mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-16 20:36:39 +00:00
111 lines
4.6 KiB
Text
111 lines
4.6 KiB
Text
NAME
|
|
gcloud alpha container binauthz attestations create - create a Binary
|
|
Authorization attestation
|
|
|
|
SYNOPSIS
|
|
gcloud alpha container binauthz attestations create
|
|
--artifact-url=ARTIFACT_URL --public-key-id=PUBLIC_KEY_ID
|
|
--signature-file=SIGNATURE_FILE
|
|
(--attestor=ATTESTOR : --attestor-project=ATTESTOR_PROJECT)
|
|
[--payload-file=PAYLOAD_FILE] [--validate] [GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
(ALPHA) This command creates a Binary Authorization attestation for your
|
|
project. The attestation is created for the specified artifact (e.g. a
|
|
gcr.io container URL), associate with the specified attestor, and stored
|
|
under the specified project.
|
|
|
|
EXAMPLES
|
|
To create an attestation in the project "my_proj" as the attestor with
|
|
resource path "projects/foo/attestors/bar", run:
|
|
|
|
$ gcloud alpha container binauthz attestations create \
|
|
--project=my_proj \
|
|
--artifact-url='gcr.io/example-project/example-image@sha256:abcd\
|
|
' --attestor=projects/foo/attestors/bar \
|
|
--signature-file=signed_artifact_attestation.pgp.sig \
|
|
--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
|
|
|
|
REQUIRED FLAGS
|
|
--artifact-url=ARTIFACT_URL
|
|
Container URL. May be in the gcr.io/repository/image format, or may
|
|
optionally contain the http or https scheme
|
|
|
|
--public-key-id=PUBLIC_KEY_ID
|
|
The ID of the public key that will be used to verify the signature of
|
|
the created Attestation. This ID must match the one found on the
|
|
Attestor resource(s) which will verify this Attestation.
|
|
|
|
For PKIX keys, this will be the URI-formatted id field of the
|
|
associated Attestor public key.
|
|
|
|
For PGP keys, this must be the version 4, full 160-bit fingerprint,
|
|
expressed as a 40 character hexadecimal string. See
|
|
https://tools.ietf.org/html/rfc4880#section-12.2 for details.
|
|
|
|
--signature-file=SIGNATURE_FILE
|
|
Path to file containing the signature to store, or - to read signature
|
|
from stdin.
|
|
|
|
Attestor resource - The Attestor whose Container Analysis Note will be
|
|
used to host the created attestation. In order to successfully attach the
|
|
attestation, the active gcloud account (core/account) must be able to read
|
|
this attestor and must have the containeranalysis.notes.attachOccurrence
|
|
permission for the Attestor's underlying Note resource (usually via the
|
|
containeranalysis.notes.attacher role). The arguments in this group can be
|
|
used to specify the attributes of this resource.
|
|
|
|
This must be specified.
|
|
|
|
--attestor=ATTESTOR
|
|
ID of the attestor or fully qualified identifier for the attestor. To
|
|
set the name attribute:
|
|
▸ provide the argument --attestor on the command line.
|
|
|
|
This flag argument must be specified if any of the other arguments in
|
|
this group are specified.
|
|
|
|
--attestor-project=ATTESTOR_PROJECT
|
|
Project ID of the Google Cloud project for the attestor. To set the
|
|
project attribute:
|
|
▸ provide the argument --attestor on the command line with a fully
|
|
specified name;
|
|
▸ provide the argument --attestor-project on the command line;
|
|
▸ provide the argument --project on the command line;
|
|
▸ set the property core/project.
|
|
|
|
OPTIONAL FLAGS
|
|
--payload-file=PAYLOAD_FILE
|
|
Path to file containing the payload over which the signature was
|
|
calculated.
|
|
|
|
This defaults to the output of the standard payload command:
|
|
|
|
$ gcloud alpha container binauthz create-signature-payload
|
|
|
|
NOTE: If you sign a payload with e.g. different whitespace or
|
|
formatting, you must explicitly provide the payload content via this
|
|
flag.
|
|
|
|
--validate
|
|
Whether to validate that the Attestation can be verified by the
|
|
provided Attestor.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This command is currently in alpha and might change without notice. If this
|
|
command fails with API permission errors despite specifying the correct
|
|
project, you might be trying to access an API with an invitation-only early
|
|
access allowlist. These variants are also available:
|
|
|
|
$ gcloud container binauthz attestations create
|
|
|
|
$ gcloud beta container binauthz attestations create
|
|
|