Nitride
List Nitride identities, attestations, and policies

Learn to list the default identities, attestations, and policies

This tutorial walks you through the steps to list the essential Nitride identities: platform, firmware, and workload. These identities are created when you enable remote attestation with the vhsm nitride init command, which performs a series of operations to configure and secure your environment:

  1. Creates the essential Nitride identities: platform, firmware, and workload.

  2. Creates and attaches a Nitride policy from an embedded policy configuration.

  3. Generates attestation objects based on your setup.

  4. Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.

Prerequisites

  • Install and configure Nitride.

  • Install vHSM CLI.

  • Install curl and jq tools.

  • Log in as the root user to use the vHSM CLI tool, or use the root token of the vHSM instance with curl.

To list the Nitride identities:

  1. Use curl or the vHSM CLI to fetch the list of identities from the vHSM server. Ensure that you replace <root-token> with the actual root token of the vHSM server.

vhsm nitride identity list
curl -X GET "http://localhost:8200/v1/auth/ratls/identities/?list=true" \
    -H "Authorization: Bearer <root-token>" | jq

The output is similar to the following (the CLI output first, then the curl response):

Keys
----
firmware/
platform/
workload/
{
  "request_id": "aeb3dafc-c896-70f5-dbdd-227b19f74a4b",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "firmware/",
      "platform/",
      "workload/"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
  2. List the identities for firmware:

vhsm nitride identity list /firmware
curl -X GET "http://localhost:8200/v1/auth/ratls/identities/firmware?list=true" \
    -H "Authorization: Bearer <root-token>" | jq

The output is similar to the following (the CLI output first, then the curl response):

Keys
----
aws-c6a.large/
azure-dc2asv5/
gcp-small/
local-test/
{
  "request_id": "2efd0320-4c9c-63a8-d1b9-389508db195c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "aws-c6a.large/",
      "azure-dc2asv5/",
      "gcp-small/",
      "local-test/"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
  3. List the identities for platform:

vhsm nitride identity list /platform
curl -X GET "http://localhost:8200/v1/auth/ratls/identities/platform?list=true" \
    -H "Authorization: Bearer <root-token>" | jq

The output is similar to the following (the CLI output first, then the curl response):

Keys
----
amd-sev-snp-genoa-vcek/
amd-sev-snp-genoa-vlek/
amd-sev-snp-milan-vcek/
amd-sev-snp-milan-vlek/
{
  "request_id": "9923337a-e613-6d54-c3bb-ab1c671e227e",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "amd-sev-snp-genoa-vcek/",
      "amd-sev-snp-genoa-vlek/",
      "amd-sev-snp-milan-vcek/",
      "amd-sev-snp-milan-vlek/"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
  4. List the identities for workload:

vhsm nitride identity list /workload
curl -X GET "http://localhost:8200/v1/auth/ratls/identities/workload?list=true" \
    -H "Authorization: Bearer <root-token>" | jq

The output is similar to the following (the CLI output first, then the curl response):

Keys
----
vtpm-ubuntu/
{
  "request_id": "4cd6601a-c4b9-6c3e-28bb-6b6de64ba43b",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "vtpm-ubuntu/"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Output Description

Field            Description

request_id       A unique identifier the API assigns to your specific request. It is useful for tracking or debugging on the server side.

lease_id         Relates to token leasing in secrets management systems. For this list operation it is empty, indicating no associated lease.

renewable        Whether an associated lease can be renewed. For this list operation it is false, because there is no lease to renew.

lease_duration   The duration of an associated lease. For this list operation it is zero, indicating no associated time limit.

data             The object that contains the information you requested.

keys             An array of the keys under the path you listed: the identity types at the root, or the identity names under a given type.

wrap_info        Used for response wrapping, a security feature. It is null here, meaning the response is not wrapped.

warnings         An array of non-critical warnings related to your request. It is null here, indicating no warnings.

auth             Authentication-related information, if applicable. It is null here.
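The four list calls from the steps above, combined with the envelope handling the Output Description table implies, in one script. This is an added example, not code from the Nitride documentation or the vhsm tool. It assumes the list endpoint and response shape shown on this page, reads the server address and token from VHSM_ADDR and VHSM_TOKEN environment variables (both assumed names), and embeds constructed sample responses so it can be run offline without a vHSM server.

```python
"""Enumerate Nitride identities through the vHSM list API.

Added example (not part of the Nitride documentation or the vhsm CLI).
Assumes the endpoint shown in the tutorial,
GET <addr>/v1/auth/ratls/identities/<path>?list=true, and a response
envelope whose data.keys array holds the listed entries.
"""
import json
import os
import urllib.request

# Assumed environment variables; the tutorial uses http://localhost:8200 directly.
VHSM_ADDR = os.environ.get("VHSM_ADDR", "http://localhost:8200")
IDENTITIES_BASE = "/v1/auth/ratls/identities/"


def fetch_list(path, token):
    """GET the list endpoint for `path` ("" for the root) and return the parsed envelope."""
    url = f"{VHSM_ADDR}{IDENTITIES_BASE}{path}?list=true"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def keys_from_envelope(envelope):
    """Pull data.keys out of a vHSM response and surface any warnings.

    The envelope fields (request_id, lease_*, wrap_info, warnings, auth) are the
    ones in the Output Description table; warnings are non-critical, so they are
    returned rather than raised, while a missing data.keys is treated as an error.
    """
    warnings = envelope.get("warnings") or []
    keys = (envelope.get("data") or {}).get("keys")
    if not isinstance(keys, list):
        raise ValueError(f"no data.keys in response {envelope.get('request_id')!r}")
    return keys, warnings


def list_all_identities(token, lister=None):
    """Run the tutorial's four list calls in one pass: the root, then each identity type.

    Returns ({identity_type: [identity_name, ...]}, [warning, ...]).
    `lister(path)` returns the envelope for a path; it defaults to the live HTTP
    fetch and can be swapped for a constructed responder (see sample_lister below).
    """
    if lister is None:
        lister = lambda path: fetch_list(path, token)
    inventory, all_warnings = {}, []
    type_keys, warnings = keys_from_envelope(lister(""))
    all_warnings.extend(warnings)
    for type_key in type_keys:
        if not type_key.endswith("/"):
            continue  # only keys with a trailing slash are types that can be listed further
        identity_type = type_key.rstrip("/")
        names, warnings = keys_from_envelope(lister(identity_type))
        all_warnings.extend(warnings)
        inventory[identity_type] = [name.rstrip("/") for name in names]
    return inventory, all_warnings


def envelope(keys, request_id, warnings=None):
    """Build a constructed envelope with the same fields as the tutorial output."""
    return {
        "request_id": request_id, "lease_id": "", "renewable": False,
        "lease_duration": 0, "data": {"keys": keys},
        "wrap_info": None, "warnings": warnings, "auth": None,
    }


# Constructed sample responses: the keys mirror the tutorial output, while the
# request_ids and the warning are made up for the offline run.
SAMPLE_RESPONSES = {
    "": envelope(["firmware/", "platform/", "workload/"], "sample-root"),
    "firmware": envelope(["aws-c6a.large/", "azure-dc2asv5/", "gcp-small/", "local-test/"], "sample-fw"),
    "platform": envelope(["amd-sev-snp-genoa-vcek/", "amd-sev-snp-genoa-vlek/",
                          "amd-sev-snp-milan-vcek/", "amd-sev-snp-milan-vlek/"], "sample-pf"),
    "workload": envelope(["vtpm-ubuntu/"], "sample-wl", warnings=["constructed sample warning"]),
}


def sample_lister(path):
    """Offline stand-in for fetch_list that serves the constructed responses."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    token = os.environ.get("VHSM_TOKEN")  # assumed variable; without it the offline sample is used
    inventory, warnings = list_all_identities(token or "", None if token else sample_lister)
    for identity_type, names in inventory.items():
        print(f"{identity_type}: {', '.join(names)}")
    for warning in warnings:
        print(f"warning: {warning}")
```

With VHSM_TOKEN set the script performs the same GET requests as the curl commands above against VHSM_ADDR; without it, the constructed responses are served, which is also how you would unit-test the inventory logic in CI without a live vHSM.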

To learn more about how to create an identity or a policy for your environment, see Create or update identities and Create or update policies.

Last updated 11 days ago
