Amazon Web Services

When deploying Polaris on AWS, you will be asked to configure several parameters for the Docker container running your workload.

  • Custom Workload Image (CustomWorkloadImage): Specify the full image reference (registry, repository and tag) of the Docker image to run inside the Polaris enclave (e.g., my-registry.io/my-app:latest).
  • Private Registry Credentials: If your image is hosted in a private registry other than Amazon ECR, provide the CustomWorkloadImageRegistryLoginServer, CustomWorkloadImageRegistryUsername, and CustomWorkloadImageRegistryPassword. For ECR, it is recommended to leave these blank and ensure the EC2 instance has an IAM role that permits pulling the image.
  • Environment Variables (CustomWorkloadEnvironmentVariables): Provide any environment variables required by your application as a JSON object (e.g., {"API_KEY": "12345", "MODE": "production"}). These will be passed to the Docker container at runtime.
  • Workload Port (CustomWorkloadPort): The port your application must listen on inside the container to receive traffic from the Polaris Proxy.
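Because a mistake in these parameters only surfaces once the enclave fails to start, it is worth checking them before deploying. The following validator is an added example (not Polaris code): the parameter names are the ones listed above, while the rules, the ECR hostname heuristic and the sample values are constructed here.

```python
"""Pre-deployment sanity checks for the Polaris workload parameters (added example)."""
import json
import re

# registry[:port]/repo[/repo...]:tag  or  ...@sha256:<digest>
IMAGE_RE = re.compile(
    r"^[a-z0-9.\-]+(:[0-9]+)?(/[a-z0-9._\-]+)+(:[\w.\-]+|@sha256:[0-9a-f]{64})$")
REGISTRY_KEYS = ("CustomWorkloadImageRegistryLoginServer",
                 "CustomWorkloadImageRegistryUsername",
                 "CustomWorkloadImageRegistryPassword")


def validate_params(params: dict) -> list:
    """Return a list of problems found; an empty list means the set looks deployable."""
    problems = []
    if not IMAGE_RE.match(params.get("CustomWorkloadImage", "")):
        problems.append("CustomWorkloadImage must be a full image reference such as "
                        "my-registry.io/my-app:latest")
    # Registry credentials are all-or-nothing; ECR should rely on the instance IAM role.
    given = [k for k in REGISTRY_KEYS if params.get(k)]
    if given and len(given) != len(REGISTRY_KEYS):
        problems.append("registry credentials are incomplete: " + ", ".join(given))
    if ".dkr.ecr." in params.get(REGISTRY_KEYS[0], ""):  # ECR login servers look like this
        problems.append("leave registry credentials blank for ECR and use the EC2 IAM role")
    # Environment variables must be a flat JSON object of string values.
    try:
        env = json.loads(params.get("CustomWorkloadEnvironmentVariables", "{}"))
    except json.JSONDecodeError as exc:
        problems.append(f"CustomWorkloadEnvironmentVariables is not valid JSON: {exc}")
    else:
        if not isinstance(env, dict) or not all(isinstance(v, str) for v in env.values()):
            problems.append("CustomWorkloadEnvironmentVariables must be a JSON object "
                            "whose values are strings")
    # The proxy forwards to a TCP port, so it must be a valid port number.
    try:
        port = int(params.get("CustomWorkloadPort", ""))
    except ValueError:
        port = 0
    if not 1 <= port <= 65535:
        problems.append("CustomWorkloadPort must be an integer between 1 and 65535")
    return problems


if __name__ == "__main__":
    sample = {  # constructed sample values
        "CustomWorkloadImage": "my-registry.io/my-app:latest",
        "CustomWorkloadEnvironmentVariables": '{"API_KEY": "12345", "MODE": "production"}',
        "CustomWorkloadPort": "8080",
    }
    print(validate_params(sample) or "parameters look deployable")
```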

Nitro Enclaves Requirements

When preparing your workload for AWS Nitro Enclaves, keep in mind the following:

  • Self-Contained Image: Your Docker image must include all code, models, and dependencies. The enclave has no internet or VPC access and cannot download or install anything at runtime.
  • No Persistent Storage: The enclave environment is ephemeral. All data inside the enclave is lost when it stops or restarts.
  • Pre-installed Libraries: All required libraries and tools must be pre-installed in the Docker image.
Note: Currently, Python and Java applications are officially supported in AWS Nitro Enclaves. Other runtimes may work if they are properly packaged and the entrypoint/command is set correctly using the CustomWorkloadCommand parameter.


Debugging

You can connect to the EC2 instance via SSH to troubleshoot the enclave. Useful commands include:

# List all running enclaves and their status
sudo nitro-cli describe-enclaves

# View console output from a specific enclave (replace <ENCLAVE_ID>)
sudo nitro-cli console --enclave-id <ENCLAVE_ID>

# Show logs from the CloudFormation deployment process
cat /var/log/user-data.log

# Show error logs from Nitro Enclaves runtime
cat /var/log/nitro_enclaves/err*.log