mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-13 08:27:05 +00:00
147 lines
6.1 KiB
Text
147 lines
6.1 KiB
Text
NAME
|
|
gcloud beta container binauthz attestations create - create a Binary
|
|
Authorization attestation
|
|
|
|
SYNOPSIS
|
|
gcloud beta container binauthz attestations create
|
|
--artifact-url=ARTIFACT_URL --public-key-id=PUBLIC_KEY_ID
|
|
--signature-file=SIGNATURE_FILE [--payload-file=PAYLOAD_FILE]
|
|
[[--note=NOTE : --note-project=NOTE_PROJECT]
|
|
| --validate [--attestor=ATTESTOR
|
|
: --attestor-project=ATTESTOR_PROJECT]] [GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
(BETA) This command creates a Binary Authorization attestation for your
|
|
project. The attestation is created for the specified artifact (e.g. a
|
|
gcr.io container URL), associate with the specified attestor, and stored
|
|
under the specified project.
|
|
|
|
EXAMPLES
|
|
To create an attestation in the project "my_proj" as the attestor with
|
|
resource path "projects/foo/attestors/bar", run:
|
|
|
|
$ gcloud beta container binauthz attestations create \
|
|
--project=my_proj \
|
|
--artifact-url=gcr.io/example-project/\
|
|
example-image@sha256:abcd --attestor=projects/foo/attestors/bar \
|
|
--signature-file=signed_artifact_attestation.pgp.sig \
|
|
--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
|
|
|
|
To create an attestation in the project "my_proj" in note
|
|
"projects/foo/notes/bar", run:
|
|
|
|
$ gcloud beta container binauthz attestations create \
|
|
--project=my_proj \
|
|
--artifact-url='gcr.io/example-project/example-image@sha256:abcd\
|
|
' --note=projects/foo/notes/bar \
|
|
--signature-file=signed_artifact_attestation.pgp.sig \
|
|
--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
|
|
|
|
REQUIRED FLAGS
|
|
--artifact-url=ARTIFACT_URL
|
|
Container URL. May be in the gcr.io/repository/image format, or may
|
|
optionally contain the http or https scheme
|
|
|
|
--public-key-id=PUBLIC_KEY_ID
|
|
The ID of the public key that will be used to verify the signature of
|
|
the created Attestation. This ID must match the one found on the
|
|
Attestor resource(s) which will verify this Attestation.
|
|
|
|
For PKIX keys, this will be the URI-formatted id field of the
|
|
associated Attestor public key.
|
|
|
|
For PGP keys, this must be the version 4, full 160-bit fingerprint,
|
|
expressed as a 40 character hexadecimal string. See
|
|
https://tools.ietf.org/html/rfc4880#section-12.2 for details.
|
|
|
|
--signature-file=SIGNATURE_FILE
|
|
Path to file containing the signature to store, or - to read signature
|
|
from stdin.
|
|
|
|
OPTIONAL FLAGS
|
|
--payload-file=PAYLOAD_FILE
|
|
Path to file containing the payload over which the signature was
|
|
calculated.
|
|
|
|
This defaults to the output of the standard payload command:
|
|
|
|
$ gcloud beta container binauthz create-signature-payload
|
|
|
|
NOTE: If you sign a payload with e.g. different whitespace or
|
|
formatting, you must explicitly provide the payload content via this
|
|
flag.
|
|
|
|
At most one of these can be specified:
|
|
|
|
Note resource - The Container Analysis Note which will be used to host
|
|
the created attestation. In order to successfully attach the
|
|
attestation, the active gcloud account (core/account) must have the
|
|
containeranalysis.notes.attachOccurrence permission for the Note
|
|
(usually via the containeranalysis.notes.attacher role). The arguments
|
|
in this group can be used to specify the attributes of this resource.
|
|
|
|
--note=NOTE
|
|
ID of the note or fully qualified identifier for the note.
|
|
|
|
To set the note attribute:
|
|
▫ provide the argument --note on the command line.
|
|
|
|
This flag argument must be specified if any of the other arguments
|
|
in this group are specified.
|
|
|
|
--note-project=NOTE_PROJECT
|
|
The Container Analysis project for the note.
|
|
|
|
To set the project attribute:
|
|
▫ provide the argument --note on the command line with a fully
|
|
specified name;
|
|
▫ provide the argument --note-project on the command line.
|
|
|
|
--validate
|
|
Whether to validate that the Attestation can be verified by the
|
|
provided Attestor.
|
|
|
|
Attestor resource - The Attestor whose Container Analysis Note will be
|
|
used to host the created attestation. In order to successfully attach
|
|
the attestation, the active gcloud account (core/account) must be able
|
|
to read this attestor and must have the
|
|
containeranalysis.notes.attachOccurrence permission for the Attestor's
|
|
underlying Note resource (usually via the
|
|
containeranalysis.notes.attacher role). The arguments in this group can
|
|
be used to specify the attributes of this resource.
|
|
|
|
--attestor=ATTESTOR
|
|
ID of the attestor or fully qualified identifier for the attestor.
|
|
|
|
To set the name attribute:
|
|
▫ provide the argument --attestor on the command line.
|
|
|
|
This flag argument must be specified if any of the other arguments
|
|
in this group are specified.
|
|
|
|
--attestor-project=ATTESTOR_PROJECT
|
|
Project ID of the Google Cloud project for the attestor.
|
|
|
|
To set the project attribute:
|
|
▫ provide the argument --attestor on the command line with a
|
|
fully specified name;
|
|
▫ provide the argument --attestor-project on the command line;
|
|
▫ provide the argument --project on the command line;
|
|
▫ set the property core/project.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This command is currently in beta and might change without notice. These
|
|
variants are also available:
|
|
|
|
$ gcloud container binauthz attestations create
|
|
|
|
$ gcloud alpha container binauthz attestations create
|
|
|