Nitrogen - a tool for deploying web services to AWS Nitro Enclaves

Overview

Nitrogen is a tool for deploying web services to AWS Nitro Enclaves. Given a dockerfile and an ssh key, Nitrogen will spin up an EC2, configure the network, and build and deploy your web service. You get back a hostname that’s ready to go. Nitrogen is fully open source and it comes with pre-built scripts for deploying popular services like Nginx, Redis, and MongoDB.

Install

Nitrogen can easily be installed with the following:

For Linux or Mac:

$ curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh

For Windows PowerShell:

$ iex (irm https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.ps1)

Note: An AWS account is required. If you have the AWS CLI configured, you can retrieve your credentials with cat ~/.aws/credentials. See Troubleshooting if your AWS account uses MFA.

export AWS_ACCESS_KEY_ID=<YOUR ACCESS KEY>
export AWS_SECRET_ACCESS_KEY=<YOUR SECRET>

Commands

  • nitrogen setup
  • nitrogen build
  • nitrogen deploy
  • nitrogen logs
  • nitrogen delete

Features

  • Spins up any enclave-supported EC2 instance type (with Nitro Enclaves enabled).
  • Creates a security group for a specified port.
  • Sets up SSH.
  • Runs a socat proxy from the public internet (TCP) into the Nitro Enclave (VSOCK).
  • Builds any Dockerfile into an Enclave Image File (EIF).
  • Deploys any EIF and launches a Nitro Enclave.
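The socat proxy in the feature list is the only way traffic reaches the enclave, since an enclave has no network interface of its own. The shell below is an added example (not one of Nitrogen's own scripts) showing both halves of that TCP-to-VSOCK bridge: on the parent instance, reading the enclave's CID out of the JSON that nitro-cli describe-enclaves prints and forwarding the public port to it; inside the enclave, a VSOCK listener that hands each connection to the web server on loopback. The sample describe-enclaves output, the enclave name nitrogen-test, port 5000 and the server's 127.0.0.1:80 are constructed assumptions, and socat 1.7.4 or later is assumed on both sides for its VSOCK address types.

```shell
#!/bin/sh
# Added example, not part of the Nitrogen project: the two halves of the
# TCP -> VSOCK bridge described in the feature list.
# Assumptions: socat >= 1.7.4 on both sides (VSOCK-* addresses), the web
# server inside the enclave listens on 127.0.0.1:80, and 5000 is the public port.

# Extract the CID of the named running enclave from the JSON that
# `nitro-cli describe-enclaves` prints. $1 = enclave name, stdin = JSON.
# Prints the CID, or nothing if no enclave of that name is listed.
enclave_cid() {
  awk -v want="$1" '
    BEGIN { RS = "}" }                       # one enclave object per record
    $0 ~ ("\"EnclaveName\": *\"" want "\"") {
      if (match($0, /"EnclaveCID": *[0-9]+/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/.*: */, "", s)
        print s
      }
    }'
}

# Host side: accept TCP on the public port and open one VSOCK connection to
# the enclave per client. fork keeps serving after the first connection;
# reuseaddr lets the proxy restart while old sockets are still in TIME_WAIT.
host_proxy_cmd() {
  cid="$1"; port="$2"
  printf 'socat TCP-LISTEN:%s,reuseaddr,fork VSOCK-CONNECT:%s:%s\n' "$port" "$cid" "$port"
}

# Enclave side (run from the image's entrypoint before the server starts):
# only a VSOCK listener can receive traffic inside the enclave; it hands each
# connection to the server's loopback port.
enclave_listener_cmd() {
  port="$1"; upstream_port="$2"
  printf 'socat VSOCK-LISTEN:%s,fork TCP:127.0.0.1:%s\n' "$port" "$upstream_port"
}

# Constructed sample of `nitro-cli describe-enclaves` output (not real ids).
SAMPLE_DESCRIBE='[
  {
    "EnclaveName": "nitrogen-test",
    "EnclaveID": "i-0exampleinstance-enc0example",
    "ProcessID": 4242,
    "EnclaveCID": 16,
    "NumberOfCPUs": 2,
    "CPUIDs": [1, 3],
    "MemoryMiB": 512,
    "State": "RUNNING",
    "Flags": "NONE"
  }
]'

# Usage on the parent instance (real calls, not run by this file):
#   cid=$(nitro-cli describe-enclaves | enclave_cid nitrogen-test)
#   sh -c "$(host_proxy_cmd "$cid" 5000)" &
# Usage inside the enclave, from the entrypoint script:
#   sh -c "$(enclave_listener_cmd 5000 80)" &
#   exec nginx -g 'daemon off;'
```

The host-side proxy sees every byte that crosses it, so the bridge only keeps data out of the parent instance's reach when TLS is terminated inside the enclave (the arrangement the Nginx TLS examples below are for); with plain HTTP on port 5000 the security group is the only control on who can reach the enclave.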

Examples

Nginx Example

$ nitrogen setup nitrogen-test ~/.ssh/id_rsa.pub --instance-type m5n.16xlarge
>  INFO nitrogen: Spinning up enclave instance 'nitrogen-test'.
>  INFO nitrogen::commands::setup: Successfully created enclave instance. stack_id="arn:aws:cloudformation:us-east-1:657861442343:stack/nitrogen-test/c93c7c80-5581-11ed-8a2b-0e2f3ffeccf1"
>  INFO nitrogen: User enclave information: name="nitrogen-test" instance_id="i-07daa284594ff02bc" public_ip="44.197.181.14" availability_zone="us-east-1b" public_dns="ec2-44-197-181-14.compute-1.amazonaws.com"
$ nitrogen build examples/nginx/
> Filename: nitrogen.eif
$ nitrogen deploy nitrogen-test ~/.ssh/id_rsa
> EIF is now running public_dns="ec2-1-234-56-789.compute-1.amazonaws.com:5000"
$ curl http://ec2-1-234-56-789.compute-1.amazonaws.com:5000/
> <!DOCTYPE html>
<html>
    <head>
        <title>Hello Nitrogen!</title>
    </head>
</html>

Nginx TLS Examples

See here.

Troubleshooting

If you have permission issues and your AWS account has MFA enabled, obtain a session token before running setup:

aws sts get-session-token --serial-number arn:aws:iam::<ACCOUNT-ID>:mfa/<MFA-DEVICE-NAME> --token-code <MFA-CODE>

Export the values printed from the above command:

export AWS_ACCESS_KEY_ID=<AccessKeyId from the output>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey from the output>
export AWS_SESSION_TOKEN=<SessionToken from the output>

You can also use the helper script sts.sh in this repository. Warning: it will unset any AWS authentication environment variables you have already set in your shell.

. sts.sh
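The MFA steps above (call get-session-token, then export the three values) can be done in one place. The script below is an added example, not the project's sts.sh: it asks STS for temporary credentials with the AWS CLI's --query and --output text options, checks that the key it got back is a short-lived STS key, and prints the export lines so they can be fed to eval before running nitrogen setup. The MFA device ARN and code are placeholders; the function needs to be called with a long-term (non-session) key active, because GetSessionToken cannot be called with session credentials.

```shell
#!/bin/sh
# Added example, not the project's sts.sh: request temporary credentials for an
# MFA-protected IAM user and turn them into the three exports that
# `nitrogen setup` needs. Assumes AWS CLI v2 and a long-term key in the active
# profile (GetSessionToken cannot be called with session credentials).

# Turn one tab-separated line "AccessKeyId SecretAccessKey SessionToken"
# (what `--output text` prints for the --query used below) into export
# statements. Prints nothing if the line does not have exactly three fields,
# so a truncated or error response never produces half-set variables.
format_exports() {
  printf '%s\n' "$1" | awk -F'\t' 'NF == 3 {
    printf "export AWS_ACCESS_KEY_ID=%s\n", $1
    printf "export AWS_SECRET_ACCESS_KEY=%s\n", $2
    printf "export AWS_SESSION_TOKEN=%s\n", $3
  }'
}

# Temporary keys issued by STS start with ASIA; a long-term IAM user key starts
# with AKIA. Checking the prefix confirms that what is about to be exported is
# the short-lived credential and not the permanent one.
is_temporary_key() {
  case "$1" in
    ASIA*) return 0 ;;
    *)     return 1 ;;
  esac
}

# $1 = MFA device ARN (placeholder form: arn:aws:iam::<ACCOUNT-ID>:mfa/<DEVICE>),
# $2 = the current 6-digit code. Prints export lines for use with eval.
mfa_session() {
  line=$(aws sts get-session-token \
           --serial-number "$1" --token-code "$2" \
           --duration-seconds 3600 \
           --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
           --output text) || return 1
  key=$(printf '%s\n' "$line" | cut -f1)
  if ! is_temporary_key "$key"; then
    echo "mfa_session: unexpected access key id prefix, not exporting" >&2
    return 1
  fi
  format_exports "$line"
}

# Usage (real call, not run by this file):
#   eval "$(mfa_session 'arn:aws:iam::<ACCOUNT-ID>:mfa/<DEVICE>' 123456)"
#   nitrogen setup nitrogen-test ~/.ssh/id_rsa.pub
```

The one-hour --duration-seconds keeps the exported secret short-lived; the setup command only needs the credentials while it creates the CloudFormation stack, so there is no reason to hold the default 12-hour token in the shell's environment.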

If you wish to deploy the enclave in debug mode, use the "--debug-mode" flag during deploy. You can then log into the instance and view the enclave console, or use the nitrogen logs command.

Contributors

Thank you to @kalebpace for contributing the name for the nitrogen crate.

Comments
  • Support for arm architecture during releasing

    The tool we're using for releasing binaries doesn't support arm architecture on windows, linux or macos. We'll have to build up our own custom actions to build and then upload them to the release. We should be able to learn a few things from the action we're already using: https://github.com/rust-build/rust-build.action

    opened by justin1121 3
  • pull utility functions into a common module

    we've started using the cloudformation helpers from setup in a few different places, and I could see this continuing in the future for other commands (e.g. w/ #26). it might be more maintainable to pull out cloudformation utilities (and maybe even the various ssh commands) into a shared module

    opened by jvmncs 1
  • Add ability to turn on debug mode on the enclave

    There's a flag in nitro-cli that enables the enclave to be debugged. We should add a flag to nitrogen to enable this. The flag is --debug-mode. Along with this we should consider adding tips on how to debug enclaves.

    opened by justin1121 1
  • Fix Dockerfile inference in nitrogen::build

    Fixes the nitrogen::build command to look for the Dockerfile in the provided dockerfile_dir argument. Also adds a few slightly better log/error messages elsewhere

    opened by jvmncs 0
  • Add key command

    This generates an AWS KMS key with a policy that has the PCRs required by KMS to perform attestation against decrypt requests.

    Example coming soon.

    opened by justin1121 0
Releases: v0.2.5
Owner: Cape Privacy (Confidential Computing by Default)