Enable Namespacing

Learn to issue token for namespaces in a vHSM.

Tokens can be issued for namespaces. To enable this feature, use the -namespacing flag. The vhsm nitride init command simplifies the setup of vHSM by automating authentication, identity creation, policy enforcement, and attestation. The namespacing feature allows fine-grained access control across multiple namespaces.

Note:

Namespaced tokens have inlined policies.
The default policy can be overwritten with an HCL policy file.

Enable token namespacing with a policy file:

vhsm nitride init -namespacing @policy.hcl

Alternatively, pipe the policy file:

cat policy.hcl | vhsm nitride init -namespacing

This ensures that child namespaces can have distinct access control policies.

Example Setup with Namespaces

If the vHSM plugin is enabled in the root namespace, while workloads access resources in the GCP and azurenamespaces.

!. Initialize vHSM with token namespacing

vhsm nitride init -namespacing @policy.hcl

Enable authentication in the namespace root

vhsm auth enable -path=ratls ratls

Create identities in the root namespace

vhsm nitride identity create @platform.json
vhsm nitride identity create @firmware.json
vhsm nitride identity create @workload.json

Define policies in each namespace

vhsm nitride policy create @policy.json

Create attestations for each namespace.

Note: You only have one instance of the plugin enabled in root, and namespaces are assigned through the attestation. When you run nitride attestation create, the JSON can contain a namespace field. When this is set to gcp, the token is issued from root for gcp.

vhsm nitride attestation create @attestation.json

With this setup, tokens issued in root can reference and delegate access to workloads running in the gcp , and azurenamespaces. Each namespace can have its own policies and attestations.

Last updated 8 months ago

Was this helpful?