search
DocumentationTutorials

Create Policy

Learn to create a policy and register the policy

circle-info

Note:

If you started Nitride by using the vhsm nitride init command then, it performs a series of operations to configure and secure your environment:

  1. Creates essential Nitride identities, including: platform, firmware, and workload

  2. Creates and attaches a Nitride policy from an embedded policy configuration.

  3. Generates attestation objects based on your setup.

  4. Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.

  5. Ensure that you have set the environment variable: export VAULT_NAMESPACE=test to create a policy in the namespace test.

hashtag
Create a policy

Create a policy.json file that outlines the actions or capabilities and the resources or paths the identity is allowed to access after successful attestation. To create a policy that is attached to a provider see vhsm nitride policy -help command.

Example: Create a policy.json file using an editor of your choice. 

{
    "name": "nitride-policy",
    "identities": {
        "provider": "azure-sev-snp-vtpm",
        "platform": [
            {
                "name": "amd-sev-snp-milan-vcek"
            }
        ],
        "firmware": [
            {
                "name": "azure-dc2as-v5"
            }
        ],
        "workload": {
            "name": "azure-sev-snp-vtpm-ubuntu-jammy",
            "policy": {
                "hash": false,
                "pcrs.0": false
            }
        },
        "metadata": null
    }
}

Where:

  • "name": A string uniquely identifying the policy.

  • "identities": An object specifying the required identities for this policy.

  • "provider": The provider identity. For example, azure-sev-snp-vtpm.

  • "platform": An array of platform identity objects, see platform identity structure.

  • "firmware": An array of firmware identity objects, see firmware identity structure.

  • "workload": A workload identity object, see workload identity structure.

  • "metadata": (Optional) Additional metadata for the policy.

hashtag
Register the policy

Example:

The @policy.json syntax ensures that the CLI can read and embed the file contents directly into the request.

Output

hashtag
Verify that the policy was created

Example:

Output

You can also reference this policy in your attestation.json to bind it to specific identities. For more information, about updating, reading, or deleting policies, see vHSM Nitride CLI.

Last updated

Was this helpful?