Deploy the client

Up to this point, you have completed the following:

Now, run the following command to create a client enclave compute instance (to use a different machine type, change the --machine value from the example n2d-standard-2):

$ anjuna-gcp-cli instance create "${APM_CLIENT_INSTANCE}" \
    --image "${APM_CLIENT_IMAGE}" \
    --machine "n2d-standard-2" \
    --network "${NETWORK_NAME}" \
    --subnet "${SUBNET_NAME}" \
    --zone "${GCP_ZONE}"

The instance create command will take a few minutes to complete.

Viewing client instance output

To view the serial console of the client enclave in real-time, run the following command (use CTRL-C to exit):

$ anjuna-gcp-cli instance describe "${APM_CLIENT_INSTANCE}" \
    --serial --tail

The command displays the logs of the GCP Confidential VM as it boots. Look for the following output to confirm that it is performing the remote attestation step and retrieving the secrets from the Anjuna Policy Manager:

...
ANJ-ENCLAVE: Added environment variable:  SECRET_ENV
ANJ-ENCLAVE: Added file:  /secret_file.txt
ANJ-ENCLAVE: Did remote attestation
ANJ-ENCLAVE: Auto terminate: false
ANJ-ENCLAVE: Container setup finished
ANJ-ENCLAVE: Launching command /bin/sh -c export;cat /secret_file.txt;sleep infinity
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
export PWD='/'
export SECRET_ENV='SecretEnvValue'
...

As you can see, the client enclave was able to perform remote attestation with the Anjuna Policy Manager. After successful attestation, the client enclave fetched the environment variable SECRET_ENV, which is now available for use by the container image.
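
A check over captured serial output, as an added example that is not part of the Anjuna documentation: it confirms that the attestation marker appears before the launch line, and it names any provisioned environment variable whose value the workload echoed to the console, as the tutorial's export command does with SECRET_ENV. The function names are hypothetical; the marker strings and the sample log are the ones shown in the output above.

```shell
#!/bin/sh
# Added example (not Anjuna code). Marker strings come from the sample output
# on this page; the function names are hypothetical.

# Sample input: the serial console excerpt shown above.
sample_log() {
cat <<'EOF'
ANJ-ENCLAVE: Added environment variable:  SECRET_ENV
ANJ-ENCLAVE: Added file:  /secret_file.txt
ANJ-ENCLAVE: Did remote attestation
ANJ-ENCLAVE: Auto terminate: false
ANJ-ENCLAVE: Container setup finished
ANJ-ENCLAVE: Launching command /bin/sh -c export;cat /secret_file.txt;sleep infinity
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
export PWD='/'
export SECRET_ENV='SecretEnvValue'
EOF
}

# Reads a log on stdin. Succeeds only if the attestation marker is present
# and, when a launch line exists, the marker comes before it.
attested_before_launch() {
    awk '
        /ANJ-ENCLAVE: Did remote attestation/ && !att { att = NR }
        /ANJ-ENCLAVE: Launching command/ && !run      { run = NR }
        END { exit !(att && (!run || att < run)) }
    '
}

# Reads a log on stdin. Prints the names (never the values) of provisioned
# environment variables that later show up in an "export NAME=..." line.
echoed_secret_env() {
    awk '
        { sub(/\r$/, "") }   # serial output may carry CR line endings
        /ANJ-ENCLAVE: Added environment variable:/ { secret[$NF] = 1; next }
        /^export [A-Za-z_][A-Za-z0-9_]*=/ {
            name = $2; sub(/=.*/, "", name)
            if (name in secret) print name
        }
    '
}

sample_log | attested_before_launch && echo "attestation marker precedes launch"
echo "provisioned variables echoed to the console: $(sample_log | echoed_secret_env)"
```

To run the same checks against a live instance, pipe the output of the instance describe command with --serial (without --tail) into either function.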