A CLI tool for Tenants to use and access services provided by Intel Trust Authority.
Ubuntu LTS 20.04
Installing make and makeself
- Run the following command:
  apt -y install make makeself
Installing golang
- Supported golang version is 1.21.0
- Go through the following link to install golang: https://go.dev/doc/install
Add the local binary path, namely $HOME/.local/bin/, to your PATH environment variable if it is not already present.
- git clone https://github.com/intel/trustauthority-cli.git trustauthority-cli
- cd trustauthority-cli and run "make installer"
- copy the binary installer trustauthorityctl-{version}.bin to the system where it needs to be deployed
- create an env file trustauthorityctl.env in your home directory and add the following mandatory contents:
  a. TRUSTAUTHORITY_URL=< URL for Intel Trust Authority >
  b. TRUSTAUTHORITY_API_KEY="< Admin API Key of the Tenant >"
- run "./trustauthorityctl-{version}.bin". This will install the CLI to your system.
- use the CLI: trustauthorityctl < command > < resource >
All files are stored in the user's home directory. The locations are:
- Configuration: $HOME/.config/trustauthorityctl/config.yaml
- Logs: $HOME/.config/trustauthorityctl/logs/trustauthorityctl.log
- Bin: $HOME/.local/bin/trustauthorityctl
Note: If the command is not found, add the binary path to the PATH environment variable.
Note: The request ID (-q) is an optional parameter accepted only by the CRUD commands. It can be a randomly generated string of at most 128 bytes and serves as a unique identifier for each CRUD operation.
- trustauthorityctl uninstall
- trustauthorityctl config -v < env file path >
- trustauthorityctl completion
- trustauthorityctl version
trustauthorityctl create user -q < request id > -e < email Id> -r < Role (Tenant Admin/User) >
trustauthorityctl list user -q < request id >
trustauthorityctl list user -q < request id > -e
trustauthorityctl update user role -q < request id > -u < user id > -r < Role (Tenant Admin/User) >
trustauthorityctl delete user -q < request id > -u < user id >
trustauthorityctl delete tag -q < request id > -t < tag id >
trustauthorityctl list serviceOffer
trustauthorityctl list plan -q < request id > -r < service offer id >
trustauthorityctl list plan -q < request id > -r < service offer id > -p < plan id >
trustauthorityctl list product -q < request id > -r < service offer id >
trustauthorityctl list service -q < request id >
trustauthorityctl list service -q < request id > -r < service Id >
trustauthorityctl create apiClient -q < request id > -r < service id > -p < product id > -n < api client name > -i "comma separated policy Ids" -v "tag-key1:tag-value1,tag-key2:tag-value2"
trustauthorityctl update apiClient -q < request id > -r < service id > -p < product id > -c < api client id > -i "comma separated policy Ids" -v "tag-key1:tag-value1,tag-key2:tag-value2" -s < Active/Inactive/Cancelled >
trustauthorityctl list apiClient -q < request id > -r < service id >
trustauthorityctl list apiClient -q < request id > -r < service id > -c < api client id >
trustauthorityctl delete apiClient -q < request id > -r < service id > -c < api client id >
trustauthorityctl create tag -q < request id > -n < tag name >
trustauthorityctl list tag -q < request id >
trustauthorityctl list apiClient policy -q < request id > -r < service id > -c < api client id >
trustauthorityctl list apiClient tag -q < request id > -r < service id > -c < api client id >
trustauthorityctl update tenant-settings -q < request id > -e < email id >
trustauthorityctl update tenant-settings -q < request id > -d
trustauthorityctl list tenant-settings -q < request id >
trustauthorityctl create policy -q < request id > -n < name of policy > -t < policy type > -a < attestation type > -r < service offer id > -f < rego policy file path > Note: Policy file size should be <= 10KB
trustauthorityctl list policy -q < request id >
trustauthorityctl list policy -q < request id > -p < policy id >
trustauthorityctl delete policy -q < request id > -p < policy id >
trustauthorityctl update policy -q < request id > -i < policy id > -n < name of policy > -f < rego policy file path > Note: Policy file size should be <= 10KB
- Sample rego policy for the create/update policy command (the rule body opens on the same line as the rule head, and the string values are plain double-quoted literals):
  default matches_sgx_policy = false
  matches_sgx_policy = true {
      input.sgx_is_debuggable == false
      input.sgx_isvsvn == 0
      input.sgx_isvprodid == 0
      input.sgx_mrsigner == "d412a4f07ef83892a5915fb2ab584be31e186e5a4f95ab5f6950fd4eb8694d7b"
      input.sgx_mrenclave == "bab91f200038076ac25f87de0ca67472443c2ebe17ed9ba95314e609038f51ab"
  }
trustauthorityctl create policy-jwt -q < request id > -f < rego policy file path > -p < signing key path > -c < cert path > -a < algorithm > -s
Create a self-signed key and certificate for policy JWT token creation:
- Generate key and cert files for -algorithm (PS384 | RS384) (recommended)
  openssl req -x509 -nodes -days 365 -newkey rsa:3072 -keyout ta-jwt.key -out ta-jwt.crt
- Generate key and cert files for -algorithm (PS256 | RS256)
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ta-jwt.key -out ta-jwt.crt
- The signed policy token can be verified independently at jwt.io
- The output file name of this command is the input policy file name suffixed with ".signed.current_timestamp.txt"
- The policy payload for Trust Authority uses the rego format, which differs from the Azure MAA payload
- Supported signing algorithms are "RS256", "PS256", "RS384" and "PS384"; the default algorithm is PS384
- The signing algorithm needs to match the certificate's key algorithm
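As an added illustration (example code, not the project's own implementation) of what the policy-jwt step produces and how a consumer should check it: a minimal Go signer and verifier for a rego policy wrapped in a compact JWS with the PS256/PS384 algorithms listed above. The "AttestationPolicy" claim name and the exact token layout are assumptions for this example, not the tool's documented format. The verifier pins the algorithm it expects instead of trusting the token header's "alg", so a token whose header names a different algorithm is rejected even when its signature is otherwise valid.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 for crypto.Hash
	_ "crypto/sha512" // registers SHA-384 for crypto.Hash
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// hashFor: the two PSS algorithms the README lists (RS256/RS384 would use rsa.SignPKCS1v15/VerifyPKCS1v15 instead).
var hashFor = map[string]crypto.Hash{"PS256": crypto.SHA256, "PS384": crypto.SHA384}
var enc = base64.RawURLEncoding
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // JWS (RFC 7518) salt length
func digest(h crypto.Hash, s string) []byte { d := h.New(); d.Write([]byte(s)); return d.Sum(nil) }

// SignPolicyJWT wraps a rego policy in a compact JWS; the "AttestationPolicy" claim name is an assumption, not the tool's format.
func SignPolicyJWT(policy, alg string, key *rsa.PrivateKey) (string, error) {
	h, ok := hashFor[alg]
	if !ok {
		return "", errors.New("unsupported signing algorithm " + alg)
	}
	body, _ := json.Marshal(map[string]string{"AttestationPolicy": policy})
	input := enc.EncodeToString([]byte(`{"alg":"`+alg+`","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	sig, err := rsa.SignPSS(rand.Reader, key, h, digest(h, input), pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyPolicyJWT verifies with an algorithm the caller pins; the header "alg" must match it and never selects the check.
func VerifyPolicyJWT(token, expectedAlg string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	raw, err := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[2])
	h, ok := hashFor[expectedAlg]
	if err != nil || err2 != nil || json.Unmarshal(raw, &hdr) != nil || !ok || hdr.Alg != expectedAlg {
		return errors.New("token does not decode, or header alg does not match the pinned algorithm")
	}
	return rsa.VerifyPSS(pub, h, digest(h, parts[0]+"."+parts[1]), sig, pssOpts)
}
```

Load the key generated by the openssl command above with x509.ParsePKCS8PrivateKey to sign a real policy file; the RFC 7518 salt length is what lets jwt.io verify the result.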