1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-16 20:36:39 +00:00
gcloud-help/gcloud/alpha/container/binauthz/attestations/create
2022-08-10 08:48:58 +00:00

111 lines
4.6 KiB
Text

NAME
gcloud alpha container binauthz attestations create - create a Binary
Authorization attestation
SYNOPSIS
gcloud alpha container binauthz attestations create
--artifact-url=ARTIFACT_URL --public-key-id=PUBLIC_KEY_ID
--signature-file=SIGNATURE_FILE
(--attestor=ATTESTOR : --attestor-project=ATTESTOR_PROJECT)
[--payload-file=PAYLOAD_FILE] [--validate] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) This command creates a Binary Authorization attestation for your
project. The attestation is created for the specified artifact (e.g. a
gcr.io container URL), associate with the specified attestor, and stored
under the specified project.
EXAMPLES
To create an attestation in the project "my_proj" as the attestor with
resource path "projects/foo/attestors/bar", run:
$ gcloud alpha container binauthz attestations create \
--project=my_proj \
--artifact-url='gcr.io/example-project/example-image@sha256:abcd\
' --attestor=projects/foo/attestors/bar \
--signature-file=signed_artifact_attestation.pgp.sig \
--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
REQUIRED FLAGS
--artifact-url=ARTIFACT_URL
Container URL. May be in the gcr.io/repository/image format, or may
optionally contain the http or https scheme
--public-key-id=PUBLIC_KEY_ID
The ID of the public key that will be used to verify the signature of
the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PKIX keys, this will be the URI-formatted id field of the
associated Attestor public key.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details.
--signature-file=SIGNATURE_FILE
Path to file containing the signature to store, or - to read signature
from stdin.
Attestor resource - The Attestor whose Container Analysis Note will be
used to host the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must be able to read
this attestor and must have the containeranalysis.notes.attachOccurrence
permission for the Attestor's underlying Note resource (usually via the
containeranalysis.notes.attacher role). The arguments in this group can be
used to specify the attributes of this resource.
This must be specified.
--attestor=ATTESTOR
ID of the attestor or fully qualified identifier for the attestor. To
set the name attribute:
▸ provide the argument --attestor on the command line.
This flag argument must be specified if any of the other arguments in
this group are specified.
--attestor-project=ATTESTOR_PROJECT
Project ID of the Google Cloud project for the attestor. To set the
project attribute:
▸ provide the argument --attestor on the command line with a fully
specified name;
▸ provide the argument --attestor-project on the command line;
▸ provide the argument --project on the command line;
▸ set the property core/project.
OPTIONAL FLAGS
--payload-file=PAYLOAD_FILE
Path to file containing the payload over which the signature was
calculated.
This defaults to the output of the standard payload command:
$ gcloud alpha container binauthz create-signature-payload
NOTE: If you sign a payload with e.g. different whitespace or
formatting, you must explicitly provide the payload content via this
flag.
--validate
Whether to validate that the Attestation can be verified by the
provided Attestor.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud container binauthz attestations create
$ gcloud beta container binauthz attestations create