Enable Namespacing

Learn to issue tokens for namespaces in a vHSM.

Tokens can be issued for namespaces. To enable this feature, pass the -namespacing flag to vhsm nitride init. The vhsm nitride init command simplifies the setup of a vHSM by automating authentication, identity creation, policy enforcement, and attestation. With namespacing enabled, access control becomes fine-grained across multiple namespaces: a token is bound to the namespace it was issued for and carries its own policy.

Note:

  • Namespaced tokens have inlined policies.

  • The default policy can be overwritten with an HCL policy file.

Enable token namespacing with a policy file:

vhsm nitride init -namespacing @policy.hcl

Alternatively, pipe the policy file:

cat policy.hcl | vhsm nitride init -namespacing

This ensures that child namespaces can have distinct access control policies.
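An illustration of the policy file passed to vhsm nitride init -namespacing, added here and not taken from the Nitride docs. The vhsm commands on this page follow HashiCorp Vault's CLI conventions, so the policy is written in Vault's HCL policy format; the secret path prefixes are an assumption for a layout in which each namespace's secrets live under their own prefix. Because this policy is inlined into every namespaced token, it is kept to the minimum a workload needs: read access to its own prefix, an explicit deny on the neighbouring namespace's prefix, and token self-inspection. Check the syntax against your vHSM version before relying on it.

```hcl
# Assumed Vault-style HCL; the secret/data/<namespace>/ layout is an assumption
# for this example, not something the Nitride docs prescribe.

# Workload tokens for the gcp namespace may read and list only gcp secrets.
path "secret/data/gcp/*" {
  capabilities = ["read", "list"]
}

# Explicit deny on the other namespace's prefix so a broader default cannot
# quietly widen what this inlined policy allows.
path "secret/data/azure/*" {
  capabilities = ["deny"]
}

# A token may inspect and renew itself, nothing more.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
```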

Example Setup with Namespaces

Suppose the vHSM plugin is enabled in the root namespace, while workloads access resources in the gcp and azure namespaces.

  1. Initialize vHSM with token namespacing:

vhsm nitride init -namespacing @policy.hcl

  2. Enable authentication in the root namespace:

vhsm auth enable -path=ratls ratls

  3. Create identities and define policies in the root namespace:

vhsm nitride identity create @platform.json
vhsm nitride identity create @firmware.json
vhsm nitride identity create @workload.json
vhsm nitride policy create @policy.json

  4. Create attestations for each namespace:

Note: Only one instance of the plugin is enabled, and it lives in root; namespaces are assigned through the attestation. The JSON passed to nitride attestation create can contain a namespace field. When it is set to gcp, root issues the token for the gcp namespace.

vhsm nitride attestation create @attestation.json

With this setup, tokens issued in root can reference and delegate access to workloads running in the gcp and azure namespaces. Each namespace can have its own policies and attestations.
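The per-namespace part of the setup above as one script, added as an example and not code from the Nitride project. It renders one attestation document per namespace from a shared base, setting only the namespace field the page documents, writes each to its own file and then runs the documented vhsm nitride attestation create @<file> form for it. Because the plugin runs in root and root mints a token for whatever namespace the JSON names, the script checks the namespace against an allow-list before rendering. The base document's other keys (name, identities, policy), the allow-list and the file naming are assumptions; the vhsm call is skipped when the binary is not on PATH so the script also runs offline.

```python
"""Render per-namespace attestation documents and submit them to vhsm.

Added example, not code from the Nitride project. Only the "namespace" key of
the attestation JSON is documented; every other key below, the allow-list and
the file layout are assumptions for illustration.
"""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Namespaces that were actually provisioned. Root issues the token for whatever
# namespace the JSON names, so an unchecked value here would hand out a
# root-issued token for a namespace nobody intended.
ALLOWED_NAMESPACES = frozenset({"gcp", "azure"})

# Constructed base attestation; keys other than "namespace" are placeholders
# standing in for the contents of the page's attestation.json.
BASE_ATTESTATION = {
    "name": "workload-attestation",
    "identities": ["platform", "firmware", "workload"],
    "policy": "workload-policy",
}


def valid_namespace(namespace):
    """True only for a provisioned namespace (exact, case-sensitive match)."""
    return namespace in ALLOWED_NAMESPACES


def render_attestation(base, namespace):
    """Return a copy of `base` bound to `namespace`; `base` is left untouched."""
    if not valid_namespace(namespace):
        raise ValueError(f"namespace {namespace!r} is not provisioned")
    doc = dict(base)
    doc["namespace"] = namespace
    return doc


def render_all(base, namespaces):
    """Map each namespace to its own attestation document."""
    return {ns: render_attestation(base, ns) for ns in namespaces}


def write_attestations(base, namespaces, outdir):
    """Write attestation-<ns>.json files and return their paths by namespace."""
    paths = {}
    for ns, doc in render_all(base, namespaces).items():
        path = Path(outdir) / f"attestation-{ns}.json"
        path.write_text(json.dumps(doc, indent=2) + "\n")
        paths[ns] = path
    return paths


def vhsm_attestation_create(path):
    """Run the documented CLI form; returns None when vhsm is not installed."""
    if shutil.which("vhsm") is None:
        return None
    result = subprocess.run(
        ["vhsm", "nitride", "attestation", "create", f"@{path}"], check=True
    )
    return result.returncode


if __name__ == "__main__":
    outdir = tempfile.mkdtemp(prefix="nitride-attestations-")
    rendered = write_attestations(BASE_ATTESTATION, sorted(ALLOWED_NAMESPACES), outdir)
    for ns, path in rendered.items():
        rc = vhsm_attestation_create(path)
        status = "vhsm not on PATH, skipped" if rc is None else f"exit {rc}"
        print(f"{ns}: {path} ({status})")
```

Run it once per environment after steps 1 to 3 have been completed in root; each generated file is the attestation.json for one namespace, and a namespace missing from the allow-list stops the run before anything is submitted.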