Include Guest Attestation Extension and enable System Assigned MSI by default when Trusted Launch configuration is met #21395

Closed

Description

Is your feature request related to a problem? Please describe.
Trusted Launch VMs (GA in Nov 2021) are Gen 2 VMs with new security guarantees. The north star is to have all Gen 2 VMs created in Azure be Trusted Launch VMs - greatly improving the security posture of Azure and customer workloads. One area of Trusted Launch where we need help driving user adoption is lowering the bar of entry to a critical feature that makes Trusted Launch VMs secure - the Guest Attestation Extension. Today, customers are experiencing friction when installing the extension - either they do not know it exists, or they have to manually install the extension post VM creation, or they have to change their scripts to include an extra command to install the extension and enable MSI. The goal is to have the extension and MSI enabled when the VM configuration meets the Trusted Launch configuration without requiring the customer to use another command.

Describe the solution you'd like
We want to ensure that the Guest Attestation extension is added to the VM object and MSI enabled at the Az Cli layer when the trusted launch config conditions are met without extra CLI commands or parameters, and without having to make changes to the rest-api-specs and SDK. In the case that the customer does not want to install the extension, we would like to introduce an optional parameter --disable-integrity-monitoring to the following CLI command interface:
Az vm create
Az vm update
Az vmss create
Az vmss update
In this case, the Guest Attestation extension as well as MSI should not be enabled even when the VM config matches the Trusted Launch config.

The extension details for Windows:
Name:
Publisher: Microsoft.Azure.Security.WindowsAttestation

The extension details for Linux:
Name: GuestAttestation
Publisher: Microsoft.Azure.Security.LinuxAttestation

Describe alternatives you've considered
An alternative that would be acceptable is the inverse of the preferred solution. In this case, we would want to add a parameter such as --enable-integrity-monitoring to the following:
Az vm create
Az vm update
Az vmss create
Az vmss update
In this case the customer would have to explicitly pass in the parameter --enable-integrity-monitoring to have the Guest Attestation extension installed and MSI enabled.

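The auto-enable rule the request describes, written out as an added Python example (not azure-cli's own code). It assumes the "Trusted Launch config" condition is securityType TrustedLaunch with secure boot and vTPM both enabled, and uses an explicit placeholder for the Windows extension name the issue leaves blank.

```python
"""Model of the default this issue asks the CLI layer to apply:
add the Guest Attestation extension and a system-assigned identity
when the Trusted Launch config is met, unless the caller opts out
with the proposed --disable-integrity-monitoring flag.
Assumption: the Trusted Launch condition is checked as below; the real
CLI may use different checks."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Extension identities from the issue; the Windows name is not on the page,
# so it is an explicit placeholder rather than a guess.
GUEST_ATTESTATION = {
    "Linux": ("GuestAttestation", "Microsoft.Azure.Security.LinuxAttestation"),
    "Windows": ("<WINDOWS-EXTENSION-NAME>", "Microsoft.Azure.Security.WindowsAttestation"),
}


@dataclass
class VmRequest:
    os_type: str                                  # "Linux" or "Windows"
    security_type: Optional[str] = None           # e.g. "TrustedLaunch"
    secure_boot: bool = False
    vtpm: bool = False
    disable_integrity_monitoring: bool = False    # proposed opt-out flag
    identity_type: Optional[str] = None           # ARM identity.type value
    extensions: List[Dict[str, str]] = field(default_factory=list)


def meets_trusted_launch(req: VmRequest) -> bool:
    """Assumed Trusted Launch condition: type set, secure boot and vTPM on."""
    return req.security_type == "TrustedLaunch" and req.secure_boot and req.vtpm


def integrity_monitoring_enabled(req: VmRequest) -> bool:
    """Audit helper: is the attestation extension present and MSI enabled?"""
    _, publisher = GUEST_ATTESTATION[req.os_type]
    has_ext = any(e["publisher"] == publisher for e in req.extensions)
    has_msi = bool(req.identity_type) and "SystemAssigned" in req.identity_type
    return has_ext and has_msi


def apply_integrity_monitoring_defaults(req: VmRequest) -> VmRequest:
    """Mutate the VM model the way the request wants the CLI to; idempotent."""
    if not meets_trusted_launch(req) or req.disable_integrity_monitoring:
        return req
    name, publisher = GUEST_ATTESTATION[req.os_type]
    if not any(e["publisher"] == publisher for e in req.extensions):
        req.extensions.append({"name": name, "publisher": publisher, "type": name})
    # Turn on the system-assigned MSI without dropping a user-assigned one.
    if not req.identity_type:
        req.identity_type = "SystemAssigned"
    elif "SystemAssigned" not in req.identity_type:
        req.identity_type = "SystemAssigned, UserAssigned"
    return req
```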