config: automatically upload new Azure SNP versions to API + sign version with release key (#1854)

* sign version with release key and remove version from fetcher interface * extend azure-reporter GH action to upload updated version values to the Attestation API
2025-02-25 01:10:16 -05:00 · 2023-06-02 12:10:22 +02:00 · 2023-06-02 12:10:22 +02:00 · a813760f96
commit a813760f96
parent 18da9b8128
14 changed files with 214 additions and 76 deletions
--- a/.github/workflows/azure-snp-reporter.yml
+++ b/.github/workflows/azure-snp-reporter.yml
@ -49,7 +49,10 @@ jobs:
  validate-snp-report:
    needs: fetch-snp-report
-    name: "Validate SNP report"
+    name: "Validate SNP report and update Attestation API"
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-22.04
    env:
      SHELL: /bin/bash
@ -73,4 +76,18 @@ jobs:
      - name: Verify report
        shell: bash
-        run: go run ./hack/azure-snp-report-verify/verify.go "$(cat ./maa-report.jwt)"
+        run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json
      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
      - name: Update Attestation API
        shell: bash
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          go run ./hack/configapi/main.go --version-file azure-snp-version.json
--- a/1
+++ b/1
@ -16,6 +16,7 @@
 /e2e @katexochen
 /hack/azure-jump-host @malt3
 /hack/azure-snp-report-verify @derpsteb
 /hack/configapi @elchead
 /hack/bazel-deps-mirror @malt3
 /hack/check-licenses.sh @thomasten
 /hack/clidocgen @thomasten
--- a/cli/internal/cmd/configfetchmeasurements_test.go
+++ b/cli/internal/cmd/configfetchmeasurements_test.go
@ -299,13 +299,13 @@ func (f fakeConfigFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ conf
 	), nil
 }
-func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
+func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet) (configapi.AzureSEVSNPVersionGet, error) {
 	return configapi.AzureSEVSNPVersionGet{
 		AzureSEVSNPVersion: testCfg,
 	}, nil
 }
-func (f fakeConfigFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
+func (f fakeConfigFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context) (configapi.AzureSEVSNPVersionGet, error) {
 	return configapi.AzureSEVSNPVersionGet{
 		AzureSEVSNPVersion: testCfg,
 	}, nil
--- a/hack/azure-snp-report-verify/verify.go
+++ b/hack/azure-snp-report-verify/verify.go
@ -46,12 +46,13 @@ func (i *IsolationTEE) PrintSVNs() {
 func main() {
 	configAPIExportPath := flag.String("export-path", "azure-sev-snp-version.json", "Path to the exported config API file.")
 	maaJWT := flag.String("report", "", "MAA JWT report to verify")
 	flag.Parse()
-	if len(os.Args) != 2 {
+	if *maaJWT == "" {
-		fmt.Println("Usage:", os.Args[0], "<maa-jwt>")
+		fmt.Println("Must provide --report")
 		return
 	}
-	report, err := getTEEReport(os.Args[1])
+	report, err := getTEEReport(*maaJWT)
 	if err != nil {
 		panic(err)
 	}
--- a/hack/configapi/cmd/BUILD.bazel
+++ b/hack/configapi/cmd/BUILD.bazel
@ -1,4 +1,5 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("//bazel/go:go_test.bzl", "go_test")
 go_library(
    name = "cmd",
@ -8,7 +9,18 @@ go_library(
    deps = [
        "//internal/api/attestationconfig",
        "//internal/api/attestationconfig/client",
        "//internal/api/attestationconfig/fetcher",
        "//internal/staticupload",
        "@com_github_spf13_cobra//:cobra",
    ],
 )
 go_test(
    name = "cmd_test",
    srcs = ["root_test.go"],
    embed = [":cmd"],
    deps = [
        "//internal/api/attestationconfig",
        "@com_github_stretchr_testify//assert",
    ],
 )
--- a/hack/configapi/cmd/root.go
+++ b/hack/configapi/cmd/root.go
@ -10,27 +10,32 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"reflect"
 	"time"
-	configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
+	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
 	attestationconfigclient "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/client"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
 	"github.com/edgelesssys/constellation/v2/internal/staticupload"
 	"github.com/spf13/cobra"
 )
 const (
-	awsRegion      = "eu-central-1"
+	awsRegion           = "eu-central-1"
-	awsBucket      = "cdn-constellation-backend"
+	awsBucket           = "cdn-constellation-backend"
-	invalidDefault = 0
+	invalidDefault      = 0
-	envAwsKeyID    = "AWS_ACCESS_KEY_ID"
+	envAwsKeyID         = "AWS_ACCESS_KEY_ID"
-	envAwsKey      = "AWS_ACCESS_KEY"
+	envAwsKey           = "AWS_ACCESS_KEY"
 	envCosignPwd        = "COSIGN_PASSWORD"
 	envCosignPrivateKey = "COSIGN_PRIVATE_KEY"
 )
 var (
 	versionFilePath string
 	// Cosign credentials.
-	cosignPwd      string
+	cosignPwd  string
-	privateKeyPath string
+	privateKey string
 )
 // Execute executes the root command.
@ -41,58 +46,102 @@ func Execute() error {
 // newRootCmd creates the root command.
 func newRootCmd() *cobra.Command {
 	rootCmd := &cobra.Command{
-		Use:   "AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload -b 2 -t 0 -s 6 -m 93 --cosign-pwd $PWD --private-key $FILE_PATH",
+		Use:   "COSIGN_PASSWORD=$CPWD COSIGN_PRIVATE_KEY=$CKEY AWS_ACCESS_KEY_ID=$ID AWS_ACCESS_KEY=$KEY upload --version-file $FILE",
 		Short: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api.",
-		Long: "Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3.",
+		Long:    fmt.Sprintf("Upload a set of versions specific to the azure-sev-snp attestation variant to the config api. Please authenticate with AWS through your preferred method (e.g. environment variables, CLI) to be able to upload to S3. Set the %s and %s environment variables to authenticate with cosign.", envCosignPrivateKey, envCosignPwd),
-		RunE: runCmd,
+		PreRunE: envCheck,
 		RunE:    runCmd,
 	}
 	rootCmd.PersistentFlags().StringVarP(&versionFilePath, "version-file", "f", "", "File path to the version json file.")
-	rootCmd.PersistentFlags().StringVar(&cosignPwd, "cosign-pwd", "", "Cosign password used to decrpyt the private key.")
+	must(enforceRequiredFlags(rootCmd, "version-file"))
 	rootCmd.PersistentFlags().StringVar(&privateKeyPath, "private-key", "", "File path of private key used to sign the payload.")
 	must(enforceRequiredFlags(rootCmd, "version-file", "cosign-pwd", "private-key"))
 	return rootCmd
 }
 func envCheck(_ *cobra.Command, _ []string) error {
 	if os.Getenv(envCosignPrivateKey) == "" || os.Getenv(envCosignPwd) == "" {
 		return fmt.Errorf("please set both %s and %s environment variables", envCosignPrivateKey, envCosignPwd)
 	}
 	cosignPwd = os.Getenv(envCosignPwd)
 	privateKey = os.Getenv(envCosignPrivateKey)
 	return nil
 }
 func runCmd(cmd *cobra.Command, _ []string) error {
 	ctx := cmd.Context()
 	cfg := staticupload.Config{
 		Bucket: awsBucket,
 		Region: awsRegion,
 	}
 	privateKey, err := os.ReadFile(privateKeyPath)
 	if err != nil {
 		return fmt.Errorf("reading private key: %w", err)
 	}
 	versionBytes, err := os.ReadFile(versionFilePath)
 	if err != nil {
 		return fmt.Errorf("reading version file: %w", err)
 	}
-	var versions configapi.AzureSEVSNPVersion
+	var inputVersion attestationconfig.AzureSEVSNPVersion
-	err = json.Unmarshal(versionBytes, &versions)
+	if err = json.Unmarshal(versionBytes, &inputVersion); err != nil {
 	if err != nil {
 		return fmt.Errorf("unmarshalling version file: %w", err)
 	}
-	sut, sutClose, err := attestationconfigclient.New(ctx, cfg, []byte(cosignPwd), privateKey)
+	latestAPIVersion, err := fetcher.New().FetchAzureSEVSNPVersionLatest(ctx)
 	if err != nil {
-		return fmt.Errorf("creating repo: %w", err)
+		return fmt.Errorf("fetching latest version: %w", err)
 	}
 	defer func() {
 		if err := sutClose(ctx); err != nil {
 			fmt.Printf("closing repo: %v\n", err)
 		}
 	}()
-	if err := sut.UploadAzureSEVSNP(ctx, versions, time.Now()); err != nil {
+	isNewer, err := isInputNewerThanLatestAPI(inputVersion, latestAPIVersion.AzureSEVSNPVersion)
-		return fmt.Errorf("uploading version: %w", err)
+	if err != nil {
 		return fmt.Errorf("comparing versions: %w", err)
 	}
 	if isNewer {
 		fmt.Printf("Input version: %+v is newer than latest API version: %+v\n", inputVersion, latestAPIVersion)
 		sut, sutClose, err := attestationconfigclient.New(ctx, cfg, []byte(cosignPwd), []byte(privateKey))
 		defer func() {
 			if err := sutClose(ctx); err != nil {
 				fmt.Printf("closing repo: %v\n", err)
 			}
 		}()
 		if err != nil {
 			return fmt.Errorf("creating repo: %w", err)
 		}
 		if err := sut.UploadAzureSEVSNP(ctx, inputVersion, time.Now()); err != nil {
 			return fmt.Errorf("uploading version: %w", err)
 		}
 		cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", inputVersion)
 	} else {
 		cmd.Printf("Input version: %+v is not newer than latest API version: %+v\n", inputVersion, latestAPIVersion)
 	}
 	cmd.Printf("Successfully uploaded new Azure SEV-SNP version: %+v\n", versions)
 	return nil
 }
 // isInputNewerThanLatestAPI compares all version fields with the latest API version and returns true if any input field is newer.
 func isInputNewerThanLatestAPI(input, latest attestationconfig.AzureSEVSNPVersion) (bool, error) {
 	inputValues := reflect.ValueOf(input)
 	latestValues := reflect.ValueOf(latest)
 	fields := reflect.TypeOf(input)
 	num := fields.NumField()
 	// validate that no input field is smaller than latest
 	for i := 0; i < num; i++ {
 		field := fields.Field(i)
 		inputValue := inputValues.Field(i).Uint()
 		latestValue := latestValues.Field(i).Uint()
 		if inputValue < latestValue {
 			return false, fmt.Errorf("input %s version: %d is older than latest API version: %d", field.Name, inputValue, latestValue)
 		} else if inputValue > latestValue {
 			return true, nil
 		}
 	}
 	// check if any input field is greater than latest
 	for i := 0; i < num; i++ {
 		inputValue := inputValues.Field(i).Uint()
 		latestValue := latestValues.Field(i).Uint()
 		if inputValue > latestValue {
 			return true, nil
 		}
 	}
 	return false, nil
 }
 func enforceRequiredFlags(cmd *cobra.Command, flags ...string) error {
 	for _, flag := range flags {
 		if err := cmd.MarkPersistentFlagRequired(flag); err != nil {
--- a/hack/configapi/cmd/root_test.go
+++ b/hack/configapi/cmd/root_test.go
@ -0,0 +1,75 @@
 /*
 Copyright (c) Edgeless Systems GmbH
 SPDX-License-Identifier: AGPL-3.0-only
 */
 package cmd
 import (
 	"testing"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
 	"github.com/stretchr/testify/assert"
 )
 var testCfg = attestationconfig.AzureSEVSNPVersion{
 	Microcode:  93,
 	TEE:        0,
 	SNP:        6,
 	Bootloader: 2,
 }
 func TestIsInputNewerThanLatestAPI(t *testing.T) {
 	testCases := map[string]struct {
 		latest attestationconfig.AzureSEVSNPVersion
 		input  attestationconfig.AzureSEVSNPVersion
 		expect bool
 		errMsg string
 	}{
 		"input is older than latest": {
 			input: func(c attestationconfig.AzureSEVSNPVersion) attestationconfig.AzureSEVSNPVersion {
 				c.Microcode--
 				return c
 			}(testCfg),
 			latest: testCfg,
 			expect: false,
 			errMsg: "input Microcode version: 92 is older than latest API version: 93",
 		},
 		"input has greater and smaller version field than latest": {
 			input: func(c attestationconfig.AzureSEVSNPVersion) attestationconfig.AzureSEVSNPVersion {
 				c.Microcode++
 				c.Bootloader--
 				return c
 			}(testCfg),
 			latest: testCfg,
 			expect: false,
 			errMsg: "input Bootloader version: 1 is older than latest API version: 2",
 		},
 		"input is newer than latest": {
 			input: func(c attestationconfig.AzureSEVSNPVersion) attestationconfig.AzureSEVSNPVersion {
 				c.TEE++
 				return c
 			}(testCfg),
 			latest: testCfg,
 			expect: true,
 		},
 		"input is equal to latest": {
 			input:  testCfg,
 			latest: testCfg,
 			expect: false,
 		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			isNewer, err := isInputNewerThanLatestAPI(tc.input, tc.latest)
 			assert := assert.New(t)
 			if tc.errMsg != "" {
 				assert.EqualError(err, tc.errMsg)
 			} else {
 				assert.NoError(err)
 				assert.Equal(tc.expect, isNewer)
 			}
 		})
 	}
 }
--- a/internal/api/attestationconfig/fetcher/BUILD.bazel
+++ b/internal/api/attestationconfig/fetcher/BUILD.bazel
@ -9,7 +9,7 @@ go_library(
    deps = [
        "//internal/api/attestationconfig",
        "//internal/api/fetcher",
-        "//internal/api/versions",
+        "//internal/constants",
        "//internal/sigstore",
    ],
 )
@ -20,8 +20,6 @@ go_test(
    embed = [":fetcher"],
    deps = [
        "//internal/api/attestationconfig",
        "//internal/api/versions",
        "@com_github_stretchr_testify//assert",
        "@com_github_stretchr_testify//require",
    ],
 )
--- a/internal/api/attestationconfig/fetcher/fetcher.go
+++ b/internal/api/attestationconfig/fetcher/fetcher.go
@ -16,15 +16,17 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
 	"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
-	versionsapi "github.com/edgelesssys/constellation/v2/internal/api/versions"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 )
 const cosignPublicKey = constants.CosignPublicKeyReleases
 // AttestationConfigAPIFetcher fetches config API resources without authentication.
 type AttestationConfigAPIFetcher interface {
-	FetchAzureSEVSNPVersion(ctx context.Context, azureVersion attestationconfig.AzureSEVSNPVersionGet, version versionsapi.Version) (attestationconfig.AzureSEVSNPVersionGet, error)
+	FetchAzureSEVSNPVersion(ctx context.Context, azureVersion attestationconfig.AzureSEVSNPVersionGet) (attestationconfig.AzureSEVSNPVersionGet, error)
 	FetchAzureSEVSNPVersionList(ctx context.Context, attestation attestationconfig.AzureSEVSNPVersionList) (attestationconfig.AzureSEVSNPVersionList, error)
-	FetchAzureSEVSNPVersionLatest(ctx context.Context, version versionsapi.Version) (attestationconfig.AzureSEVSNPVersionGet, error)
+	FetchAzureSEVSNPVersionLatest(ctx context.Context) (attestationconfig.AzureSEVSNPVersionGet, error)
 }
 // Fetcher fetches AttestationCfg API resources without authentication.
@ -48,16 +50,12 @@ func (f *Fetcher) FetchAzureSEVSNPVersionList(ctx context.Context, attestation a
 }
 // FetchAzureSEVSNPVersion fetches the version information from the config API.
-func (f *Fetcher) FetchAzureSEVSNPVersion(ctx context.Context, attestation attestationconfig.AzureSEVSNPVersionGet, version versionsapi.Version) (attestationconfig.AzureSEVSNPVersionGet, error) {
+func (f *Fetcher) FetchAzureSEVSNPVersion(ctx context.Context, azureVersion attestationconfig.AzureSEVSNPVersionGet) (attestationconfig.AzureSEVSNPVersionGet, error) {
-	cosignPublicKey, err := sigstore.CosignPublicKeyForVersion(version)
+	urlString, err := azureVersion.URL()
 	if err != nil {
-		return attestationconfig.AzureSEVSNPVersionGet{}, fmt.Errorf("get public key for config: %w", err)
+		return azureVersion, err
 	}
-	urlString, err := attestation.URL()
+	fetchedVersion, err := fetcher.Fetch(ctx, f.HTTPClient, azureVersion)
 	if err != nil {
 		return attestationconfig.AzureSEVSNPVersionGet{}, err
 	}
 	fetchedVersion, err := fetcher.Fetch(ctx, f.HTTPClient, attestation)
 	if err != nil {
 		return fetchedVersion, fmt.Errorf("fetch version %s: %w", fetchedVersion.Version, err)
 	}
@ -71,7 +69,7 @@ func (f *Fetcher) FetchAzureSEVSNPVersion(ctx context.Context, attestation attes
 		return fetchedVersion, fmt.Errorf("fetch version %s signature: %w", fetchedVersion.Version, err)
 	}
-	err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature, cosignPublicKey)
+	err = sigstore.CosignVerifier{}.VerifySignature(versionBytes, signature, []byte(cosignPublicKey))
 	if err != nil {
 		return fetchedVersion, fmt.Errorf("verify version %s signature: %w", fetchedVersion.Version, err)
 	}
@ -79,14 +77,14 @@ func (f *Fetcher) FetchAzureSEVSNPVersion(ctx context.Context, attestation attes
 }
 // FetchAzureSEVSNPVersionLatest returns the latest versions of the given type.
-func (f *Fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context, version versionsapi.Version) (res attestationconfig.AzureSEVSNPVersionGet, err error) {
+func (f *Fetcher) FetchAzureSEVSNPVersionLatest(ctx context.Context) (res attestationconfig.AzureSEVSNPVersionGet, err error) {
 	var list attestationconfig.AzureSEVSNPVersionList
 	list, err = f.FetchAzureSEVSNPVersionList(ctx, list)
 	if err != nil {
 		return res, fmt.Errorf("fetching versions list: %w", err)
 	}
 	get := attestationconfig.AzureSEVSNPVersionGet{Version: list[0]} // get latest version (as sorted reversely alphanumerically)
-	get, err = f.FetchAzureSEVSNPVersion(ctx, get, version)
+	get, err = f.FetchAzureSEVSNPVersion(ctx, get)
 	if err != nil {
 		return res, fmt.Errorf("failed fetching version: %w", err)
 	}
--- a/internal/api/attestationconfig/fetcher/fetcher_test.go
+++ b/internal/api/attestationconfig/fetcher/fetcher_test.go
@ -15,9 +15,7 @@ import (
 	"testing"
 	configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
 	versionsapi "github.com/edgelesssys/constellation/v2/internal/api/versions"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 var testCfg = configapi.AzureSEVSNPVersionGet{
@ -36,7 +34,7 @@ func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
 		want      configapi.AzureSEVSNPVersionGet
 	}{
 		"get version with valid signature": {
-			signature: []byte("MEUCIQDNn6wiSh9Nz9mtU9RvxvfkH3fNDFGeqopjTIRoBNkyrAIgSsKgdYNQXvPevaLWmmpnj/9WcgrltAQ+KfI+bQfklAo="),
+			signature: []byte("MEQCIBPEbYg89MIQuaGStLhKGLGMKvKFoYCaAniDLwoIwulqAiB+rj7KMaMOMGxmUsjI7KheCXSNM8NzN+tuDw6AywI75A=="), // signed with release key
 			want:      testCfg,
 		},
 		"fail with invalid signature": {
@ -51,13 +49,10 @@ func TestFetchLatestAzureSEVSNPVersion(t *testing.T) {
 					signature: tc.signature,
 				},
 			}
 			require := require.New(t)
 			version, err := versionsapi.NewVersionFromShortPath("stream/debug/v9.9.9", versionsapi.VersionKindImage)
 			require.NoError(err)
 			fetcher := NewWithClient(client)
 			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
 			assert := assert.New(t)
 			res, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background(), version)
 			if tc.wantErr {
 				assert.Error(err)
 			} else {
--- a/internal/config/BUILD.bazel
+++ b/internal/config/BUILD.bazel
@ -53,7 +53,6 @@ go_test(
    embed = [":config"],
    deps = [
        "//internal/api/attestationconfig",
        "//internal/api/versions",
        "//internal/attestation/measurements",
        "//internal/cloud/cloudprovider",
        "//internal/config/instancetypes",
--- a/internal/config/azure.go
+++ b/internal/config/azure.go
@ -13,7 +13,6 @@ import (
 	configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
 	attestationconfigfetcher "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
 	versionsapi "github.com/edgelesssys/constellation/v2/internal/api/versions"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
@ -98,8 +97,8 @@ func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
 }
 // FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
-func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(fetcher attestationconfigfetcher.AttestationConfigAPIFetcher, version versionsapi.Version) error {
+func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(fetcher attestationconfigfetcher.AttestationConfigAPIFetcher) error {
-	versions, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background(), version)
+	versions, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
 	if err != nil {
 		return err
 	}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -32,7 +32,6 @@ import (
 	en_translations "github.com/go-playground/validator/v10/translations/en"
 	attestationconfigfetcher "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
 	versionsapi "github.com/edgelesssys/constellation/v2/internal/api/versions"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@ -393,11 +392,7 @@ func New(fileHandler file.Handler, name string, fetcher attestationconfigfetcher
 	}
 	if azure := c.Attestation.AzureSEVSNP; azure != nil {
-		version, err := versionsapi.NewVersionFromShortPath(c.Image, versionsapi.VersionKindImage)
+		if err := azure.FetchAndSetLatestVersionNumbers(fetcher); err != nil {
 		if err != nil {
 			return nil, err
 		}
 		if err := azure.FetchAndSetLatestVersionNumbers(fetcher, version); err != nil {
 			return c, err
 		}
 	}
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -22,7 +22,6 @@ import (
 	"gopkg.in/yaml.v3"
 	configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
 	versionsapi "github.com/edgelesssys/constellation/v2/internal/api/versions"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
@ -886,13 +885,13 @@ func (f fakeConfigFetcher) FetchAzureSEVSNPVersionList(_ context.Context, _ conf
 	), nil
 }
-func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
+func (f fakeConfigFetcher) FetchAzureSEVSNPVersion(_ context.Context, _ configapi.AzureSEVSNPVersionGet) (configapi.AzureSEVSNPVersionGet, error) {
 	return configapi.AzureSEVSNPVersionGet{
 		AzureSEVSNPVersion: testCfg,
 	}, nil
 }
-func (f fakeConfigFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context, _ versionsapi.Version) (configapi.AzureSEVSNPVersionGet, error) {
+func (f fakeConfigFetcher) FetchAzureSEVSNPVersionLatest(_ context.Context) (configapi.AzureSEVSNPVersionGet, error) {
 	return configapi.AzureSEVSNPVersionGet{
 		AzureSEVSNPVersion: testCfg,
 	}, nil