event method
2025/07/18 20:35:39 [notice] 1#1: nginx/1.29.0
2025/07/18 20:35:39 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14+deb12u1)
2025/07/18 20:35:39 [notice] 1#1: OS: Linux 5.16.16
2025/07/18 20:35:39 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/07/18 20:35:39 [notice] 1#1: start worker processes
2025/07/18 20:35:39 [notice] 1#1: start worker process 29
2025/07/18 20:35:39 [notice] 1#1: start worker process 30

--serial

Shows messages from the serial console

If Cloud Logging is not available, the Anjuna Confidential Container falls back to logging to the serial console.

The serial console can be viewed by anyone with access to the project, which may expose confidential information in the application logs. The serial console is also extremely slow and may have a significant performance impact. Using Cloud Logging by attaching a service account with appropriate permissions is recommended instead.

The serial console logs may also be used to diagnose issues if the Anjuna Confidential Container fails to boot before Cloud Logging is available.

By default, --serial will print the full serial console output and then exit. Add the --tail option to stream the output until the Anjuna Confidential Container terminates or the command is interrupted.

--tail

Streams the output when using the --logs or --serial options

--tail streams the output until the Anjuna Confidential Container terminates or the command is interrupted.

--show-ip

Displays the network access configurations of the instance

The --show-ip option displays all the network access configurations attached to the instance.

$ anjuna-gcp-cli --project my-project instance describe --instance anjuna-gcp-nginx-instance --show-ip
Instance details:
  Project: confidential-container
  Zone: us-central1-a
  Name: anjuna-gcp-nginx-instance
  ID: 4420867891618320720
  Type: n2d-standard-2
  Status: RUNNING

Network interface nic0:
  Internal IP: 10.128.0.5
  External IP: 34.69.228.74 (External NAT)

--attestation-report

Shows the SEV attestation report

The --attestation-report option displays the Google Cloud Audit Log events that show:

  • The SEV launch attestation report, which includes:

    • SEV policy, which is the AMD SEV policy bits set for this VM; policy bits are set at CVM launch time to enforce constraints such as whether debug mode is enabled, key sharing is allowed, and migration settings.

    • Integrity evaluation, which is the result of an integrity check performed by the Virtual Machine Monitor on the measurement computed by AMD SEV.

  • The late boot event report, which includes:

    • Measurements, which contain platform configuration register (PCR) values that record cryptographic hashes of boot components in their actual load sequence.

    • Late boot policy evaluation, which is the result of an integrity check performed by the Virtual Machine Monitor comparing the actual measurements against the expected policy measurements.

$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --attestation-report
Instance details:
  Project: confidential-container
  Zone: us-central1-a
  Name: anjuna-gcp-nginx-instance
  ID: 4420867891618320720
  Type: n2d-standard-2
  Status: RUNNING

Collating instance integrity log…
✓ Found instance late boot event
✓ Found instance launch event

Attestation report:
  Confidential Computing technology: SEV
  SEV policy:
    Allow memory debugging: false
    Allow memory sharing: false
    Allow migration: true
    Allow migration outside Google Cloud: true
    Allow migration to hosts without SEV: false
    Allow migration to hosts with SEV of any version
  Measurements:
    PCR0:  0x2AAB58E23EA5120D70A3EBCE56BD0E6D5E3035B7
    PCR1:  0x7C6CEAE56DA5EC69A014839ED3836C1AD1F97FAE
    PCR2:  0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
    PCR3:  0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
    PCR4:  0xE0437E24A573CC1E254A8FA7E1C9AC59E92545C8
    PCR5:  0x75C22FC627F1E2784CC697811CB98A4F7EF2BC22
    PCR6:  0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
    PCR7:  0xEDE7204673F41AC2592B0D3B4CD429B43F39DC61
    PCR8:  0xD8182F4D05B673CB41D9912B2AD3689FBCEBBEF8
    PCR9:  0x8363D36D55F279CDD70D8CF2F06BC053DE8497D6
    PCR14: 0xA482A15E112717D6A915B989A0EA6140A507E3E6
  Integrity evaluation: PASSED
  Late boot policy evaluation: PASSED
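
To use this report as a deployment gate rather than reading it by eye, its fields can be checked mechanically. The following is an added example, not part of the Anjuna tooling or documentation; the function name check_attestation_report and the set of required values are assumptions chosen for illustration, and a field that is missing from the output is treated as a failure.

```shell
#!/usr/bin/env bash
# Added example (not Anjuna code). Input: the text printed by
#   anjuna-gcp-cli instance describe --instance NAME --attestation-report
# The required values below are an example policy (an assumption); adjust them.

# Reads the report on stdin, prints one line per failed check, and returns 0
# only if every required field is present with the required value.
check_attestation_report() {
  awk '
    function want(key, val) { need[key] = val }
    BEGIN {
      FS = ": *"
      want("Allow memory debugging", "false")
      want("Allow memory sharing", "false")
      want("Integrity evaluation", "PASSED")
      want("Late boot policy evaluation", "PASSED")
    }
    {
      key = $1; sub(/^[ \t]+/, "", key)        # drop indentation
      val = $2; sub(/[ \t\r]+$/, "", val)      # drop trailing blanks and CR
      if (key in need) seen[key] = val
    }
    END {
      bad = 0
      for (k in need) {
        if (!(k in seen))            { print "MISSING: " k; bad = 1 }
        else if (seen[k] != need[k]) { print "FAIL: " k " = " seen[k]; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample: the report lines from the output above, PCR lines omitted.
SAMPLE_REPORT='Attestation report:
  Confidential Computing technology: SEV
  SEV policy:
    Allow memory debugging: false
    Allow memory sharing: false
    Allow migration: true
    Allow migration to hosts with SEV of any version
  Integrity evaluation: PASSED
  Late boot policy evaluation: PASSED'

printf '%s\n' "$SAMPLE_REPORT" | check_attestation_report && echo "attestation gate: OK"
```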

The Google Cloud API does not provide the values of PCR15 (the application running in the enclave) and PCR16 (the signing key) in this output, but the Anjuna Confidential Container will log them to the serial console. You can view PCR15 and PCR16 with the following command:

$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --serial | grep -A5 'SHA256:'
 SHA256:
   4: 0xCA7F9152C382CADB7465878A2FAAB79F9F4212FCB55D5EFC05228F5CD2D235D5
   5: 0xF49478ED66E4A4986C5E6451B620B46BB89C2A5212966AB68D9C29D92DFE92B7
   9: 0xF28E3DF729F1C0096CB2FED01C3AA9DDD6C38D9696E08A09F22613E4B0BEBCC9
  15: 0xDC863E4ACFA1EECAEABE712E91BDCF8BC874EB8FBEEC1746EBD6D1672998397B
  16: 0x0000000000000000000000000000000000000000000000000000000000000000

For more information on PCR values, see Identifying the software in an AMD SEV Confidential VM (CVM).
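
The grep -A5 filter above depends on how many lines follow SHA256:. The following added example (not part of the Anjuna tooling or documentation) extracts a PCR by index and compares it with a pinned value; the function names and EXPECTED_PCR15, which stands in for a value you recorded for your own image, are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Anjuna code). Input: the text printed by
#   anjuna-gcp-cli instance describe --instance NAME --serial

# pcr_from_serial INDEX: prints the SHA256-bank value of PCR INDEX as uppercase
# hex without the 0x prefix; returns non-zero if the index is not listed.
pcr_from_serial() {
  awk -v idx="$1" '
    /^[ \t]*SHA256:[ \t\r]*$/ { in_bank = 1; next }
    in_bank && /^[ \t]*[0-9]+:[ \t]*0[xX][0-9A-Fa-f]+[ \t\r]*$/ {
      n = $1; sub(/:$/, "", n)
      if (n == idx) {
        v = toupper($2); sub(/^0X/, "", v); gsub(/\r/, "", v)
        print v; found = 1; exit
      }
      next
    }
    { in_bank = 0 }                 # any other line ends the PCR block
    END { exit !found }'
}

# verify_pcr INDEX EXPECTED_HEX: 0 on exact match, 1 on mismatch, 2 if absent.
verify_pcr() {
  actual=$(pcr_from_serial "$1") || { echo "PCR$1: not in serial output" >&2; return 2; }
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F' | sed 's/^0[xX]//')
  [ "$actual" = "$expected" ] || { echo "PCR$1 mismatch: got $actual" >&2; return 1; }
}

# Constructed sample: the PCR lines from the output above.
SAMPLE_SERIAL=' SHA256:
   4: 0xCA7F9152C382CADB7465878A2FAAB79F9F4212FCB55D5EFC05228F5CD2D235D5
   5: 0xF49478ED66E4A4986C5E6451B620B46BB89C2A5212966AB68D9C29D92DFE92B7
   9: 0xF28E3DF729F1C0096CB2FED01C3AA9DDD6C38D9696E08A09F22613E4B0BEBCC9
  15: 0xDC863E4ACFA1EECAEABE712E91BDCF8BC874EB8FBEEC1746EBD6D1672998397B
  16: 0x0000000000000000000000000000000000000000000000000000000000000000'

# EXPECTED_PCR15 stands in for the value recorded for your own image (assumption).
EXPECTED_PCR15=0xdc863e4acfa1eecaeabe712e91bdcf8bc874eb8fbeec1746ebd6d1672998397b
printf '%s\n' "$SAMPLE_SERIAL" | verify_pcr 15 "$EXPECTED_PCR15" && echo "PCR15: OK"
```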

Global options

The following options are available for all anjuna-gcp-cli subcommands.

-h, --help

Prints the help information for the command

--debug

Prints debug messaging

-v, --version

Prints the anjuna-gcp-cli version

Exit status

  • 0 on success

  • 1 on error

Examples

$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --logs
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --logs --tail
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --serial
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --serial --tail
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --show-ip
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --attestation-report

$ anjuna-gcp-cli --project my-project instance describe --instance anjuna-gcp-nginx-instance --serial
ANJ-ENCLAVE: Powered on
...
ANJ-ENCLAVE: Loading enclave configuration
ANJ-ENCLAVE: No enclave configuration provided
...
ANJ-ENCLAVE: Loaded container image docker.io/library/nginx:latest
ANJ-ENCLAVE: Creating container...
ANJ-ENCLAVE: Created container b01643e5e85f12d8da1e81c4f68bcdd0bfb1e6ac9fa6c25be5115311e5e1363b
ANJ-ENCLAVE: Started container
2025/07/18 20:35:39 [notice] 1#1: using the "epoll" event method
2025/07/18 20:35:39 [notice] 1#1: nginx/1.29.0
2025/07/18 20:35:39 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14+deb12u1)
2025/07/18 20:35:39 [notice] 1#1: OS: Linux 5.16.16
2025/07/18 20:35:39 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/07/18 20:35:39 [notice] 1#1: start worker processes
2025/07/18 20:35:39 [notice] 1#1: start worker process 29
2025/07/18 20:35:39 [notice] 1#1: start worker process 30