REST Resource: projects.attestors

Stay organized with collections Save and categorize content based on your preferences.

Resource: Attestor

An attestor that attests to container image artifacts. An existing attestor cannot be modified except where indicated.

JSON representation 
{
  "name": string,
  "description": string,
  "updateTime": string,
  "etag": string,

  // Union field attestor_type can be only one of the following:
  "userOwnedGrafeasNote": {
    object (UserOwnedGrafeasNote)
  }
  // End of list of possible types for union field attestor_type.
}
Fields
name

string

Required. The resource name, in the format: projects/*/attestors/*. This field may not be updated.
description

string

Optional. A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
updateTime

string (Timestamp format)

Output only. Time when the attestor was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
etag

string

Optional. A checksum, returned by the server, that can be sent on update requests to ensure the attestor has an up-to-date value before attempting to update it. See https://google.aip.dev/154.

Union field attestor_type.

attestor_type can be only one of the following:
userOwnedGrafeasNote

object (UserOwnedGrafeasNote)

This specifies how an attestation will be read, and how it will be used during policy enforcement.

UserOwnedGrafeasNote

An user owned Grafeas note references a Grafeas Attestation.Authority Note created by the user.

JSON representation 
{
  "noteReference": string,
  "publicKeys": [
    {
      object (AttestorPublicKey)
    }
  ],
  "delegationServiceAccountEmail": string
}
Fields
noteReference

string

Required. The Grafeas resource name of a Attestation.Authority Note, created by the user, in the format: projects/*/notes/*. This field may not be updated.

An attestation by this attestor is stored as a Grafeas Attestation.Authority Occurrence that names a container image and that links to this Note. Grafeas is an external dependency.
publicKeys[]

object (AttestorPublicKey)

Optional. Public keys that verify attestations signed by this attestor. This field may be updated.

If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request.

If this field is empty, this attestor always returns that no valid attestations exist.
delegationServiceAccountEmail

string

Output only. This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the [noteReference][Note] in Container Analysis (containeranalysis.notes.occurrences.viewer).

This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

AttestorPublicKey

An attestor public key that will be used to verify attestations signed by this attestor.

JSON representation 
{
  "comment": string,
  "id": string,

  // Union field public_key can be only one of the following:
  "asciiArmoredPgpPublicKey": string,
  "pkixPublicKey": {
    object (PkixPublicKey)
  }
  // End of list of possible types for union field public_key.
}
Fields
comment

string

Optional. A descriptive comment. This field may be updated.
id

string

The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.

Union field public_key.

public_key can be only one of the following:
asciiArmoredPgpPublicKey

string

ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
pkixPublicKey

object (PkixPublicKey)

A raw PKIX SubjectPublicKeyInfo format public key.

NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key.

PkixPublicKey

A public key in the PkixPublicKey format (see https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details). Public keys of this type are typically textually encoded using the PEM format.

JSON representation 
{
  "publicKeyPem": string,
  "signatureAlgorithm": enum (SignatureAlgorithm)
}
Fields
publicKeyPem

string

A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm

enum (SignatureAlgorithm)

The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).

SignatureAlgorithm

Represents a signature algorithm and other information necessary to verify signatures with a given public key. This is based primarily on the public key types supported by Tink's PemKeyType, which is in turn based on KMS's supported signing algorithms. See https://cloud.google.com/kms/docs/algorithms. In the future, BinAuthz might support additional public key types independently of Tink and/or KMS.

Enums
SIGNATURE_ALGORITHM_UNSPECIFIED Not specified.
RSA_PSS_2048_SHA256 RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS_2048_SHA256 RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_PSS_3072_SHA256 RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS_3072_SHA256 RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_PSS_4096_SHA256 RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PSS_4096_SHA256 RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_PSS_4096_SHA512 RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PSS_4096_SHA512 RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PKCS1_2048_SHA256 RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_3072_SHA256 RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA256 RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA512 RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
ECDSA_P256_SHA256 ECDSA on the NIST P-256 curve with a SHA256 digest.
EC_SIGN_P256_SHA256 ECDSA on the NIST P-256 curve with a SHA256 digest.
ECDSA_P384_SHA384 ECDSA on the NIST P-384 curve with a SHA384 digest.
EC_SIGN_P384_SHA384 ECDSA on the NIST P-384 curve with a SHA384 digest.
ECDSA_P521_SHA512 ECDSA on the NIST P-521 curve with a SHA512 digest.
EC_SIGN_P521_SHA512 ECDSA on the NIST P-521 curve with a SHA512 digest.

Methods

create

 Creates an attestor, and returns a copy of the new attestor.

delete

 Deletes an attestor.

get

 Gets an attestor.

getIamPolicy

 Gets the access control policy for a resource.

list

 Lists attestors.

setIamPolicy

 Sets the access control policy on the specified resource.

testIamPermissions

 Returns permissions that a caller has on the specified resource.

update

 Updates an attestor.

validateAttestationOccurrence

 Returns whether the given Attestation for the given image URI was signed by the given Attestor