quickstart-azure-cli.md

Latest commit 7e303ca · Mar 18, 2022
---
title: Set up Azure Attestation with Azure CLI
description: How to set up and configure an attestation provider using Azure CLI.
services: attestation
author: msmbaldwin
ms.service: attestation
ms.topic: quickstart
ms.date: 11/20/2020
ms.author: mbaldwin
ms.custom: mode-api, devx-track-azurecli
ms.devlang: azurecli
---

Quickstart: Set up Azure Attestation with Azure CLI

Get started with Azure Attestation by using Azure CLI.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Get started

  1. Install the attestation extension with the following CLI command:

    az extension add --name attestation
    
  2. Check the installed extension version:

    az extension show --name attestation --query version
    
  3. Use the following command to sign into Azure:

    az login
    
  4. If needed, switch to the subscription for Azure Attestation:

    az account set --subscription 00000000-0000-0000-0000-000000000000
    
  5. Register the Microsoft.Attestation resource provider in the subscription with the az provider register command:

    az provider register --name Microsoft.Attestation
    

    For more information about Azure resource providers, and how to configure and manage them, see Azure resource providers and types.

    [!NOTE] You only need to register a resource provider once for a subscription.

  6. Create a resource group for the attestation provider. You can put other Azure resources in the same resource group, including a virtual machine with a client application instance. Run the az group create command to create a resource group, or use an existing resource group:

    az group create --name attestationrg --location uksouth
    

Create and manage an attestation provider

Here are commands you can use to create and manage the attestation provider:

  1. Run the az attestation create command to create an attestation provider without a policy signing requirement (no policy signing certificates are configured, so policies can be set unsigned):

    az attestation create --name "myattestationprovider" --resource-group "MyResourceGroup" --location westus
    
  2. Run the az attestation show command to retrieve attestation provider properties such as status and AttestURI:

    az attestation show --name "myattestationprovider" --resource-group "MyResourceGroup"
    

    This command displays values like the following output:

    Id:/subscriptions/MySubscriptionID/resourceGroups/MyResourceGroup/providers/Microsoft.Attestation/attestationProviders/MyAttestationProvider
    Location: MyLocation
    ResourceGroupName: MyResourceGroup
    Name: MyAttestationProvider
    Status: Ready
    TrustModel: AAD
    AttestUri: https://MyAttestationProvider.us.attest.azure.net
    Tags:
    TagsTable:
    

You can delete an attestation provider by using the az attestation delete command:

az attestation delete --name "myattestationprovider" --resource-group "sample-resource-group"

Policy management

Use the commands described here to manage the policy of an attestation provider, one attestation type at a time.

The az attestation policy show command returns the current policy for the specified TEE:

az attestation policy show --name "myattestationprovider" --resource-group "MyResourceGroup" --attestation-type SGX-IntelSDK

Note

The command displays the policy in both text and JWT format.

The following are supported TEE types:

  • SGX-IntelSDK
  • SGX-OpenEnclaveSDK
  • TPM

Use the az attestation policy set command to set a new policy for the specified attestation type.

To set a policy in text format for a given attestation type from a file path:

az attestation policy set --name testatt1 --resource-group testrg --attestation-type SGX-IntelSDK --new-attestation-policy-file "{file_path}"

To set a policy in JWT format for a given attestation type from a file path:

az attestation policy set --name "myattestationprovider" --resource-group "MyResourceGroup" \
--attestation-type SGX-IntelSDK -f "{file_path}" --policy-format JWT
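The following shell helpers are an added example, not part of this quickstart or of the Azure CLI extension. They tie together the two steps above: reading the `az attestation show` output (a constructed copy of the sample output is embedded, so nothing calls `az`) and choosing the `--policy-format` value for `az attestation policy set` by inspecting the policy file; the `Text` value for `--policy-format` is assumed to be the extension's default alongside the `JWT` value shown on the page.

```shell
#!/usr/bin/env sh
# Added example (not Microsoft's code): helpers around the az attestation commands
# in this quickstart. No az call is made; the sample output below is constructed
# to mirror the `az attestation show` output shown in the quickstart.

SAMPLE_SHOW_OUTPUT="Id:/subscriptions/MySubscriptionID/resourceGroups/MyResourceGroup/providers/Microsoft.Attestation/attestationProviders/MyAttestationProvider
Location: MyLocation
ResourceGroupName: MyResourceGroup
Name: MyAttestationProvider
Status: Ready
TrustModel: AAD
AttestUri: https://MyAttestationProvider.us.attest.azure.net"

# Print the AttestUri from `az attestation show` output, but only when the
# provider reports Status: Ready. Otherwise print nothing and return 1, so a
# deployment script never hands a half-provisioned endpoint to clients.
attest_uri_if_ready() {
    status=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status:[[:space:]]*//p')
    [ "$status" = "Ready" ] || return 1
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*AttestUri:[[:space:]]*//p'
}

# Decide the --policy-format value for a policy file. A signed policy is a JWT
# (base64url segments separated by dots, on one line); a policy written in the
# attestation policy language (version= ...; authorizationrules {...}) is Text.
policy_format_for() {
    if grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$' "$1"; then
        echo JWT
    else
        echo Text   # assumed default format name of the extension
    fi
}

# Compose the `az attestation policy set` command for a provider, resource
# group, attestation type and policy file, selecting the format automatically.
# Args: provider-name resource-group attestation-type policy-file
policy_set_cmd() {
    printf 'az attestation policy set --name "%s" --resource-group "%s" --attestation-type %s -f "%s" --policy-format %s\n' \
        "$1" "$2" "$3" "$4" "$(policy_format_for "$4")"
}

# Demonstration on the constructed sample: prints the AttestUri (Status is Ready).
attest_uri_if_ready "$SAMPLE_SHOW_OUTPUT"
```

Run the printed command with `eval` (or paste it) only after `attest_uri_if_ready` succeeds, so policy is applied to a provider that is actually Ready.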

Next steps