REST Resource: projects.attestors

Resource: Attestor

An attestor that attests to container image artifacts. An existing attestor cannot be modified except where indicated.

JSON representation
{
  "name": string,
  "description": string,
  "updateTime": string,
  "userOwnedDrydockNote": {
    object(UserOwnedDrydockNote)
  }
}
Fields
name

string

Required. The resource name, in the format: projects/*/attestors/*. This field may not be updated.

description

string

Optional. A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

updateTime

string (Timestamp format)

Output only. Time when the attestor was last updated.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

userOwnedDrydockNote

object(UserOwnedDrydockNote)

A Drydock ATTESTATION_AUTHORITY Note, created by the user.

UserOwnedDrydockNote

A user-owned Drydock note references a Drydock ATTESTATION_AUTHORITY Note created by the user.

JSON representation
{
  "noteReference": string,
  "publicKeys": [
    {
      object(AttestorPublicKey)
    }
  ],
  "delegationServiceAccountEmail": string
}
Fields
noteReference

string

Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note, created by the user, in the format: projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated.

An attestation by this attestor is stored as a Drydock ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note. Drydock is an external dependency.

publicKeys[]

object(AttestorPublicKey)

Optional. Public keys that verify attestations signed by this attestor. This field may be updated.

If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request.

If this field is empty, this attestor always reports that no valid attestations exist.

delegationServiceAccountEmail

string

Output only. This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the Note referenced by noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer).

This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

AttestorPublicKey

An attestor public key that will be used to verify attestations signed by this attestor.

JSON representation
{
  "comment": string,
  "id": string,
  "asciiArmoredPgpPublicKey": string
}
Fields
comment

string

Optional. A descriptive comment. This field may be updated.

id

string

Output only. This field will be overwritten with key ID information, for example, an identifier extracted from a PGP public key. This field may not be updated.

asciiArmoredPgpPublicKey

string

ASCII-armored representation of a PGP public key, as the entire output of the command gpg --export --armor foo@example.com (either LF or CRLF line endings).
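As an added example that is not part of this reference or of the Binary Authorization API itself, the following Python pre-flight lint checks an Attestor request body against the constraints stated in the Attestor, UserOwnedDrydockNote and AttestorPublicKey sections above: resource-name formats, fields marked output only, the documented consequence of an empty publicKeys list, and the ASCII-armor form of each key. It assumes that each `*` in a documented resource-name format stands for one path segment; the sample body and its key block are constructed placeholders.

```python
import re

# Resource-name patterns taken from the field descriptions above (each * read as one path segment).
ATTESTOR_NAME = re.compile(r"^projects/[^/]+/attestors/[^/]+$")
NOTE_REF = re.compile(r"^(projects|providers)/[^/]+/notes/[^/]+$")
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def _armored(key: str) -> bool:
    """True if key is a complete ASCII-armored block (LF or CRLF line endings accepted)."""
    lines = key.replace("\r\n", "\n").strip().split("\n")
    return len(lines) >= 3 and lines[0] == ARMOR_BEGIN and lines[-1] == ARMOR_END


def lint_attestor(body: dict) -> list:
    """Return the problems found in an Attestor request body; an empty list means it passes."""
    problems = []
    if not ATTESTOR_NAME.match(body.get("name", "")):
        problems.append("name must match projects/*/attestors/*")
    if "updateTime" in body:
        problems.append("updateTime is output only")
    note = body.get("userOwnedDrydockNote", {})
    if not NOTE_REF.match(note.get("noteReference", "")):
        problems.append("noteReference must match projects/*/notes/* or providers/*/notes/*")
    if "delegationServiceAccountEmail" in note:
        problems.append("delegationServiceAccountEmail is output only")
    keys = note.get("publicKeys", [])
    if not keys:  # allowed by the API, but then no attestation can ever be reported valid
        problems.append("publicKeys is empty: this attestor will never report a valid attestation")
    for i, key in enumerate(keys):
        if "id" in key:
            problems.append(f"publicKeys[{i}].id is output only")
        if not _armored(key.get("asciiArmoredPgpPublicKey", "")):
            problems.append(f"publicKeys[{i}].asciiArmoredPgpPublicKey is not an armored PGP block")
    return problems


# Constructed sample body; the key block is a placeholder, not real key material.
SAMPLE = {
    "name": "projects/example-project/attestors/build-verifier",
    "description": "Signs images that passed CI",
    "userOwnedDrydockNote": {
        "noteReference": "projects/example-project/notes/build-verifier-note",
        "publicKeys": [{
            "comment": "CI signing key",
            "asciiArmoredPgpPublicKey": ARMOR_BEGIN + "\r\n\r\nPLACEHOLDER\r\n=abcd\r\n" + ARMOR_END + "\r\n",
        }],
    },
}
```

Running `lint_attestor(SAMPLE)` returns an empty list; the same function applied to a body with a bare `attestors/x` name or a caller-set `updateTime` lists each violation by field.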

Methods

create

Creates an attestor, and returns a copy of the new attestor.

delete

Deletes an attestor.

get

Gets an attestor.

getIamPolicy

Gets the access control policy for a resource.

list

Lists attestors.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.

update

Updates an attestor.
