Get started with Azure Attestation by using Azure CLI.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Get started
Install the attestation extension with the following CLI command:
az extension add --name attestation
Check the installed version of the extension:
az extension show --name attestation --query version
Use the following command to sign into Azure:
az login
If needed, switch to the subscription for Azure Attestation:
az account set --subscription 00000000-0000-0000-0000-000000000000
Register the Microsoft.Attestation resource provider in the subscription with the az provider register command:
az provider register --name Microsoft.Attestation
For more information about Azure resource providers, and how to configure and manage them, see Azure resource providers and types.
Note
You only need to register a resource provider once for a subscription.
Create a resource group for the attestation provider. You can put other Azure resources in the same resource group, including a virtual machine with a client application instance. Run the az group create command to create a resource group, or use an existing resource group:
az group create --name attestationrg --location uksouth
Create and manage an attestation provider
Here are commands you can use to create and manage the attestation provider:
Run the az attestation create command to create an attestation provider without policy signing requirement:
az attestation create --name "myattestationprovider" --resource-group "MyResourceGroup" --location westus
Run the az attestation show command to retrieve attestation provider properties such as status and AttestURI:
az attestation show --name "myattestationprovider" --resource-group "MyResourceGroup"
This command displays values like the following output:
Id:/subscriptions/MySubscriptionID/resourceGroups/MyResourceGroup/providers/Microsoft.Attestation/attestationProviders/MyAttestationProvider
Location: MyLocation
ResourceGroupName: MyResourceGroup
Name: MyAttestationProvider
Status: Ready
TrustModel: AAD
AttestUri: https://MyAttestationProvider.us.attest.azure.net
Tags:
TagsTable:
You can delete an attestation provider by using the az attestation delete command:
az attestation delete --name "myattestationprovider" --resource-group "sample-resource-group"
Policy management
Use the commands described here to provide policy management for an attestation provider, one attestation type at a time.
The az attestation policy show command returns the current policy for the specified TEE:
az attestation policy show --name "myattestationprovider" --resource-group "MyResourceGroup" --attestation-type SGX-IntelSDK
Note
The command displays the policy in both text and JWT format.
The following are supported TEE types:
SGX-IntelSDK
SGX-OpenEnclaveSDK
TPM
Use the az attestation policy set command to set a new policy for the specified attestation type.
To set a policy in text format for a given attestation type from a file path:
az attestation policy set --name testatt1 --resource-group testrg --attestation-type SGX-IntelSDK --new-attestation-policy-file "{file_path}"
To set a policy in JWT format for a given attestation type from a file path:
az attestation policy set --name "myattestationprovider" --resource-group "MyResourceGroup" \
--attestation-type SGX-IntelSDK -f "{file_path}" --policy-format JWT
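The steps above, from installing the extension through setting and reading back a policy, combined into one script. This is an added example, not code from the page or from the Azure CLI project. Two things in it are assumptions rather than page content: the JSON property name attestUri used with --query (the page's table output shows it as AttestUri), and the policy body written by write_sample_sgx_policy, which is a constructed sample of the Azure Attestation policy grammar that permits only non-debuggable SGX enclaves. The script only talks to Azure when RUN_ATTESTATION_SETUP=1 is set, so it can be sourced and its helper functions exercised without a subscription.

```shell
#!/bin/sh
# Added example: end-to-end Azure Attestation provider setup with the Azure CLI.
# Assumptions (not from the page): the JSON key `attestUri` used with --query,
# and the policy text written by write_sample_sgx_policy, which is a constructed
# sample of the Azure Attestation policy grammar.
set -eu

# Supported TEE types as listed on the page. Anything else is rejected before
# the CLI is called, so a typo cannot be applied to the wrong attestation type.
validate_attestation_type() {
    case "$1" in
        SGX-IntelSDK|SGX-OpenEnclaveSDK|TPM) return 0 ;;
        *) echo "unsupported attestation type: $1" >&2; return 1 ;;
    esac
}

# Writes a constructed sample SGX policy (assumed grammar) to the path in $1:
# it permits only enclaves that are not debuggable and issues the signer
# measurement (MRSIGNER) as a claim in the resulting attestation token.
write_sample_sgx_policy() {
    cat > "$1" <<'EOF'
version= 1.0;
authorizationrules
{
    [ type=="x-ms-sgx-is-debuggable", value==false ] => permit();
};
issuancerules
{
    c:[type=="x-ms-sgx-mrsigner"] => issue(type="mrsigner", value=c.value);
};
EOF
}

# Creates the resource group and provider (both calls are idempotent) and
# prints the provider's AttestUri.
# $1 = provider name, $2 = resource group, $3 = location
provision_provider() {
    az group create --name "$2" --location "$3" --output none
    az attestation create --name "$1" --resource-group "$2" --location "$3" --output none
    # Assumed JSON key `attestUri`; the page's table view calls it AttestUri.
    az attestation show --name "$1" --resource-group "$2" --query attestUri --output tsv
}

# Sets the policy from a text file, then reads it back so the change is verified.
# $1 = provider name, $2 = resource group, $3 = attestation type, $4 = policy file
set_policy_from_file() {
    validate_attestation_type "$3"
    az attestation policy set --name "$1" --resource-group "$2" \
        --attestation-type "$3" --new-attestation-policy-file "$4" --output none
    az attestation policy show --name "$1" --resource-group "$2" --attestation-type "$3"
}

main() {
    command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; exit 1; }
    # Install the extension only if it is not already present.
    az extension show --name attestation >/dev/null 2>&1 || az extension add --name attestation
    az provider register --name Microsoft.Attestation
    policy_file=$(mktemp)
    write_sample_sgx_policy "$policy_file"
    attest_uri=$(provision_provider "myattestationprovider" "attestationrg" "uksouth")
    echo "AttestUri: $attest_uri"
    set_policy_from_file "myattestationprovider" "attestationrg" "SGX-IntelSDK" "$policy_file"
    rm -f "$policy_file"
}

# Only run against Azure when explicitly asked; sourcing the file stays side-effect free.
if [ "${RUN_ATTESTATION_SETUP:-0}" = 1 ]; then
    main
fi
```

Run it with RUN_ATTESTATION_SETUP=1 after az login. Reading the policy back with az attestation policy show after setting it is the check worth keeping: the show output is what the provider will actually enforce, so comparing it against the file you intended to upload catches a wrong --attestation-type or a stale file before any client trusts tokens from the provider.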