# IronCore Labs Alloy SDK Examples

This directory contains some examples of using the IronCore Labs Alloy SDK to protect sensitive data.

This SDK can be used in two different modes: Standalone and SaaS Shield. In Standalone mode, you will need to provide your own secrets. In SaaS Shield mode, the TSP will derive secrets for you.

# Standalone client

Standalone mode is designed to support fully offline programs and therefore does not require any additional setup. In a production environment, you would have to manage secrets for your tenants, but this example provides dummy secrets for convenience.

# SaaS Shield client

In order to use SaaS Shield mode, you need to run one or more _Tenant Security Proxies_ (TSPs) in your environment. This service is provided as a Docker container, so it is easy to run the proxy on any computer that has Docker installed. IronCore Labs hosts the Docker container on a publicly accessible container registry, so you can pull the image from there and run it locally.

The TSP has a companion Docker container, the _Tenant Security Logdriver_ (LD) that runs alongside it in your environment. It is also hosted on the same publicly accessible container registry.

In addition to the Docker containers, you need a configuration file that specifies how the TSP and LD should communicate with the IronCore Labs Configuration Broker and Data Control Platform, which work together to enable the end-to-end encryption that keeps all of the tenant KMS configuration information secure. To simplify the process of running these examples, we have created a demo vendor and tenants that you can use for the examples; all the necessary configuration information is included in the `demo-tsp.conf` file in this directory.

**NOTE:** Normally, the file containing the configuration would be generated by the vendor and loaded into a Kubernetes secret or similar mechanism for securely loading the configuration into the docker container. We have included this configuration in the repository as a convenience. Also note that these accounts are all created in IronCore's staging infrastructure.

The following command will get a TSP and LD running together on your computer with the provided configuration. The `docker-compose` command will pull both container images, then start them up together on a subnetwork, so they can communicate with each other.

```bash
docker-compose -f docker-compose.yml up
```

The TSP will be listening locally on port 32804.

Once the TSP and LD are running, you can experiment with the example programs. Each of the examples executes as an individual tenant of our demo SaaS vendor. There are six tenants defined; their IDs are the following:

- tenant-gcp
- tenant-aws
- tenant-azure
- tenant-gcp-l
- tenant-aws-l
- tenant-azure-l

The last three are similar to the first three, but they have [key leasing](https://ironcorelabs.com/docs/saas-shield/what-is-key-leasing/) enabled.

By default, an example will use the `tenant-gcp` tenant. If you would like to experiment with a different tenant, just do:

```bash
export TENANT_ID=