Installing Protegrity Anonymization

Steps to install Protegrity Anonymization

Overview

This project deploys the Protegrity Anonymization SDK stack on Amazon EKS as part of the Protegrity AI Team Edition.
It uses Helm to deploy Kubernetes workloads.

Deployment Steps

1. Prepare Configuration

  1. Create an override_values.yaml file with environment‑specific configuration.

    s3:
      bucketName: "<>"  # S3 bucket name for storage (must exist before installation)
      region: "us-east-1"  # Update AWS region
      iamRoleArn: "<>"  # IAM role ARN with S3 permissions (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject) (must exist before installation)
    image:
      anonapi_tag: /anonymization/1.4/containers/anonymization-service:release-1.4.1_13   # Tag name for Anonymization Image.
      postgres_tag: /shared/containers/postgres/17:37      
    

    Note: Ensure the S3 bucket is not KMS encrypted. The bucket must use default SSE-S3 encryption or no encryption.

  2. Create namespace for deployment.

    kubectl create namespace anon-ns  
    

    Note: Ensure all necessary parameters are set.

2. IRSA and OIDC Setup

  Note: This setup requires elevated privileges and is recommended to be performed with assistance from your IT team.

  1. Pull and extract the Helm chart using the following command.

      helm pull oci://<Container_Registry_Path>/anonymization/1.4/helm/anonymization-service --version=1.4.1
      tar -xvf anonymization-service-1.4.1.tgz
    
  2. Run the OIDC and IRSA setup script.

    Use the oidc_iam_setup-aws.sh script included with the chart to configure:

    • The OIDC identity provider in AWS IAM.

    • The IAM role trust relationship for the Kubernetes service account.

      sh anonymization-service/oidc_iam_setup-aws.sh <CLUSTER_NAME> <REGION> <IAM_ROLE> <S3_BUCKET_NAME> anon-ns anon-service-account
      #Usage: oidc_iam_setup-aws.sh <CLUSTER_NAME> <REGION> <IAM_ROLE> <S3_BUCKET_NAME> <NAMESPACE> <SERVICE_ACCOUNT_NAME>
      #Ex: oidc_iam_setup-aws.sh CLUSTER_NAME us-east-1 access_ROLE_name anon_bucket anon-ns anon-service-account
      

      Note:

      • The Anonymization service account (anon-service-account) and namespace (anon-ns) are predefined in the values.yaml file.
      • Retrieve the cluster name using the following command:
        kubectl get configmap/nfa-config -n default -o jsonpath='{.data.CLUSTER_NAME}'
      
    • Verify successful setup.
      A successful run ends with output similar to the following:

      ✓ Policy already attached to role
      =========================================
      ✓ Setup Complete!
      =========================================
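
The trust relationship configured in this step is what restricts the IAM role to a single Kubernetes service account. The following Python check is an added example, not part of the Protegrity chart or its setup script: it audits a role trust policy against the anon-ns namespace and anon-service-account names used on this page. It assumes the script produces the standard IRSA trust-policy shape; the issuer ID, account ID, and sample policies are constructed placeholders.

```python
# Namespace and service account are the page's values; sample policies below are constructed.
EXPECTED_SUB = "system:serviceaccount:anon-ns:anon-service-account"
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEISSUERID"  # placeholder issuer

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_irsa_trust(policy, expected_sub=EXPECTED_SUB):
    """Return findings for a role trust policy; an empty list means it is scoped as expected."""
    findings = []
    allows = [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement: the service account cannot assume the role")
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        feds = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if len(feds) != 1 or len(principal) != 1 or ":oidc-provider/" not in feds[0]:
            findings.append(f"allow {n}: principal is not a single OIDC provider")
            continue
        issuer = feds[0].split(":oidc-provider/", 1)[1]
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"allow {n}: unexpected action {stmt.get('Action')}")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if as_list(equals.get(f"{issuer}:sub", [])) != [expected_sub]:
            loose = cond.get("StringLike", {}).get(f"{issuer}:sub")
            detail = f"StringLike {loose}" if loose else "missing or different"
            findings.append(f"allow {n}: sub not pinned to {expected_sub} ({detail})")
        if as_list(equals.get(f"{issuer}:aud", [])) != ["sts.amazonaws.com"]:
            findings.append(f"allow {n}: aud not pinned to sts.amazonaws.com")
    return findings

def sample_policy(condition):
    """Constructed trust policy; the account ID is a placeholder."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

GOOD = sample_policy({"StringEquals": {f"{ISSUER}:sub": EXPECTED_SUB,
                                       f"{ISSUER}:aud": "sts.amazonaws.com"}})
LOOSE = sample_policy({"StringLike": {f"{ISSUER}:sub": "system:serviceaccount:*:*"},
                       "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("LOOSE", LOOSE)):
        print(name, audit_irsa_trust(doc) or "OK")
```

To audit a real role, save the output of `aws iam get-role --role-name <IAM_ROLE> --query Role.AssumeRolePolicyDocument`, load it with `json.load`, and pass the resulting dictionary to `audit_irsa_trust`.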
      

3. Deploy

  1. Deploy using the override_values.yaml file.

    helm install pty-anonymization oci://<Container_Registry_Path>/anonymization/1.4/helm/anonymization-service --version=1.4.1 -n anon-ns -f override_values.yaml 
    

4. Monitor

  1. Monitor the deployment process using the following command.

     kubectl get pods -n anon-ns
    

    Verify that all pods are in the Running state. The following is sample output.

    NAME                                  READY   STATUS    RESTARTS   AGE
    anon-app-depl-f5c4d4cd6-42wgn         1/1     Running   0          3m20s
    anon-db-depl-0                        1/1     Running   0          3m20s
    anon-scheduler-depl-7b87fcb74-l5q6v   1/1     Running   0          3m20s
    anon-worker-depl-7c4d95496f-djw7f     1/1     Running   0          3m20s
    anon-worker-depl-7c4d95496f-gnnvp     1/1     Running   0          3m20s
    
  2. Verify all the Anonymization services are deployed.

     kubectl get svc -n anon-ns
    

    The following is sample output.

    NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    anon-app-svc    ClusterIP   172.20.151.139   <none>        8090/TCP   61s
    anon-dask-svc   ClusterIP   172.20.224.133   <none>        8786/TCP   61s
    

For more information about building the Request using the REST API, refer to Building the Request using the REST API.


Last modified : April 13, 2026