azure-attestation-scripts

The scripts used to access and test Azure Attestation

Primary language: C. License: Apache-2.0

Azure Attestation Scripts

Purpose

These scripts are used to build and test Microsoft Azure Attestation (MAA) through the Azure CLI and REST APIs under the Isolated and AAD trust models. The "Isolated" trust model is enabled only if the root policy signing certificate is imported when the MAA instance is created. By default, the "AAD" trust model is used.

Preparation

Please modify env.sh.in according to your Azure subscription and save it as env.sh, then run:

source env.sh

The following steps create the policy signing keys by hand; they are required only for the "Isolated" trust model. If you use the "AAD" trust model, you can skip them.

The next step is to create a root policy signing certificate and then create the MAA instance with it, for example:

openssl genrsa -out root_policy_signing_private_key.pem 2048
openssl req -x509 -new -key root_policy_signing_private_key.pem \
  -out root_policy_signing_cert.pem -days 3650
az attestation create \
  --name $AZURE_MAA_CUSTOM_RESOURCE_NAME \
  --resource-group $AZURE_RESOURCE_GROUP \
  --location $AZURE_RESOURCE_GROUP_LOCATION \
  --certs-input-path root_policy_signing_cert.pem

The last step is to create a policy signing certificate that will be used to sign policies, for example:

openssl genrsa -out my_policy_signing_private_key.pem 2048
openssl req -x509 -new -key my_policy_signing_private_key.pem \
  -out my_policy_signing_cert.pem -days 3650

Note: all the resulting *.pem files are used by the scripts, so keep them in the working directory.
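Before running az attestation create, it is worth checking that env.sh was sourced and that each private key really belongs to the certificate next to it; a certificate generated against the wrong key is accepted silently by openssl and only shows up later as a policy signature failure. The preflight below is an added example, not one of the repository's scripts; it assumes the env.sh variable names and the *.pem file names used above and skips the key/certificate match when openssl is not installed.

```shell
#!/bin/sh
# Preflight check for the Isolated trust model setup (added example).
# Assumes the env.sh variables and the *.pem file names from the steps above.

# Return 0 if every variable named in "$@" is set and non-empty, else 1.
require_vars() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing variable: $v (did you 'source env.sh'?)" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 0 if every path in "$@" is a non-empty file, else 1.
require_files() {
  missing=0
  for f in "$@"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty file: $f" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 0 if the PEM private key $1 and the certificate $2 carry the same
# public key. The check is skipped (returns 0) when openssl is unavailable.
key_matches_cert() {
  key=$1; cert=$2
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key/cert check" >&2; return 0; }
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all checks; returns 0 only when the setup is ready for az attestation create.
maa_preflight() {
  require_vars AZURE_MAA_CUSTOM_RESOURCE_NAME AZURE_RESOURCE_GROUP AZURE_RESOURCE_GROUP_LOCATION || return 1
  require_files root_policy_signing_private_key.pem root_policy_signing_cert.pem \
                my_policy_signing_private_key.pem my_policy_signing_cert.pem || return 1
  key_matches_cert root_policy_signing_private_key.pem root_policy_signing_cert.pem || return 1
  key_matches_cert my_policy_signing_private_key.pem my_policy_signing_cert.pem || return 1
}
```

Source the file after env.sh and run maa_preflight from the directory holding the *.pem files; a non-zero exit names the first problem on stderr.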

Usage

For a quick start, simply run ci_test.sh to validate Azure Attestation functions.

You can also run an individual script to exercise one specific function.