- NAME
-
- gcloud alpha container binauthz attestors public-keys add - add a public key to an Attestor
- SYNOPSIS
-
-
gcloud alpha container binauthz attestors public-keys add
--attestor
=ATTESTOR
(--pgp-public-key-file
=PATH_TO_FILE
| (--keyversion
=KEYVERSION
:--keyversion-key
=KEYVERSION_KEY
--keyversion-keyring
=KEYVERSION_KEYRING
--keyversion-location
=KEYVERSION_LOCATION
--keyversion-project
=KEYVERSION_PROJECT
) |--pkix-public-key-algorithm
=PKIX_PUBLIC_KEY_ALGORITHM
--pkix-public-key-file
=PATH_TO_FILE
) [--comment
=COMMENT
] [--public-key-id-override
=PUBLIC_KEY_ID_OVERRIDE
] [GCLOUD_WIDE_FLAG …
]
-
- EXAMPLES
-
To add a new KMS public key to an existing Attestor
my_attestor
:gcloud alpha container binauthz attestors public-keys add --attestor=my_attestor --keyversion-project=foo --keyversion-location=us-west1 --keyversion-keyring=aring --keyversion-key=akey --keyversion=1
To add a new PGP public key to an existing Attestor
my_attestor
:gcloud alpha container binauthz attestors public-keys add --attestor=my_attestor --pgp-public-key-file=my_key.pub
- REQUIRED FLAGS
-
-
Attestor resource - The attestor to which the public key should be added. This
represents a Cloud resource. (NOTE) Some attributes are not given arguments in
this group but can be set in other ways.
To set the
project
attribute:-
provide the argument
--attestor
on the command line with a fully specified name; -
provide the argument
--project
on the command line; -
set the property
core/project
.
This must be specified.
--attestor
=ATTESTOR
-
ID of the attestor or fully qualified identifier for the attestor.
To set the
name
attribute:-
provide the argument
--attestor
on the command line.
-
provide the argument
-
provide the argument
-
Exactly one of these must be specified:
-
PGP key definition
--pgp-public-key-file
=PATH_TO_FILE
- The path to the file containing the ASCII-armored PGP public key to add. Use a full or relative path to a local file containing the value of pgp_public_key_file.
-
Cloud KMS key definition
-
CryptoKeyVersion resource - The Cloud KMS (Key Management Service)
CryptoKeyVersion whose public key will be added to the attestor. The arguments
in this group can be used to specify the attributes of this resource.
This must be specified.
--keyversion
=KEYVERSION
-
ID of the CryptoKeyVersion or fully qualified identifier for the
CryptoKeyVersion.
To set the
version
attribute:-
provide the argument
--keyversion
on the command line.
This flag argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--keyversion-key
=KEYVERSION_KEY
-
The key of the CryptoKeyVersion.
To set the
key
attribute:-
provide the argument
--keyversion
on the command line with a fully specified name; -
provide the argument
--keyversion-key
on the command line.
-
provide the argument
--keyversion-keyring
=KEYVERSION_KEYRING
-
The keyring of the CryptoKeyVersion.
To set the
keyring
attribute:-
provide the argument
--keyversion
on the command line with a fully specified name; -
provide the argument
--keyversion-keyring
on the command line.
-
provide the argument
--keyversion-location
=KEYVERSION_LOCATION
-
The location of the CryptoKeyVersion.
To set the
location
attribute:-
provide the argument
--keyversion
on the command line with a fully specified name; -
provide the argument
--keyversion-location
on the command line.
-
provide the argument
--keyversion-project
=KEYVERSION_PROJECT
-
Project ID of the Google Cloud project for the CryptoKeyVersion.
To set the
project
attribute:-
provide the argument
--keyversion
on the command line with a fully specified name; -
provide the argument
--keyversion-project
on the command line; -
provide the argument
--project
on the command line; -
set the property
core/project
.
-
provide the argument
-
CryptoKeyVersion resource - The Cloud KMS (Key Management Service)
CryptoKeyVersion whose public key will be added to the attestor. The arguments
in this group can be used to specify the attributes of this resource.
-
PKIX key definition
--pkix-public-key-algorithm
=PKIX_PUBLIC_KEY_ALGORITHM
-
The signing algorithm of the associated key. This will be used to verify the
signatures associated with this key.
PKIX_PUBLIC_KEY_ALGORITHM
must be one of:ec-sign-p256-sha256
,ec-sign-p384-sha384
,ec-sign-p521-sha512
,ecdsa-p256-sha256
,ecdsa-p384-sha384
,ecdsa-p521-sha512
,rsa-pss-2048-sha256
,rsa-pss-3072-sha256
,rsa-pss-4096-sha256
,rsa-pss-4096-sha512
,rsa-sign-pkcs1-2048-sha256
,rsa-sign-pkcs1-3072-sha256
,rsa-sign-pkcs1-4096-sha256
,rsa-sign-pkcs1-4096-sha512
,rsa-sign-pss-2048-sha256
,rsa-sign-pss-3072-sha256
,rsa-sign-pss-4096-sha256
,rsa-sign-pss-4096-sha512
.This flag argument must be specified if any of the other arguments in this group are specified.
--pkix-public-key-file
=PATH_TO_FILE
-
The path to the file containing the PKIX public key to add. Use a full or
relative path to a local file containing the value of pkix_public_key_file.
This flag argument must be specified if any of the other arguments in this group are specified.
-
PGP key definition
-
Attestor resource - The attestor to which the public key should be added. This
represents a Cloud resource. (NOTE) Some attributes are not given arguments in
this group but can be set in other ways.
- OPTIONAL FLAGS
-
--comment
=COMMENT
- The comment describing the public key.
--public-key-id-override
=PUBLIC_KEY_ID_OVERRIDE
-
If provided, the ID to replace the default API-generated one. All IDs must be
valid URIs as defined by RFC 3986 (https://tools.ietf.org/html/rfc3986).
When creating Attestations to be verified by this key, one must always provide this custom ID as the public key ID.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation-only early access
allowlist. These variants are also available:
gcloud container binauthz attestors public-keys add
gcloud beta container binauthz attestors public-keys add
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-30 UTC.