auto_auth

Learn about the various parameters in the auto_auth block of the configuration file.

Example: auto_auth

auto_auth {
  method "nitride" {
    # The path where the auth backend is mounted on the vHSM server
    mount_path = "ratls"

    # Retry configuration: how long to wait between auth attempts
    min_backoff = "1m"
    max_backoff = "2m"

    config = {
      # Confidential VM provider type
      provider = "azure-sev-snp-vtpm"

      # Workload ID registered with the vHSM server
      workload = "de40014e-0d56-409b-8217-75275b3d69d4"
    }
  }

  sink "file" {
    config = {
      # Path to store the vHSM token for other applications to use
      path = "/run/enclaive/vhsm-token"
      # Optional: mode can be specified to control file permissions
      # mode = "0600"
    }
  }

  # Optional parameters for advanced control
  wrap_ttl      = "5m"
  exit_on_error = false
}

Auth Method Block (method)

Defines how the agent authenticates with the vHSM server.

method "nitride" {
  mount_path  = "ratls"
  min_backoff = "1m"
  max_backoff = "2m"

  config = {
    provider = "azure-sev-snp-vtpm"
    workload = "de40014e-0d56-409b-8217-75275b3d69d4"
  }
}

  • method "nitride" block (Block, Required) Defines the authentication method the agent uses. Here it is nitride, which is required for vHSM SEV-SNP attestation.

  • mount_path (String, Optional) Specifies where the authentication method is mounted on the vHSM server. Commonly set to ratls. This path tells the agent where to send login requests.

  • min_backoff and max_backoff (Duration string, Optional) Configure retry behavior if authentication fails.

    • min_backoff: Initial wait time before retrying (e.g., "1m").

    • max_backoff: Maximum wait time between retries (e.g., "2m"). The retry interval grows gradually within this range.

  • config block (Object, Required inside method) Contains method-specific settings for SEV-SNP authentication.

    • provider (String, Required): Specifies the confidential VM provider type (for example, azure-sev-snp-vtpm).

    • workload (String, Required): Identifies the workload UUID registered with the vHSM server. These values allow the agent to prove its identity and request a token.

Sink Block (sink)

Defines where the token is written after authentication. At least one sink is required.

sink "file" {
  config = {
    path = "/run/enclaive/vhsm-token"
    # mode = "0600"
  }
}

  • sink "file" block (Block, At least one required) Defines where the authentication token is written. Here, the sink is of type "file", which writes the token to a local file.

  • path (String, Required inside sink config) Specifies the filesystem path where the token will be stored (e.g., /run/enclaive/vhsm-token).

  • mode (String, Optional inside sink config) File permission mode to apply to the token file (for example, "0600"). If not set, system defaults are used.

Optional Parameters

These parameters apply globally to the auto_auth block.

wrap_ttl      = "5m"
exit_on_error = false

  • wrap_ttl (Duration, Optional) Wraps the response token with a limited TTL. This means the raw token details are hidden and only a wrapped response is exposed. Usually not needed for local file sinks.

  • exit_on_error (Boolean, Optional) Determines how the agent behaves on permanent authentication failure.

    • true: The agent exits immediately.

    • false: The agent keeps retrying indefinitely. This is the default.
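As an added example (not part of this page or of the agent itself), the following Python check applies the rules above to an auto_auth block that has already been loaded into nested dicts and lists, the way an HCL loader would present it. It flags missing required settings, a workload that is not a UUID, a min_backoff larger than max_backoff, and a sink mode that leaves the token readable by other local accounts; the sample structure is constructed from this page's example.

```python
import re
import uuid

# Constructed sample: this page's auto_auth block as a loader would hand it over.
AUTO_AUTH = {
    "method": {"nitride": {
        "mount_path": "ratls", "min_backoff": "1m", "max_backoff": "2m",
        "config": {"provider": "azure-sev-snp-vtpm",
                   "workload": "de40014e-0d56-409b-8217-75275b3d69d4"}}},
    "sink": [{"file": {"config": {"path": "/run/enclaive/vhsm-token", "mode": "0600"}}}],
}
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}

def parse_duration(text):
    """Convert a duration string such as "1m" or "90s" into seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h)", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def validate_auto_auth(cfg):
    """Return the problems found in an auto_auth block; empty means it passes."""
    problems = []
    method = cfg.get("method", {}).get("nitride")
    if method is None:
        problems.append('method "nitride" block is required')
    else:
        mcfg = method.get("config", {})
        for key in ("provider", "workload"):
            if key not in mcfg:
                problems.append(f"method config: {key} is required")
        if "workload" in mcfg:
            try:
                uuid.UUID(str(mcfg["workload"]))
            except ValueError:
                problems.append("method config: workload is not a UUID")
        lo, hi = method.get("min_backoff"), method.get("max_backoff")
        if lo and hi and parse_duration(lo) > parse_duration(hi):
            problems.append("min_backoff must not exceed max_backoff")
    sinks = cfg.get("sink") or []
    if not sinks:
        problems.append("at least one sink is required")
    for sink in sinks:
        scfg = sink.get("file", {}).get("config", {})
        if "path" not in scfg:
            problems.append('sink "file": path is required')
        mode = scfg.get("mode")
        # A token file readable by group or other can be reused by any local account.
        if mode is not None and int(mode, 8) & 0o077:
            problems.append(f'sink "file": mode {mode} grants group/other access')
    return problems
```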
