- NAME
-
- gcloud container binauthz attestations create - create a Binary Authorization attestation
- SYNOPSIS
-
-
gcloud container binauthz attestations create
--artifact-url
=ARTIFACT_URL
--public-key-id
=PUBLIC_KEY_ID
--signature-file
=SIGNATURE_FILE
[--payload-file
=PAYLOAD_FILE
] [[--note
=NOTE
:--note-project
=NOTE_PROJECT
] |--validate
[--attestor
=ATTESTOR
:--attestor-project
=ATTESTOR_PROJECT
]] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
- This command creates a Binary Authorization attestation for your project. The attestation is created for the specified artifact (e.g. a gcr.io container URL), associate with the specified attestor, and stored under the specified project.
- EXAMPLES
-
To create an attestation in the project "my_proj" as the attestor with resource
path "projects/foo/attestors/bar", run:
gcloud container binauthz attestations create --project=my_proj --artifact-url='gcr.io/example-project/example-image@sha256:abcd' --attestor=projects/foo/attestors/bar --signature-file=signed_artifact_attestation.pgp.sig --public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
To create an attestation in the project "my_proj" in note "projects/foo/notes/bar", run:
gcloud container binauthz attestations create --project=my_proj --artifact-url='gcr.io/example-project/example-image@sha256:abcd' --note=projects/foo/notes/bar --signature-file=signed_artifact_attestation.pgp.sig --public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
- REQUIRED FLAGS
-
--artifact-url
=ARTIFACT_URL
-
Container URL. May be in the
gcr.io/repository/image
format, or may optionally contain thehttp
orhttps
scheme --public-key-id
=PUBLIC_KEY_ID
-
The ID of the public key that will be used to verify the signature of the
created Attestation. This ID must match the one found on the Attestor
resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details.
--signature-file
=SIGNATURE_FILE
-
Path to file containing the signature to store, or
-
to read signature from stdin.
- OPTIONAL FLAGS
-
--payload-file
=PAYLOAD_FILE
-
Path to file containing the payload over which the signature was calculated.
This defaults to the output of the standard payload command:
gcloud container binauthz create-signature-payload
NOTE: If you sign a payload with e.g. different whitespace or formatting, you must explicitly provide the payload content via this flag.
-
At most one of these can be specified:
-
Note resource - The Container Analysis Note which will be used to host the
created attestation. In order to successfully attach the attestation, the active
gcloud account (core/account) must have the
containeranalysis.notes.attachOccurrence
permission for the Note (usually via thecontaineranalysis.notes.attacher
role). The arguments in this group can be used to specify the attributes of this resource.--note
=NOTE
-
ID of the note or fully qualified identifier for the note.
To set the
note
attribute:-
provide the argument
--note
on the command line.
This flag argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--note-project
=NOTE_PROJECT
-
The Container Analysis project for the note.
To set the
project
attribute:-
provide the argument
--note
on the command line with a fully specified name; -
provide the argument
--note-project
on the command line.
-
provide the argument
--validate
- Whether to validate that the Attestation can be verified by the provided Attestor.
-
Attestor resource - The Attestor whose Container Analysis Note will be used to
host the created attestation. In order to successfully attach the attestation,
the active gcloud account (core/account) must be able to read this attestor and
must have the
containeranalysis.notes.attachOccurrence
permission for the Attestor's underlying Note resource (usually via thecontaineranalysis.notes.attacher
role). The arguments in this group can be used to specify the attributes of this resource.--attestor
=ATTESTOR
-
ID of the attestor or fully qualified identifier for the attestor.
To set the
name
attribute:-
provide the argument
--attestor
on the command line.
This flag argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--attestor-project
=ATTESTOR_PROJECT
-
Project ID of the Google Cloud project for the attestor.
To set the
project
attribute:-
provide the argument
--attestor
on the command line with a fully specified name; -
provide the argument
--attestor-project
on the command line; -
provide the argument
--project
on the command line; -
set the property
core/project
.
-
provide the argument
-
Note resource - The Container Analysis Note which will be used to host the
created attestation. In order to successfully attach the attestation, the active
gcloud account (core/account) must have the
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
These variants are also available:
gcloud alpha container binauthz attestations create
gcloud beta container binauthz attestations create
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-02-06 UTC.