Quickstart: Create an Azure Attestation provider with an ARM template

Microsoft Azure Attestation is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of deploying an Azure Resource Manager template (ARM template) to create a Microsoft Azure Attestation policy.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Deploy To Azure 1

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Review the template

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.25.53.49325",
      "templateHash": "1187521685481570330"
    }
  },
  "parameters": {
    "attestationProviderName": {
      "type": "string",
      "defaultValue": "[uniqueString(resourceGroup().name)]",
      "metadata": {
        "description": "Name of the Attestation provider. Must be between 3 and 24 characters in length and use numbers and lower-case letters only."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "policySigningCertificates": {
      "type": "string",
      "defaultValue": ""
    }
  },
  "variables": {
    "PolicySigningCertificates": {
      "PolicySigningCertificates": {
        "keys": [
          {
            "kty": "RSA",
            "use": "sig",
            "x5c": [
              "[parameters('policySigningCertificates')]"
            ]
          }
        ]
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Attestation/attestationProviders",
      "apiVersion": "2021-06-01",
      "name": "[parameters('attestationProviderName')]",
      "location": "[parameters('location')]",
      "properties": "[if(empty(parameters('policySigningCertificates')), json('{}'), variables('PolicySigningCertificates'))]"
    }
  ],
  "outputs": {
    "attestationName": {
      "type": "string",
      "value": "[resourceId('Microsoft.Attestation/attestationProviders', parameters('attestationProviderName'))]"
    },
    "location": {
      "type": "string",
      "value": "[parameters('location')]"
    },
    "resourceGroupName": {
      "type": "string",
      "value": "[resourceGroup().name]"
    },
    "resourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Attestation/attestationProviders', parameters('attestationProviderName'))]"
    }
  }
}

Azure resources defined in the template:

  • Microsoft.Attestation/attestationProviders

Deploy the template

  1. Select the following image to sign in to Azure and open the template.

    Button to deploy the Resource Manager template to Azure.

  2. Select or enter the following values.

    Unless it's specified, use the default value to create the attestation provider.

    • Attestation Provider Name: Select a name for your Azure Attestation provider.
    • Location: Select a location. For example, Central US.
    • Tags: Select a location. For example, Central US.
  3. Select Purchase. After the attestation resource has been deployed successfully, you get a notification.

The Azure portal is used to deploy the template. In addition to the Azure portal, you can also use the Azure PowerShell, Azure CLI, and REST API. To learn other deployment methods, see Deploy templates.

Review deployed resources

You can use the Azure portal to check the attestation resource.

Clean up resources

Other Azure Attestation build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.

When no longer needed, delete the resource group, which deletes the Attestation resource. To delete the resource group by using Azure CLI or Azure PowerShell:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
az group delete --name $resourceGroupName &&
echo "Press [ENTER] to continue ..."

Next steps

In this quickstart, you created an attestation resource using an ARM template, and validated the deployment. To learn more about Azure Attestation, see Overview of Azure Attestation.