# auto\_auth

#### Example: `auto_auth`

```hcl
auto_auth {
  method "nitride" {
    # The path where the auth backend is mounted on the vHSM server
    mount_path = "ratls"

    # Retry configuration: how long to wait between auth attempts
    min_backoff = "1m"
    max_backoff = "2m"

    config = {
      # Confidential VM provider type
      provider = "azure-sev-snp-vtpm"

      # Workload ID registered with the vHSM server
      workload = "de40014e-0d56-409b-8217-75275b3d69d4"
    }
  }

  sink "file" {
    config = {
      # Path to store the vHSM token for other applications to use
      path = "/run/enclaive/vhsm-token"
      # Optional: mode can be specified to control file permissions
      # mode = "0600"
    }
  }

  # Optional parameters for advanced control
  wrap_ttl      = "5m"
  exit_on_error = false
}
```

### Auth Method Block (`method`)

Defines how the agent authenticates with the vHSM server.

```hcl
method "nitride" {
  mount_path  = "ratls"
  min_backoff = "1m"
  max_backoff = "2m"

  config = {
    provider = "azure-sev-snp-vtpm"
    workload = "de40014e-0d56-409b-8217-75275b3d69d4"
  }
}
```

* **`method "nitride"` block** *(Block, Required)*\
  Defines the authentication method the agent uses. Here it is `nitride`, which is required for **vHSM SEV-SNP attestation.**
* **`mount_path`** *(String, Optional)*\
  Specifies where the authentication method is mounted on the vHSM server. Commonly set to `ratls`. This path tells the agent where to send login requests.
* **`min_backoff`** and **`max_backoff`** *(Duration string, Optional)*\
  Configure retry behavior if authentication fails.
  * **`min_backoff`**: Initial wait time before retrying (e.g., `"1m"`).
  * **`max_backoff`**: Maximum wait time between retries (e.g., `"2m"`).\
    The retry interval grows gradually within this range.
* **`config` block** *(Object, Required inside method)*\
  Contains method-specific settings for SEV-SNP authentication.
  * **`provider`** *(String, Required)*: Specifies the confidential VM provider type (for example, `azure-sev-snp-vtpm`).
  * **`workload`** *(String, Required)*: Identifies the workload UUID registered with the vHSM server.\
    These values allow the agent to prove its identity and request a token.

### Sink Block (`sink`)

Defines where the token is written after authentication. At least one sink is required.

```hcl
sink "file" {
  config = {
    path = "/run/enclaive/vhsm-token"
    # mode = "0600"
  }
}
```

* **`sink "file"` block** *(Block, At least one required)*\
  Defines where the authentication token is written. Here, the sink is of type `"file"`, which writes the token to a local file.
* **`path`** *(String, Required inside sink config)*\
  Specifies the filesystem path where the token will be stored (e.g., `/run/enclaive/vhsm-token`).
* **`mode`** *(String, Optional inside sink config)*\
  File permission mode to apply to the token file (for example, `"0600"`). If not set, system defaults are used.
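
An added example, not taken from the vHSM documentation: because an unset `mode` falls back to system defaults, this shell function checks that the token file written by the sink is a regular file accessible only to its owner, in a directory others cannot write to. It assumes GNU `stat` on Linux; `check_token_sink` is a hypothetical name.

```shell
#!/bin/sh
# Added example: audit the file written by a `sink "file"` block.
# Assumes GNU coreutils `stat` (Linux); check_token_sink is a hypothetical helper name.
# Usage: check_token_sink /run/enclaive/vhsm-token

check_token_sink() {
  token_path="${1:-/run/enclaive/vhsm-token}"   # default is the path used on this page

  # A symlink could redirect readers of the token to a file someone else controls.
  if [ -L "$token_path" ]; then
    echo "FAIL: $token_path is a symlink"; return 1
  fi
  if [ ! -f "$token_path" ]; then
    echo "FAIL: $token_path is missing or not a regular file"; return 1
  fi

  # Octal permission bits, e.g. 600 or 644.
  fmode=$(stat -c '%a' "$token_path") || return 1
  # Any group/other bit means more than the owning user can reach the token.
  if [ $(( 0$fmode & 077 )) -ne 0 ]; then
    echo "FAIL: $token_path has mode $fmode, expected 0600 or stricter"; return 1
  fi

  # A directory writable by others (without the sticky bit) lets them
  # replace the token file even when the file itself is 0600.
  parent=$(dirname "$token_path")
  dmode=$(stat -c '%a' "$parent") || return 1
  if [ $(( 0$dmode & 002 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
    echo "FAIL: $parent is world-writable (mode $dmode)"; return 1
  fi

  echo "OK: $token_path mode $fmode, owner $(stat -c '%U' "$token_path")"
  return 0
}
```

The function returns 0 only when every check passes, so it can gate the start of any application that reads the token.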

### Optional Parameters

These parameters apply globally to the `auto_auth` block.

```hcl
wrap_ttl      = "5m"
exit_on_error = false
```

* **`wrap_ttl`** *(Duration, Optional)*\
  Wraps the response token with a limited TTL. This means the raw token details are hidden and only a wrapped response is exposed. Usually not needed for local file sinks.
* **`exit_on_error`** *(Boolean, Optional)*\
  Determines how the agent behaves on permanent authentication failure.
  * `true`: The agent exits immediately.
  * `false`: The agent keeps retrying indefinitely. This is the default.


