Enable Namespacing
Learn to issue tokens for namespaces in a vHSM.
Tokens can be issued for namespaces. To enable this feature, use the -namespacing flag. The vhsm nitride init command simplifies the setup of vHSM by automating authentication, identity creation, policy enforcement, and attestation. The namespacing feature allows fine-grained access control across multiple namespaces.
Enable token namespacing with a policy file:
Alternatively, pipe the policy file:
This ensures that child namespaces can have distinct access control policies.
Example Setup with Namespaces
Consider a setup in which the vHSM plugin is enabled in the root namespace, while workloads access resources in the gcp and azure namespaces.
1. Initialize vHSM with token namespacing
2. Enable authentication in the root namespace
3. Create identities in the root namespace
4. Define policies in each namespace
5. Create attestations for each namespace
With this setup, tokens issued in root can reference and delegate access to workloads running in the gcp and azure namespaces. Each namespace can have its own policies and attestations.