Overview

This document provides a step-by-step guide for deploying the Anjuna Policy Manager Server and clients in GCP Confidential VMs.

In this guide, you will learn about the core functionality of the Anjuna Policy Manager (APM):

  • How to configure a client enclave to fetch secrets from the APM

  • How to add secrets to the APM

  • How to configure the APM to authorize client enclaves to fetch specific secrets

You will also learn about the following operational considerations:

  • How to configure TLS between the APM and client enclaves

  • How to improve automated deployments by auto-unsealing the APM

Architecture

In order to securely deliver secrets to client enclaves, the APM Server communicates with several GCP services. The following diagram shows how the APM uses Cloud KMS, Cloud Secret Manager, Cloud Storage, and Compute Engine.

Google Cloud services used by the Anjuna Policy Manager

Anjuna Policy Manager Server boot sequence

The following sequence diagram shows what happens when the APM Server is initially deployed. In this guide, you will learn to configure all of this behavior.

Sequence diagram of the Anjuna Policy Manager booting

Enclave boot sequence

When you start a client enclave that is configured to fetch secrets from the APM, the following sequence of events occurs. This ensures that only authorized enclaves are able to access secrets.

Sequence diagram of an enclave booting and performing remote attestation