Using GCE APIs to retrieve EKPub

Using GCE APIs to retrieve EKPub

Snippet that uses the GCE Compute API to retrieve the ekCert/ekPub encryption and signing keys for an instance.

The idea is that a remote verifier would first use the GCE API to retrieve the ekPub key and use that as a trust anchor for remote attestation.

As the owner of the VM, create a custom IAM role (or just use `roles/compute.viewer`):

  • `shieldedViewer.yaml`
title: ShieldedViewer
description: See ekPub for instance
stage: GA
includedPermissions:
- compute.instances.getShieldedInstanceIdentity
# Identify the target instance; fill in PROJECT_ID and INSTANCE_ID before running.
export PROJECT_ID=""
export INSTANCE_ID=""
export ZONE="us-central1-a"

# Create the custom role from shieldedViewer.yaml; it carries only
# compute.instances.getShieldedInstanceIdentity, nothing broader.
gcloud iam roles create ShieldedViewer --project=$PROJECT_ID --file=shieldedViewer.yaml

# Bind the role on this single instance (instance-level, not project-wide) so the
# verifier can read only this VM's identity. Replace the member with the verifier's
# actual identity.
gcloud compute instances add-iam-policy-binding $INSTANCE_ID \
  --zone=$ZONE --member="user:verifier@anotherdomain.com" \
  --role="projects/$PROJECT_ID/roles/ShieldedViewer"
# Run the snippet as the verifier identity granted above.
go run main.go --instanceID=$INSTANCE_ID --projectID=$PROJECT_ID --zone=$ZONE

package main


import (
	"context"
	"flag"
	"log"
	"time"

	"google.golang.org/api/compute/v1"
)

// Command-line flags that identify the instance whose Shielded VM identity is
// fetched. All three are required; main rejects an empty value for any of them.
var (
	// projectID is the GCP project that owns the instance.
	projectID = flag.String("projectID", "", "ProjectID")
	// instanceID is passed to the API as the instance resource; the help text
	// says a name or an ID is accepted.
	instanceID = flag.String("instanceID", "", "InstanceName or ID")
	// zone is the compute zone the instance lives in.
	zone = flag.String("zone", "", "Zone where the instance resides")
)

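// main fetches the Shielded VM identity of one GCE instance and prints its
// endorsement public key(s). A remote verifier uses the key obtained over the
// authenticated Compute API as its trust anchor for later attestation, so every
// failure path surfaces the underlying API error instead of masking it.
func main() {
	flag.Parse()

	if *projectID == "" || *instanceID == "" || *zone == "" {
		log.Fatalf("ERROR:  must specify projectID, instanceID and zone")
	}

	// Bound the API call so a hung request cannot stall the verifier forever.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	computeService, err := compute.NewService(ctx)
	if err != nil {
		log.Fatalf("ERROR:  Could not create Compute Engine API %v", err)
	}

	si, err := computeService.Instances.GetShieldedInstanceIdentity(*projectID, *zone, *instanceID).Context(ctx).Do()
	if err != nil {
		// Report err itself: a permission failure on
		// compute.instances.getShieldedInstanceIdentity and a missing instance
		// must be distinguishable to the operator, not both reported as "not found".
		log.Fatalf("ERROR:  Could not get shielded identity for instanceID %s using GCE API: %v", *instanceID, err)
	}

	// The response's key entries are pointers; guard before dereferencing so an
	// incomplete response is a clear error rather than a nil-pointer panic.
	if si.EncryptionKey == nil {
		log.Fatalf("ERROR:  No encryption key returned for instanceID %s", *instanceID)
	}
	log.Printf("EKPub %s\n", si.EncryptionKey.EkPub)

	// The identity also carries a signing key entry; print it when present.
	if si.SigningKey != nil {
		log.Printf("Signing EKPub %s\n", si.SigningKey.EkPub)
	}
}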