Deploy in your own AWS account¶
Deploy Caution enclaves in your own AWS infrastructure while Caution handles the standard Docker build and deployment orchestration.
What is bring your own compute?¶
Bring your own compute (BYOC) lets you run confidential enclaves in your own AWS account. A one-time setup script creates isolated AWS infrastructure and a scoped IAM identity that can only interact with resources tagged for Caution, then Caution manages deployments within that environment. For full details, see the bring your own compute reference.
AWS Nitro support today
Caution currently supports deployments on AWS Nitro Enclaves. We are actively working on support for Intel TDX, AMD SEV-SNP, and TPM 2.0 attestations.
What you need¶
Before you begin, ensure you have the following:
| What you'll need | Details |
|---|---|
| Access code | Request access at info@caution.co |
| Passkey | Browser or platform passkey, password manager passkey, or security key or smart card (YubiKey, NitroKey, or LibremKey) |
| CLI | Supported today on Linux (x86_64) or macOS (arm64) (install) |
| Git | For cloning and pushing repositories (install) |
| Docker | With containerd image store enabled (install) |
| Containerized app | Your application must be containerized |
| AWS credentials | For the AWS account where Caution will provision tagged resources |
AWS credentials should use a least-privilege IAM role when possible. Admin credentials can be used as an alternative. See bring-your-own-cloud-setup for guidance.
Install the CLI¶
Follow the installation instructions in the CLI README.
Create an account¶
To create an account, you'll need a valid access code and a passkey. You can register in the browser or with the CLI.
If you do not have an access code, request one at info@caution.co.
- Go to dashboard.caution.co
- Enter your access code
- Use your passkey method
- Click Continue
- Approve Passkey interaction when prompted
Add an SSH key¶
Add an SSH key so you can authenticate your Caution deployments:
Add an SSH key from the browser dashboard.
Select an application¶
Deploy your own containerized application, or start with one of the Caution demo apps. For this guide, use hello-world-enclave:
For your own app, make sure the container builds from the repository root with the standard Docker form:
If you use another file, set containerfile in the Procfile and replace Containerfile with that path. Caution uses this build shape and does not pass extra build arguments, so public build-time values need to be part of the image inputs. Use Locksmith for secrets.
Set up your AWS environment¶
Choose how you want to provision the AWS environment for bring your own compute deployments. Both paths continue through the Caution CLI for app registration, Git-based deployment, and verification.
In both paths, setup uses your provisioning credentials to create tagged AWS resources and a scoped IAM user, then registers only the scoped deployment credentials with Caution:
flowchart TB
subgraph Local["Your setup environment"]
AppDir["Application directory"]
AwsCreds["AWS provisioning credentials"]
CliSetup["CLI-guided setup<br/>caution init --byoc"]
ManualSetup["Manual setup container<br/>bring-your-own-cloud-setup"]
ConfigFile["credentials.json.gpg<br/>manual path"]
end
subgraph Aws["Your AWS account"]
Resources["Tagged deployment resources<br/>VPC, subnets, IGW, routing, S3, launch template, ASG"]
InstanceRole["EC2 instance role<br/>read EIF images"]
BuilderRole["Builder role<br/>publish EIF images"]
ScopedUser["Scoped IAM user<br/>tag-limited policy"]
end
subgraph Caution["Caution"]
AppRecord["Caution app record"]
DeploymentCreds["Scoped deployment credentials"]
end
AppDir --> CliSetup
AwsCreds --> CliSetup
AwsCreds --> ManualSetup
CliSetup -->|provisions| Resources
CliSetup -->|creates| InstanceRole
CliSetup -->|creates| BuilderRole
CliSetup -->|creates| ScopedUser
CliSetup -->|registers automatically| AppRecord
ManualSetup -->|provisions| Resources
ManualSetup -->|creates| InstanceRole
ManualSetup -->|creates| BuilderRole
ManualSetup -->|creates| ScopedUser
ManualSetup --> ConfigFile
ConfigFile -->|caution init --byoc --config| AppRecord
ScopedUser --> DeploymentCreds
AppRecord --> DeploymentCredsCLI-guided provisioning (recommended)¶
Use this path if you want Caution to provision AWS infrastructure and register deployment credentials automatically.
From your application directory, run:
This command detects your AWS credentials, provisions the required AWS infrastructure, creates your app on Caution, and registers the deployment credentials automatically.
Commit the generated .caution/deployment.json to your repository. The deployment file stores the Caution app resource ID so CLI commands can infer the target app from the repository.
Manual provisioning¶
Use this path if you want more control over the AWS infrastructure setup before registering the deployment configuration with Caution.
From a working directory, run:
git clone https://codeberg.org/caution/bring-your-own-cloud-setup.git
cd bring-your-own-cloud-setup
cp .env.example .env
# Edit .env with your AWS credentials
docker build -t caution-provisioner-setup .
docker run --rm \
--env-file .env \
-v "$(pwd)/out:/out" \
caution-provisioner-setup
This provisions the required AWS infrastructure and writes credentials.json.gpg to the out/ directory.
Use an existing VPC (Optional)
If you want Caution to provision resources in an existing VPC (Virtual Private Cloud) instead of creating a new one, set VPC_ID=vpc-xxxxxxxx in your .env file before running the Docker command.
To use the generated encrypted credentials, return to your application directory and run:
Commit the generated .caution/deployment.json to your repository. The deployment file stores the Caution app resource ID so CLI commands can infer the target app from the repository.
What the setup creates¶
The setup flow creates an isolated environment for running enclaves in your AWS account:
| Resource | Purpose |
|---|---|
| VPC | Dedicated /16 VPC with public subnets across multiple availability zones, internet gateway, and routing |
| S3 Bucket | Stores enclave image files (EIFs). Named caution-<deployment-id>-images |
| EC2 Instance Role | Allows enclave instances to read EIFs from the S3 bucket |
| Builder Role | Allows builder instances to publish EIF objects into the S3 bucket |
| Launch Template | Preconfigured template for enclave instances |
| Auto Scaling Group | Manages enclave instances (starts at 0, Caution scales as needed) |
| Scoped IAM User | Credentials for Caution, scoped to only these resources |
Add environment variables¶
If your application needs environment variables, use Key services before deploying. The guide covers non-encrypted variables for public configuration and encrypted variables for secrets, including how to deploy Keymaker, generate shard-holder OpenPGP keys, create a quorum bundle, encrypt values from .env, and enable Locksmith in your Procfile.
Skip this step if your application does not need environment variables.
Deploy the application¶
From your application directory, push the code to Caution:
Caution builds a reproducible enclave image with the standard Docker build and deploys it into the AWS environment you provisioned.
Verify the deployment¶
From your application directory, run the following command to rebuild the image, compare hashes, and confirm exactly what the enclave is running:
Cleanup¶
To tear down a BYOC deployment from the CLI, run:
Run this from your application directory (or ensure local BYOC state exists in ~/.caution/<app>/bring-your-own-cloud.json) and make sure your AWS credentials are available.
If you need manual cleanup details, see the cleanup instructions in the BYOC repo.
Next steps¶
Your application is now running in a verified enclave in your own AWS account. Here's what to explore next:
-
Bring your own compute
Run Caution enclaves in your own AWS account.
-
Deployment configuration
Configure source verification and networking options.
-
Procfile
Configure how your application runs and verifies.
-
Verifiability
Learn how Caution ensures code integrity from source to production.