# auto\_auth

## Example: `auto_auth`

```hcl
auto_auth {
  method "nitride" {
    # The path where the auth backend is mounted on the vHSM server
    mount_path = "ratls"

    # Retry configuration: how long to wait between auth attempts
    min_backoff = "1m"
    max_backoff = "2m"

    config = {
      # Confidential VM provider type
      provider = "azure-sev-snp-vtpm"

      # Workload ID registered with the vHSM server
      workload = "de40014e-0d56-409b-8217-75275b3d69d4"
    }
  }

  sink "file" {
    config = {
      # Path to store the vHSM token for other applications to use
      path = "/run/enclaive/vhsm-token"
      # Optional: mode can be specified to control file permissions
      # mode = "0600"
    }
  }

  # Optional parameters for advanced control
  wrap_ttl      = "5m"
  exit_on_error = false
}
```

## Auth Method Block (`method`)

Defines how the agent authenticates with the vHSM server.

```hcl
method "nitride" {
  mount_path  = "ratls"
  min_backoff = "1m"
  max_backoff = "2m"

  config = {
    provider = "azure-sev-snp-vtpm"
    workload = "de40014e-0d56-409b-8217-75275b3d69d4"
  }
}
```

* **`method "nitride"` block** *(Block, Required)*\
  Defines the authentication method the agent uses. Here it is `nitride`, which is required for **vHSM SEV-SNP attestation**.
* **`mount_path`** *(String, Optional)*\
  Specifies where the authentication method is mounted on the vHSM server. Commonly set to `ratls`. This path tells the agent where to send login requests.
* **`min_backoff`** and **`max_backoff`** *(Duration string, Optional)*\
  Configure retry behavior if authentication fails.
  * **`min_backoff`**: Initial wait time before retrying (e.g., `"1m"`).
  * **`max_backoff`**: Maximum wait time between retries (e.g., `"2m"`).\
    The retry interval grows gradually within this range.
* **`config` block** *(Object, Required inside method)*\
  Contains method-specific settings for SEV-SNP authentication.
  * **`provider`** *(String, Required)*: Specifies the confidential VM provider type (for example, `azure-sev-snp-vtpm`).
  * **`workload`** *(String, Required)*: Identifies the workload UUID registered with the vHSM server.\
    These values allow the agent to prove its identity and request a token.
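The retry behaviour above can be made concrete. The following added example (not part of enclaive's agent code) simulates a capped exponential backoff: it assumes the agent waits `min_backoff` after the first failure, doubles the wait after each further failure, and never waits longer than `max_backoff`. The page only says the interval "grows gradually within this range", so the doubling and the absence of jitter are assumptions; the duration parser accepts Go-style strings such as `1m`, `90s` or `1h30m`, and the schedule function rejects a configuration where `max_backoff` is shorter than `min_backoff`, which is the mistake most worth catching before deploying the config.

```python
import re

# Seconds per unit for Go-style duration strings ("1h30m", "2m", "45s").
_UNITS = {"h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)([hms])")


def parse_duration(text: str) -> float:
    """Parse a duration string like "1m", "90s" or "1h30m" into seconds.

    Raises ValueError for anything that is not a sequence of <number><unit> parts.
    """
    if not text or not re.fullmatch(r"(?:\d+(?:\.\d+)?[hms])+", text):
        raise ValueError(f"invalid duration: {text!r}")
    return sum(float(n) * _UNITS[u] for n, u in _TOKEN.findall(text))


def backoff_schedule(min_backoff: str, max_backoff: str, attempts: int) -> list[float]:
    """Return the wait (in seconds) before each of `attempts` retries.

    Assumed policy (not stated on the page): start at min_backoff, double after
    every failed attempt, cap at max_backoff.
    """
    lo = parse_duration(min_backoff)
    hi = parse_duration(max_backoff)
    if lo <= 0:
        raise ValueError("min_backoff must be positive")
    if hi < lo:
        raise ValueError(f"max_backoff ({max_backoff}) must not be shorter than min_backoff ({min_backoff})")
    delays = []
    wait = lo
    for _ in range(attempts):
        delays.append(wait)
        wait = min(wait * 2, hi)
    return delays


def time_until_exhausted(min_backoff: str, max_backoff: str, attempts: int) -> float:
    """Total seconds the agent spends waiting across `attempts` failed logins."""
    return sum(backoff_schedule(min_backoff, max_backoff, attempts))


if __name__ == "__main__":
    # Values from the example config on this page: min_backoff = "1m", max_backoff = "2m".
    for i, delay in enumerate(backoff_schedule("1m", "2m", 4), start=1):
        print(f"retry {i}: wait {delay:.0f}s")
    print(f"total wait over 4 retries: {time_until_exhausted('1m', '2m', 4):.0f}s")
```

With the page's values the schedule is 60 s, then 120 s for every later retry, because the cap is reached after one doubling; widening `max_backoff` is what lets the interval keep growing.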

## Sink Block (`sink`)

Defines where the token is written after authentication. At least one sink is required.

```hcl
sink "file" {
  config = {
    path = "/run/enclaive/vhsm-token"
    # mode = "0600"
  }
}
```

* **`sink "file"` block** *(Block, At least one required)*\
  Defines where the authentication token is written. Here, the sink is of type `"file"`, which writes the token to a local file.
* **`path`** *(String, Required inside sink config)*\
  Specifies the filesystem path where the token will be stored (e.g., `/run/enclaive/vhsm-token`).
* **`mode`** *(String, Optional inside sink config)*\
  File permission mode to apply to the token file (for example, `"0600"`). If not set, system defaults are used.
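Because the sink file holds a live vHSM token, anything that consumes it should check the file before trusting it. The following added Python example (not part of enclaive's agent) shows what such a consumer-side check looks like: it refuses symlinks and non-regular files, flags a token file that is group- or world-readable (anything looser than the `mode = "0600"` the page recommends), and only then reads the token. The `write_sample_sink` helper, the temporary directory and the token value are constructed for the demo; the real sink path on the page is `/run/enclaive/vhsm-token`.

```python
import os
import stat
import tempfile

# Any of these bits set on the token file means a user other than the owner
# can touch the token, i.e. the mode is looser than 0600.
_GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_token_file(path: str) -> list[str]:
    """Return a list of problems with the sink file; an empty list means it is safe to read."""
    try:
        st = os.lstat(path)  # lstat so a symlink is reported rather than followed
    except FileNotFoundError:
        return [f"{path}: missing (agent has not authenticated yet, or the sink path is wrong)"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink; the file sink should write a regular file"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_mode & _GROUP_OR_OTHER:
        problems.append(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access; "
            'set mode = "0600" in the sink config'
        )
    if st.st_size == 0:
        problems.append(f"{path}: empty; token not written yet")
    return problems


def read_token(path: str) -> str:
    """Read the token only if the sink file passes every check above."""
    problems = check_token_file(path)
    if problems:
        raise PermissionError("; ".join(problems))
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def write_sample_sink(directory: str, token: str, mode: int) -> str:
    """Constructed stand-in for the agent's file sink: write a token file with an explicit mode."""
    path = os.path.join(directory, "vhsm-token")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(token + "\n")
    os.chmod(path, mode)  # apply the requested mode regardless of the process umask
    return path


def demo() -> tuple[list[str], str]:
    """Write a too-permissive token file, collect the findings, tighten it, then read it."""
    with tempfile.TemporaryDirectory() as d:
        path = write_sample_sink(d, "hvs.CONSTRUCTED-SAMPLE-TOKEN", 0o644)
        findings = check_token_file(path)  # expect one finding about mode 0644
        os.chmod(path, 0o600)              # what `mode = "0600"` in the sink config gives you
        return findings, read_token(path)


if __name__ == "__main__":
    findings, token = demo()
    for f in findings:
        print("finding:", f)
    print("token read after tightening mode:", token)
```

The check is deliberately done with `lstat` on the configured path rather than on an already-opened descriptor, so a symlink planted at the sink location is reported instead of silently followed; if the agent runs as a different user than the consumer, `0600` will make the read fail, which is the point at which to fix ownership rather than loosen the mode.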

## Optional Parameters

These parameters apply globally to the `auto_auth` block.

```hcl
wrap_ttl      = "5m"
exit_on_error = false
```

* **`wrap_ttl`** *(Duration, Optional)*\
  Wraps the login response in a wrapping token that expires after the given TTL. The sink then receives the wrapped response rather than the raw token, so the token itself is not exposed on disk. Usually not needed for local file sinks.
* **`exit_on_error`** *(Boolean, Optional)*\
  Determines how the agent behaves on permanent authentication failure.
  * `true`: The agent exits immediately.
  * `false` (the default): The agent keeps retrying indefinitely.
