> For the complete documentation index, see [llms.txt](https://docs.enclaive.cloud/nitride/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.enclaive.cloud/nitride/tutorials/attestation-blueprint/create-policy.md). # Create Policy {% hint style="info" %} **Note**: If you started Nitride by using the `vhsm nitride init` command then, it performs a series of operations to configure and secure your environment: 1. Creates essential Nitride identities, including: platform, firmware, and workload 2. Creates and attaches a Nitride policy from an embedded policy configuration. 3. Generates attestation objects based on your setup. 4. Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions. 5. Ensure that you have set the environment variable: `export VAULT_NAMESPACE=test` to create a policy in the namespace `test`. {% endhint %} ## Create a policy Create a `policy.json` file that outlines the actions or capabilities and the resources or paths the identity is allowed to access after successful attestation. To create a policy that is attached to a provider see `vhsm nitride policy -help` command. **Example**: Create a `policy.json` file using an editor of your choice. ```json { "name": "nitride-policy", "identities": { "provider": "azure-sev-snp-vtpm", "platform": [ { "name": "amd-sev-snp-milan-vcek" } ], "firmware": [ { "name": "azure-dc2as-v5" } ], "workload": { "name": "azure-sev-snp-vtpm-ubuntu-jammy", "policy": { "hash": false, "pcrs.0": false } }, "metadata": null } } ``` Where: * "name": A string uniquely identifying the policy. * "identities": An object specifying the required identities for this policy. * "provider": The provider identity. For example, azure-sev-snp-vtpm. * "platform": An array of platform identity objects, see [platform](/nitride/cli/identity/create.md#type-platform) identity structure. * "firmware": An array of firmware identity objects, see [firmware](/nitride/cli/identity/create.md#type-firmware) identity structure. * "workload": A workload identity object, see [workload](/nitride/cli/identity/create.md#type-workload) identity structure. * "metadata": (Optional) Additional metadata for the policy. ### Register the policy **Example:** ```bash vhsm nitride policy create @policy.json ``` The `@policy.json` syntax ensures that the CLI can read and embed the file contents directly into the request. **Output** ``` Key Value --- ----- created 1742820324 identities map[firmware:[map[name:azure-dc2asv5 policy:]] metadata: platform:[map[name:amd-sev-snp-milan-vcek policy:]] provider:azure-sev-snp-vtpm workload:] name nitride-policy ``` ### Verify that the policy was created **Example**: ``` vhsm nitride policy list -namespace=test ``` **Output** ``` Keys ---- aws-c6a.large azure-dc2asv5-raw gcp-small nitride-policy ``` You can also reference this policy in your `attestation.json` to bind it to specific identities. For more information, about updating, reading, or deleting policies, see[ vHSM Nitride CLI.](/nitride/cli/policy.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.enclaive.cloud/nitride/tutorials/attestation-blueprint/create-policy.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.