
# Provisioning MariaDB Password on Azure DCXas\_v5 VM

Confidential computing gives a workload running in an enclave a unique, measurable identity. Nitride builds workload identity management on that idea: instead of a user logging in with credentials, a Buckypaper VM proves who it is by attestation, and Nitride, acting as the workload identity provider, checks that evidence against a policy before the VM is granted access to the Vault key management service. Nitride policies therefore define both which measurements count as a valid workload identity and what that identity is allowed to access.

The Buckypaper secret engine in vHSM is enabled by default on [vault.enclaive.cloud](https://vault.enclaive.cloud/). You can use this vHSM to generate, store, and manage cryptographic keys. If you run your own vHSM instance, see [Registering a buckypaper plugin](/virtual-hsm/tutorials/registering-a-buckypaper-plugin.md) to enable the engine first.

#### Prerequisites

* Create a [Buckypaper VM](https://docs.enclaive.cloud/enclaive-multi-cloud-platform/tutorials/buckypaper/create-a-buckypaper-vm) on Azure using a DCXas\_v5 VM size
* Install Docker in the Buckypaper VM
* Install the [vHSM CLI](/virtual-hsm/documentation/setup/installation.md#downloading-the-cli) in the Buckypaper VM
* To generate a dynamic secret for MariaDB, log in to [vault.enclaive.cloud](https://vault.enclaive.cloud/) or to a vHSM server with the Buckypaper plugin enabled, and authenticate with your credentials
* [Install vHSM](/virtual-hsm/documentation/setup/installation.md#installing-vhsm) on your local computer if you use your own vHSM instance for attestation

To attest and provision a MariaDB password on an Azure DCXas\_v5 virtual machine:

1. [Create and Verify the attestation](#create-and-verify-the-attestation)
2. [Generate a dynamic secret](#generate-a-dynamic-secret-for-mariadb)
3. [Start a MariaDB container](#start-a-mariadb-container)

{% hint style="info" %}
**Note:** If you are using your own instance of the vHSM server, set up the default authentication, identities, and policies first with the command: `vhsm nitride init`
{% endhint %}

### **Create and Verify the attestation**

Perform these steps in the Buckypaper virtual machine to create the attestation and obtain the login token.

1. As a vHSM-Nitride admin or user, create an `attestation.json` file with the following content. The `policy` field names the Nitride policy that the VM's measurements must satisfy for attestation to succeed.

```json
{
  "name": "Azure MariaDB",
  "description": "A small Azure VM running MariaDB",
  "events": "http://localhost:8000",
  "policy": "azure-dc2asv5-raw"
}
```

2. Create an attestation workload for the provider `azure-sev-snp-vtpm` using: `vhsm nitride attestation create @attestation.json`

The output is similar to:

```
Key            Value
---            -----
created        1743342924
description    A small Azure VM running MariaDB
events         http://localhost:8000
name           Azure MariaDB
namespace      n/a
nonce          n/a
policy         azure-dc2asv5-raw
updated        0
uuid           3baaa53a-3128-473c-9afa-cc7bec68abf3
```

{% hint style="info" %}
**Note**: Make a note of the workload `uuid`; the report step below refers to it.
{% endhint %}

3. Request the attestation report for the provider and obtain the login token using: `vhsm nitride attestation -provider=azure-sev-snp-vtpm report <workload-uuid>`. If the VM's measurements match the policy, the output contains a `token` whose policies (`enclaive-attested` in the example) determine which secrets the VM may read.

The output is similar to:

```
Key                       Value
---                       -----
token                     hvs.CAESIHwVECmidfgE5KgKQgutQjfTFpqEBheHxUS1uYcAZzAgGh4KHGh2cy5ZSVZWbWZtaVo5VU5iMEJxU1dFb0hUckk
token_accessor            bE3QPJX5YRP4ATOEdyx6sFNT
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_measurement    ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_namespace      n/a
token_meta_workload       3baaa53a-3128-473c-9afa-cc7bec68abf3
created                   1743342924
description               A small Azure VM running MariaDB
events                    http://localhost:8000
name                      Azure MariaDB
namespace                 n/a
nonce                     n/a
policy                    azure-dc2asv5-raw
updated                   1743343032
uuid                      3baaa53a-3128-473c-9afa-cc7bec68abf3
```

### **Generate a dynamic secret for MariaDB**

{% hint style="info" %}
**Note**: Use the login token obtained in the Buckypaper VM to access and retrieve secrets from the Buckypaper secret engine. The token is a bearer credential (in the example above it is valid for 768 hours and not renewable), so handle it like a password: do not paste it into tickets, logs, or shared shell histories.
{% endhint %}

Perform these steps in a terminal on the local computer where `VAULT_ADDR` is set to `https://vault.enclaive.cloud/` (or to your own vHSM instance) and the CLI is using the login token from the attestation report, for example exported as `VAULT_TOKEN`.

1. Generate a dynamic secret: `vhsm read buckypaper/data/workload/env/MARIADB_PASSWORD dynamic=true`. The output is similar to:

```
Key         Value
---         -----
data        map[value:WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA]
metadata    map[created_time:2025-03-31T10:57:38.182817117Z custom_metadata:<nil> deletion_time: destroyed:false version:1]
```

{% hint style="info" %}
**Note**: The value shown under the `data` key represents the dynamically created secret. In this example, the secret is **WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA**.
{% endhint %}

### Start a MariaDB container

1. Start a Docker container running MariaDB, passing the secret from the previous step as the root password in place of `<secret>`. Note that a value passed with `-e` is readable by anyone who can run `docker inspect` on the host, and the literal password also ends up in your shell history, so use this form for a quick test rather than for a long-lived deployment.

```bash
docker run -d --name mariadb \
    -e MARIADB_ROOT_PASSWORD=<secret> \
    mariadb:latest
```

2. Verify that the password is set by opening a client session inside the container (again, `<secret>` is the value from the previous step):

```bash
docker exec -it mariadb mariadb -p<secret>
```

**Example Output:**

```
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 11.7.2-MariaDB-ubu2404 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
```

You have successfully attested a Virtual Machine and generated a MariaDB password using the Buckypaper secrets engine.
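The script below is an added example, not a script from the enclaive documentation or the vHSM project. It chains the attestation steps and the secret-provisioning steps above into one run, parses the Key/Value tables the CLI prints, and hands the generated password to MariaDB through a file rather than on the command line. It assumes (none of this is stated on the page) that `vhsm` and `docker` are on `PATH`, that `VAULT_ADDR` points at the vHSM, that the `vhsm` CLI honours `VAULT_TOKEN` the way Vault does, that `attestation.json` is in the current directory, and that the `mariadb` image supports `MARIADB_ROOT_PASSWORD_FILE` (the official image does). The self-test uses constructed, shortened copies of the outputs shown on this page.

```sh
#!/bin/sh
# Added example (not the enclaive docs' own script): attest the Buckypaper VM,
# read a dynamic MARIADB_PASSWORD with the token that attestation returned, and
# start MariaDB without the password ever appearing on a command line.
# Assumed, not stated on the page: vhsm and docker on PATH, VAULT_ADDR set,
# VAULT_TOKEN honoured by vhsm as in Vault, attestation.json in the current
# directory, MARIADB_ROOT_PASSWORD_FILE supported by the mariadb image.
set -eu

# Print the value of one key from the Key/Value table that vhsm prints.
# Usage: vhsm ... | table_field uuid
table_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Unwrap the "map[value:SECRET]" form shown for the data key of a KV read.
unwrap_value() {
    sed -e 's/^map\[value:\(.*\)]$/\1/'
}

# Register the workload, request the report for the Azure SEV-SNP vTPM provider
# and print the token it returns. The token's policies (enclaive-attested in
# the page's output) decide what the VM may read next.
attest() {
    uuid=$(vhsm nitride attestation create @attestation.json | table_field uuid)
    vhsm nitride attestation -provider=azure-sev-snp-vtpm report "$uuid" | table_field token
}

# Generate the dynamic secret with the attested token and keep it in a private
# file; print the file's path. Only the path, never the value, is passed on.
fetch_secret_file() {
    f=$(mktemp)
    chmod 600 "$f"
    VAULT_TOKEN="$1" vhsm read buckypaper/data/workload/env/MARIADB_PASSWORD dynamic=true \
        | table_field data | unwrap_value > "$f"
    # Refuse to start MariaDB with an empty root password if parsing failed.
    if [ ! -s "$f" ]; then rm -f "$f"; echo "no secret returned" >&2; exit 1; fi
    echo "$f"
}

# Hand the password over as a read-only file. Unlike -e MARIADB_ROOT_PASSWORD,
# the value does not show up in `docker inspect` or in the shell history.
start_mariadb() {
    docker run -d --name mariadb \
        -v "$1":/run/secrets/mariadb_root:ro \
        -e MARIADB_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root \
        mariadb:latest >/dev/null
}

# Log in with the password in the environment of the exec'd client only
# (MYSQL_PWD), retrying while the server finishes its first initialisation.
verify_login() {
    i=0
    until docker exec -e MYSQL_PWD="$(cat "$1")" mariadb \
            mariadb -uroot -e 'SELECT 1' >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "MariaDB did not accept the password" >&2; return 1; }
        sleep 2
    done
}

# Offline self-check of the parsers against constructed copies of the outputs
# shown on this page (token and metadata are shortened placeholders).
selftest() {
    report='Key             Value
---             -----
token           hvs.EXAMPLETOKEN
token_policies  ["default" "enclaive-attested"]'
    read_out='Key         Value
---         -----
data        map[value:WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA]
metadata    map[created_time:2025-03-31T10:57:38Z version:1]'
    [ "$(printf '%s\n' "$report" | table_field token)" = "hvs.EXAMPLETOKEN" ] &&
    [ "$(printf '%s\n' "$read_out" | table_field data | unwrap_value)" = \
      "WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA" ]
}

main() {
    token=$(attest)
    secret_file=$(fetch_secret_file "$token")
    start_mariadb "$secret_file"
    verify_login "$secret_file"
    # The 0600 file stays for the container's lifetime; remove it with the container.
    echo "MariaDB is up with an attested, dynamically generated root password ($secret_file)"
}

# Talk to the vHSM and Docker only when asked, so the file can be sourced for
# its functions or self-tested offline:  ./provision.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `./provision.sh run` on a machine that has both the attested token flow and Docker available; without the argument it only defines the functions, so `selftest` can be called to check the parsers against the page's sample output. The `exit 1` on an empty secret file matters: the MariaDB image would otherwise start with whatever the empty file yields, which is exactly the failure mode a secrets pipeline must refuse.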

