Create Policy

Learn to create a policy and register the policy

Note:

If you started Nitride by using the vhsm nitride init command then, it performs a series of operations to configure and secure your environment:

Creates essential Nitride identities, including: platform, firmware, and workload
Creates and attaches a Nitride policy from an embedded policy configuration.
Generates attestation objects based on your setup.
Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.
Ensure that you have set the environment variable: export VAULT_NAMESPACE=test to create a policy in the namespace test.

Create a policy

Create a policy.json file that outlines the actions or capabilities and the resources or paths the identity is allowed to access after successful attestation. To create a policy that is attached to a provider see vhsm nitride policy -help command.

Example: Create a policy.json file using an editor of your choice.

{
    "name": "nitride-policy",
    "identities": {
        "provider": "azure-sev-snp-vtpm",
        "platform": [
            {
                "name": "amd-sev-snp-milan-vcek"
            }
        ],
        "firmware": [
            {
                "name": "azure-dc2as-v5"
            }
        ],
        "workload": {
            "name": "azure-sev-snp-vtpm-ubuntu-jammy",
            "policy": {
                "hash": false,
                "pcrs.0": false
            }
        },
        "metadata": null
    }
}

Where:

"name": A string uniquely identifying the policy.
"identities": An object specifying the required identities for this policy.
"provider": The provider identity. For example, azure-sev-snp-vtpm.
"platform": An array of platform identity objects, see platform identity structure.
"firmware": An array of firmware identity objects, see firmware identity structure.
"workload": A workload identity object, see workload identity structure.
"metadata": (Optional) Additional metadata for the policy.

Register the policy

Example:

vhsm nitride policy create @policy.json

The @policy.json syntax ensures that the CLI can read and embed the file contents directly into the request.

Output

Key           Value
---           -----
created       1742820324
identities    map[firmware:[map[name:azure-dc2asv5 policy:<nil>]] metadata:<nil> platform:[map[name:amd-sev-snp-milan-vcek policy:<nil>]] provider:azure-sev-snp-vtpm workload:<nil>]
name          nitride-policy

Verify that the policy was created

Example:

vhsm nitride policy list -namespace=test

Output

Keys
----
aws-c6a.large
azure-dc2asv5-raw
gcp-small
nitride-policy

You can also reference this policy in your attestation.json to bind it to specific identities. For more information, about updating, reading, or deleting policies, see vHSM Nitride CLI.

Last updated 5 months ago

Was this helpful?