Protegrity Anonymization on

Prerequisites

Mon, 01 Jan 0001 00:00:00 +0000

Ensure the following prerequisites are met:

Tools:
- helm and kubectl are installed and configured with access Protegrity Provisioned Cluster (PPC).
- pipis installed in the Python Virtual Environment.
AWS Setup:
- A Protegrity Provisioned Cluster (PPC) is available.
  For more information about PPC, refer to Protegrity Provisioned Cluster.
- An AWS account with CLI credentials for configuring AWS is available.
- An existing VPC with at least two private subnets is available.
- An S3 bucket for storing anonymization artifacts is available and must exist before installation. The S3 bucket should not be KMS encrypted. The bucket must use default SSE-S3 encryption or no encryption.
- An IAM role (for example, arn:aws:iam::<Account_ID>:role/<Role_Name>) with the required S3 permissions (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject) must exist before installation.
- Sufficient permissions to create namespaces, deployments, secrets, and services.
- Ensure that the jumpbox can connect to the required repositories. If not already authenticated, then log in to the required repository.

For connecting and deploying from the Protegrity Container Registry (PCR), use the following command and the credentials obtained from the My.Protegrity portal during account creation:

helm registry login registry.protegrity.com:9443

For connecting and deploying to the local repository, use your local credentials and local repository endpoint as required.

IRSA and OIDC Configurations:

Installing Protegrity Anonymization

Mon, 01 Jan 0001 00:00:00 +0000

Overview

This project deploys the Protegrity Anonymization SDK stack on Amazon EKS as part of the Protegrity AI Team Edition.
It uses Helm to deploy Kubernetes workloads.

Deployment Steps

1. Prepare Configuration

Create an override_values.yaml file with environment‑specific configuration.

s3:
 bucketName: "<>" # S3 bucket name for storage (must exist before installation)
 region: "us-east-1" # Update AWS region
 iamRoleArn: "<>" # IAM role ARN with S3 permissions (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject) (must exist before installation)
image:
 anonapi_tag: /anonymization/1.4/containers/anonymization-service:release-1.4.1_13  # Tag name for Anonymization Image.
 postgres_tag: /shared/containers/postgres/17:37

Note: Ensure the S3 bucket is not KMS encrypted. The bucket must use default SSE-S3 encryption or no encryption.

Configuring Protegrity Anonymization

Mon, 01 Jan 0001 00:00:00 +0000

Update Role Permission and Create User

After deployment, update the default anonymization_administrator role to include can_create_token permission and then create a user with this role.

Step 1: Update `anonymization_administrator` role permission

export GATEWAY_URL="https://$(kubectl get configmap/nfa-config -n default -o jsonpath='{.data.FQDN}')"

# 1. Obtain an Authentication Token
TOKEN=$(curl -sk -X POST "${GATEWAY_URL}/api/v1/auth/login/token" \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -d 'loginname=admin&password=Admin123!' \
 -D - -o /dev/null | grep -i 'pty_access_jwt_token' | awk '{print $2}' | tr -d '\r\n')

curl -sk -X PUT \
 "${GATEWAY_URL}/pty/v1/auth/roles" \
 -H 'accept: application/json' \
 -H "Authorization: Bearer ${TOKEN}" \
 -H 'Content-Type: application/json' \
 -d '{
 "name": "anonymization_administrator",
 "description": "Administrator role",
 "permissions": [
 "can_create_token",
 "anonymization_operations_admin"
 ]
 }'

Step 2: Create user with `anonymization_administrator` role attached

Use the following request payload when creating the user:

Protegrity Anonymization Python SDK Installation

Mon, 01 Jan 0001 00:00:00 +0000

Python SDK

The Anonymization service can be accessed programmatically using the Python SDK.

1. Obtain an Authentication Token

export GATEWAY_URL=https://<YOUR_GATEWAY_HOSTNAME>
# Gateway URL can be obtained using the following command:
# export GATEWAY_URL="https://$(kubectl get configmap/nfa-config -n default -o jsonpath='{.data.FQDN}')"
# Login with the Anon user and get token
TOKEN=$(curl -sk -X POST "${GATEWAY_URL}/api/v1/auth/login/token" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'loginname=anonymization_admin&password=StrongPassword123!' \
-D - -o /dev/null | grep -i 'pty_access_jwt_token' | awk '{print $2}' | tr -d '\r\n')

echo "Access Token: $TOKEN"

Note: Replace default credentials and URLs for production environments.

Uninstalling and Cleanup Protegrity Anonymization

Mon, 01 Jan 0001 00:00:00 +0000

To remove the Anonymization SDK and all associated Kubernetes resources:

Clear the deployed release.

helm uninstall pty-anonymization -n anon-ns --wait --timeout 300s

Delete the bootstrap credentials secret.

kubectl delete secret/aws-iam-bootstrap-creds -n anon-ns

Delete the persistent volume claim.

kubectl delete pvc/anon-db-persistent-storage-anon-db-depl-0 -n anon-ns

Clear the namespace.

kubectl delete namespace anon-ns

Optionally clean up IAM roles and OIDC provider created for this deployment, and any S3 artifacts that are no longer needed.

Protegrity Anonymization on

Prerequisites

Installing Protegrity Anonymization

Overview

Deployment Steps

1. Prepare Configuration

Configuring Protegrity Anonymization

Update Role Permission and Create User

Step 1: Update anonymization_administrator role permission

Step 2: Create user with anonymization_administrator role attached

Protegrity Anonymization Python SDK Installation

Python SDK

1. Obtain an Authentication Token

Uninstalling and Cleanup Protegrity Anonymization

Step 1: Update `anonymization_administrator` role permission

Step 2: Create user with `anonymization_administrator` role attached