1.0 Introduction
This article describes how to execute an Amazon Web Services (AWS) Nitro application in a Workflow using the Workflow RUN button, which allows users to start the application job and monitor it in Fortanix Confidential Computing Manager (CCM).
NOTE
The execution of the application takes place within the Amazon Elastic Kubernetes Service (EKS) runtime environment.
2.0 Execute the AWS Nitro Application on Amazon EKS
2.1 Prerequisites
Ensure that the Compute Clusters are configured in Fortanix CCM. A compute cluster is a set of nodes that run containerized applications. Compute clusters are used to run Fortanix CCM workflows. For more information on how to configure a compute cluster in Fortanix CCM and access the cluster, refer to Section 3.0: Configure the Cluster using Amazon EKS.
2.2 Create an Amazon EKS Cluster
Ensure that you have set up a cluster on Amazon EKS as a worker node and installed the Nitro node agent in the Fortanix CCM. For more information, refer to Amazon Elastic Kubernetes Service with Fortanix Confidential Computing Manager.
2.3 Obtain the kubeconfig YAML file
A kubeconfig YAML file is used to configure the EKS compute cluster. For more information on how to get the EKS credentials, refer to Amazon Elastic Kubernetes Service with Fortanix Confidential Computing Manager.
3.0 Configure the Cluster using Amazon EKS
Perform the following steps to configure the Amazon EKS credentials in Fortanix CCM:
In the CCM user interface (UI) left navigation panel, click Infrastructure → COMPUTE CLUSTERS, and click ADD CLUSTER to configure a new compute cluster.
Figure 1: Add compute cluster
In the Cluster form:
Cluster Name: Enter the required name of the cluster.
Description: Enter the optional details about the cluster.
Type: Select the Kubernetes option from the drop-down menu.
Kubernetes configuration: Upload the YAML file containing the EKS configuration details. For more information, refer to Section 2.3: Obtain the kubeconfig YAML file.
Click ADD CLUSTER to save the cluster configuration.
4.0 Configure the Amazon EKS Application Workflow
Ensure that you have created a workflow using the EKS application in the Fortanix CCM UI. For more information, refer to Create, Update, Clone, and Delete Workflows.
Perform the following steps to configure the workflow:
In the CCM UI left navigation panel, click Workflows → Approved.
From the list of approved workflows, select a workflow that has a single application since Fortanix CCM supports only single job deployments.
In the detailed view of the selected workflow, you will notice that RUN is disabled. This button will be disabled if you have not configured the Kubernetes job specification. Click the icon to configure these details and enable RUN.
In the RUN WORKFLOW dialog box:
Deployment Type: The workflow deployment type, that is, Kubernetes (Single Job). Currently, Fortanix CCM supports only a single job deployment.
Namespace: The Kubernetes namespace.
Cluster: The EKS cluster that you configured in Fortanix CCM.
DeploymentType: The deployment type for the application, that is, Kubernetes.
Job Specification: The Kubernetes job specification YAML file that is required by the cluster and the application to run the application job.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app: my-pod
    fortanix.cloud/app-id: huzme3phs
    fortanix.cloud/workflow: 4388e54b-5862-4efc-93f7-dbfc172951608
  name: my-pod
spec:
  template:
    metadata:
      labels:
        app: my-pod
    spec:
      restartPolicy: Never
      imagePullSecrets:
      - name: regcred
      containers:
      - env:
        - name: NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: NODE_AGENT
          value: http://$(NODE_IP):9092/v1
        - name: APPCONFIG_ID
          value: fee3378f765271f6902a4123e331ab3afa2b0d88638a97ef5f76ca70ffc31181
        - name: CCM_BACKEND
          value: ccm.test.fortanix.com:443
        - name: RUST_LOG
          value: debug
        - name: IS_EKS
          value: 'true'
        - name: MEM_SIZE
          value: '2048'
        - name: NODE_AGENT_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: NODE_AGENT
          value: http://$(NODE_AGENT_IP):9092/v1
        image: 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/ccm-automation-output-images:python-generic-app-dec20
        imagePullPolicy: Always
        name: nginx
        ports:
        - containerPort: 80
          name: http
        - containerPort: 22
          name: ssh
        resources:
          limits:
            cpu: 500m
            hugepages-1Gi: 2Gi
            memory: 2Gi
            smarter-devices/nitro_enclaves: '1'
          requests:
            hugepages-1Gi: 2Gi
            smarter-devices/nitro_enclaves: '1'
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /dev/hugepages
          name: hugepage
          readOnly: false
        - mountPath: /var/log/nitro_enclaves
          name: log
        - mountPath: /run/nitro_enclaves
          name: socket-path
      volumes:
      - emptyDir:
          medium: HugePages
        name: hugepage
      - hostPath:
          path: /var/log/nitro_enclaves
        name: log
      - emptyDir: {}
        name: socket-path
NOTE
Refer to the Kubernetes job specification at https://kubernetes.io/docs/concepts/workloads/controllers/job/.
Fortanix CCM incorporates the necessary environment variables into the provided Kubernetes job specification.
When hosting the Docker image in a password-protected repository, include imagePullSecrets. Fortanix CCM does not push any secrets stored in it; it is the user’s responsibility to configure these in Kubernetes.
Click SAVE CONFIGURATION to save the changes.
RUN is now enabled on the screen.
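The following pre-submission check for the job specification in Section 4.0 is an added example, not Fortanix code or part of the original article. It assumes the YAML has already been loaded into a Python dict; review_job, SAMPLE_JOB and the severity labels are hypothetical names, and the sample is a constructed, trimmed copy of the specification above.

```python
NITRO = "smarter-devices/nitro_enclaves"  # resource name taken from the page's spec

def review_job(job):
    """Return (severity, message) findings for a batch/v1 Job given as a dict."""
    out = []
    pod = job["spec"]["template"]["spec"]
    if not pod.get("imagePullSecrets"):
        out.append(("warn", "no imagePullSecrets (needed for a protected registry)"))
    host_paths = {v["name"] for v in pod.get("volumes", []) if "hostPath" in v}
    for c in pod.get("containers", []):
        name, res = c.get("name", "?"), c.get("resources", {})
        lim, req = res.get("limits", {}), res.get("requests", {})
        if NITRO not in lim:
            out.append(("error", f"{name}: no {NITRO} limit"))
        for key, val in lim.items():
            # Kubernetes requires request == limit for hugepages and extended resources.
            pinned = key == NITRO or key.startswith("hugepages-")
            if pinned and req.get(key, val) != val:
                out.append(("error", f"{name}: {key} request differs from limit"))
        names = [e["name"] for e in c.get("env", [])]
        for dup in sorted({n for n in names if names.count(n) > 1}):
            out.append(("warn", f"{name}: env {dup} defined more than once"))
        if c.get("securityContext", {}).get("privileged"):
            out.append(("review", f"{name}: container is privileged"))
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths and not m.get("readOnly"):
                out.append(("review", f"{name}: writable hostPath mount {m['mountPath']}"))
        if any(p.get("containerPort") == 22 for p in c.get("ports", [])):
            out.append(("review", f"{name}: declares SSH port 22"))
    return out

# Constructed sample: a trimmed copy of the page's job specification.
SAMPLE_JOB = {"spec": {"template": {"spec": {
    "imagePullSecrets": [{"name": "regcred"}],
    "containers": [{
        "name": "nginx",
        "env": [{"name": "NODE_AGENT", "value": "http://$(NODE_IP):9092/v1"},
                {"name": "NODE_AGENT", "value": "http://$(NODE_AGENT_IP):9092/v1"}],
        "ports": [{"containerPort": 80}, {"containerPort": 22}],
        "resources": {"limits": {"hugepages-1Gi": "2Gi", NITRO: "1"},
                      "requests": {"hugepages-1Gi": "2Gi", NITRO: "1"}},
        "securityContext": {"privileged": True},
        "volumeMounts": [{"mountPath": "/var/log/nitro_enclaves", "name": "log"}],
    }],
    "volumes": [{"hostPath": {"path": "/var/log/nitro_enclaves"}, "name": "log"}],
}}}}
if __name__ == "__main__":
    for severity, message in review_job(SAMPLE_JOB):
        print(f"{severity:7} {message}")
```

Findings marked "review" are settings to justify before approval, not necessarily errors.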
5.0 Run the Amazon EKS Application Workflow
Perform the following steps to run the EKS application workflow:
Click RUN in the detailed view of an approved workflow enabled in Section 4.0: Configure the Amazon EKS Application Workflow.
In the RUN WORKFLOW window, confirm the values of each parameter and click RUN to run the workflow.
Observe the running indicator at the bottom of the workflow.
If there is a need to halt the execution at any point, click STOP. This action will re-enable the RUN button.
The Execution Log will display the execution status if the application executes successfully.
The EXECUTION LOG window provides a detailed log of the run. You can also download the log using DOWNLOAD.