gcloud_alpha_container_binauthz_attestations

gcloud_alpha_container_binauthz_attestations_create (1)

NAME

: gcloud alpha container binauthz attestations create - create a Binary Authorization attestation

SYNOPSIS

gcloud alpha container binauthz attestations create --artifact-url=ARTIFACT_URL --pgp-key-fingerprint=PGP_KEY_FINGERPRINT --signature-file=SIGNATURE_FILE (--attestor=ATTESTOR : --attestor-project=ATTESTOR_PROJECT) [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

(ALPHA) This command creates a Binary Authorization attestation for your

project. The attestation is created for the specified artifact (e.g. a grc.io container URL), associate with the specified attestor, and stored under the specified project.

REQUIRED FLAGS

--artifact-url=ARTIFACT_URL

Container URL. May be in the .gcr.io/repository/image format, or may optionally contain the http or https scheme

--pgp-key-fingerprint=PGP_KEY_FINGERPRINT

The cryptographic ID of the key used to generate the signature. For Binary Authorization, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexidecimal string. See tools.ietf.org/html/rfc4880#section-12.2 for details.

--signature-file=SIGNATURE_FILE

Path to file containing the signature to store, or - to read signature from stdin.

Attestor resource - The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the containeranalysis.notes.attachOccurrence permission for the Attestor's underlying Note resource (usually via the containeranalysis.notes.attacher role). The arguments in this group can be used to specify the attributes of this resource. This must be specified.

--attestor=ATTESTOR: ID of the attestor or fully qualified identifier for the attestor. This flag must be specified if any of the other arguments in this group are specified.
--attestor-project=ATTESTOR_PROJECT: The Cloud project for the attestor.

GCLOUD WIDE FLAGS

These flags are available to all commands: --account, --configuration, --flags-file, --flatten, --format, --help, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details.

EXAMPLES

To create an attestation in the project "my_proj" as the attestor with resource path "projects/foo/attestors/bar", run:

: $ gcloud alpha container binauthz attestations create \
    --project=my_proj \
    --artifact-url='gcr.io/example-project/example-image@sha256:abcd' \
    --attestor=projects/foo/attestors/bar \
    --signature-file=signed_artifact_attestation.pgp.sig \
    --pgp-key-fingerprint=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF

NOTES

This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you will have to apply for early access and have your projects registered on the API whitelist to use it. To do so, contact Support at cloud.google.com/support This variant is also available:

: $ gcloud beta container binauthz attestations create

gcloud_alpha_container_binauthz_attestations_create • man page

gcloud_alpha_container_binauthz_attestations_create • man page