create

Creates a new policy. The policy definition must be provided as a JSON file, passed on the command line with the @ prefix (for example, @values.json).

Usage

vhsm nitride policy create @values.json [flags]

Structure: @values.json

  • "name": A string uniquely identifying the policy.

  • "identities": An object specifying the required identities for this policy. It contains:

      • "provider": The provider identity. For example, azure-sev-snp-vtpm.

      • "platform": An array of platform identity objects, see platform identity structure.

      • "firmware": An array of firmware identity objects, see firmware identity structure.

      • "workload": A workload identity object, see workload identity structure.

      • "metadata": (Optional) Additional metadata for the policy (null when unused), see metadata structure.

Flags


When to use each parameter

  • Use name to uniquely identify the policy.

  • Use identities to specify the required provider, platform, firmware, workload, and optional metadata identities that must be attested for this policy to be satisfied.

  • Use platform, firmware, and workload to define the specific trust requirements for each component.

  • Use metadata to attach custom attributes or tags for advanced policy, grouping, or informational purposes.

Example JSON: Policy

{
  "name": "azure-sev-snp-milan-vcek-vtpm-ubuntu-jammy",
  "identities": {
    "provider": "azure-sev-snp-vtpm",
    "platform": [
      {
        "name": "amd-sev-snp-milan-vcek"
      }
    ],
    "firmware": [
      {
        "name": "azure-dc2as-v5"
      }
    ],
    "workload": {
      "name": "azure-sev-snp-vtpm-ubuntu-jammy",
      "policy": {
        "hash": false,
        "pcrs.0": false
      }
    },
    "metadata": null
  }
}

Example Command

vhsm nitride policy create @policy.json

Output

Key           Value
---           -----
created       1752411654
identities    map[firmware:[map[name:local-test policy:<nil>]] metadata:<nil> platform:[map[name:amd-sev-snp-milan-vcek policy:<nil>]] provider:local-none-debug workload:map[name:vtpm-ubuntu policy:map[hash:false pcrs.1:false]]]
name          test

Additional Example

Create with custom server address and output as JSON:

vhsm nitride policy create @policy.json -address=https://vhsm.example.com:8200 -format=json

Output

{
  "request_id": "79f94c2c-227c-6a00-b863-8d4c581be321",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "created": 1752411654,
    "identities": {
      "firmware": [
        {
          "name": "local-test",
          "policy": null
        }
      ],
      "metadata": null,
      "platform": [
        {
          "name": "amd-sev-snp-milan-vcek",
          "policy": null
        }
      ],
      "provider": "local-none-debug",
      "workload": {
        "name": "vtpm-ubuntu",
        "policy": {
          "hash": false,
          "pcrs.1": false
        }
      }
    },
    "name": "test"
  },
  "warnings": [
    "Endpoint ignored these unrecognized parameters: [-address -format]"
  ]
}

Policy Structures

Type: Platform Identity

Use platform for specific CPU types and their PKI validation.

  • "name": Name of the platform identity (e.g., amd-sev-snp-milan-vcek).

  • "firmware": Minimum firmware version required (e.g., >= 1.55.22).

  • "root_of_trust": Trust identifier for the hardware root of trust.

Example:

{
  "name": "amd-sev-snp-milan-vcek"
}

Type: Firmware Identity

Use firmware to specify trusted firmware measurements.

  • "name": Name of the firmware identity (e.g., azure-dc2as-v5).

Example:

{
  "name": "azure-dc2as-v5"
}

Type: Workload Identity

Use workload to specify trusted application, VM, or container images and their attestation requirements.

  • "name": Name of the workload identity. For example, azure-sev-snp-vtpm-ubuntu-jammy.

  • "policy": Object specifying attestation requirements. For example, hash, pcrs.0.

Example:

{
  "name": "azure-sev-snp-vtpm-ubuntu-jammy",
  "policy": {
    "hash": false,
    "pcrs.0": false
  }
}

Type: Metadata

Use metadata for attaching custom, user-defined attributes or tags to an identity for advanced policy, grouping, or informational purposes.

Values

  • "attributes": An object containing key-value pairs representing metadata attributes such as environment, owner, project, region, and others.

  • "description": (Optional) A string providing a human-readable description of the metadata or its purpose.

Example:

{
  "attributes": {
    "environment": "production",
    "owner": "dba-team",
    "region": "us-east-1"
  },
  "description": "Metadata for production database workloads in us-east-1"
}

Detailed Explanation

  • "attributes": An object containing arbitrary key-value pairs that represent metadata tags or properties. Use this to add contextual information to an identity, such as environment, owner, project, or region. This is useful for advanced policy enforcement, grouping, or filtering.

  • "description" (optional): A human-readable string describing the metadata or its intended use. Use this to provide additional context for administrators or automation.
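To catch structural mistakes before a file reaches vhsm nitride policy create, here is an added Python validator for the @values.json layout described under Structure and Policy Structures above (it is not the vhsm tool's own code). It assumes the nesting shown in the Example JSON, that platform and firmware are non-empty arrays, and that workload policy flags such as hash and pcrs.N are booleans; the server may enforce further constraints.

```python
import json
# Added validator for the documented @values.json layout (not the vhsm CLI's own code).

def _check_identity_list(items, kind, errors):
    """platform/firmware: non-empty arrays of objects, each with a string "name"."""
    if not isinstance(items, list) or not items:
        errors.append(f"identities.{kind} must be a non-empty array")
        return
    for i, ident in enumerate(items):
        if not isinstance(ident, dict) or not isinstance(ident.get("name"), str):
            errors.append(f'identities.{kind}[{i}] needs a string "name"')

def validate_policy(doc):
    """Return a list of structural problems; an empty list means well formed."""
    errors = []
    if not isinstance(doc.get("name"), str) or not doc["name"]:
        errors.append('"name" must be a non-empty string')
    ids = doc.get("identities")
    if not isinstance(ids, dict):
        return errors + ['"identities" must be an object']
    if not isinstance(ids.get("provider"), str):
        errors.append("identities.provider must be a string (e.g. azure-sev-snp-vtpm)")
    _check_identity_list(ids.get("platform"), "platform", errors)
    _check_identity_list(ids.get("firmware"), "firmware", errors)
    wl = ids.get("workload")
    if not isinstance(wl, dict) or not isinstance(wl.get("name"), str):
        errors.append('identities.workload must be an object with a string "name"')
    elif wl.get("policy") is not None:
        pol = wl["policy"]  # requirement flags such as "hash" / "pcrs.N" -> bool
        if not isinstance(pol, dict) or not all(isinstance(v, bool) for v in pol.values()):
            errors.append("identities.workload.policy values must be booleans")
    md = ids.get("metadata")
    if md is not None and (not isinstance(md, dict) or not isinstance(md.get("attributes"), dict)):
        errors.append('identities.metadata must be null or an object with "attributes"')
    return errors

def validate_file(path):
    """Check a file before running `vhsm nitride policy create @<path>`."""
    with open(path, encoding="utf-8") as fh:
        return validate_policy(json.load(fh))

SAMPLE_POLICY = {  # constructed sample: the policy from "Example JSON: Policy" above
    "name": "azure-sev-snp-milan-vcek-vtpm-ubuntu-jammy",
    "identities": {"provider": "azure-sev-snp-vtpm", "metadata": None,
                   "platform": [{"name": "amd-sev-snp-milan-vcek"}],
                   "firmware": [{"name": "azure-dc2as-v5"}],
                   "workload": {"name": "azure-sev-snp-vtpm-ubuntu-jammy",
                                "policy": {"hash": False, "pcrs.0": False}}},
}
```

validate_policy(SAMPLE_POLICY) returns an empty list; a file with an empty platform array or a non-boolean policy flag gets one message per problem, so a CI step can fail on any non-empty result.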

For more information, see create policy. A policy is critical for enabling secure workload attestation: it enforces the trust requirements for the underlying platform, firmware, and workload.
