gcloud alpha container binauthz attestations sign-and-create
- NAME
- gcloud alpha container binauthz attestations sign-and-create - sign and create a Binary Authorization Attestation using a Cloud KMS key
- SYNOPSIS
gcloud alpha container binauthz attestations sign-and-create--artifact-url=ARTIFACT_URL(--keyversion=KEYVERSION:--keyversion-key=KEYVERSION_KEY--keyversion-keyring=KEYVERSION_KEYRING--keyversion-location=KEYVERSION_LOCATION--keyversion-project=KEYVERSION_PROJECT)[--dsse-type=DSSE_TYPE; default="application/vnd.dev.cosign.simplesigning.v1+json"][--pae-encode-payload][--public-key-id-override=PUBLIC_KEY_ID_OVERRIDE][[--note=NOTE:--note-project=NOTE_PROJECT] |--validate[--attestor=ATTESTOR:--attestor-project=ATTESTOR_PROJECT]][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(ALPHA)This command signs and creates a Binary Authorizationattestation for your project. The attestation is created for the specifiedartifact (e.g. a gcr.io container URL), associate with the specified attestor,and stored under the specified project.- EXAMPLES
- To sign and create an attestation in the project "my_proj" as the attestor withresource path "projects/foo/attestors/bar" with the key"projects/foo/locations/us-west1/keyRings/aring/cryptoKeys/akey/cryptoKeyVersions/1",run:
gcloudalphacontainerbinauthzattestationssign-and-create--project=my_proj--artifact-url='gcr.io/example-project/example-image@sha256:abcd'--attestor=projects/foo/attestors/bar--keyversion-project=foo--keyversion-location=us-west1--keyversion-keyring=aring--keyversion-key=akey--keyversion=1To sign and create an attestation in the project "my_proj" in note "bar" withthe key"projects/foo/locations/us-west1/keyRings/aring/cryptoKeys/akey/cryptoKeyVersions/1",run:
gcloudalphacontainerbinauthzattestationssign-and-create--project=my_proj--artifact-url='gcr.io/example-project/example-image@sha256:abcd'--note=projects/my_proj/notes/bar--keyversion-project=foo--keyversion-location=us-west1--keyversion-keyring=aring--keyversion-key=akey--keyversion=1 - REQUIRED FLAGS
--artifact-url=ARTIFACT_URL- Container URL. May be in the
gcr.io/repository/imageformat, or mayoptionally contain thehttporhttpsscheme - CryptoKeyVersion resource - The Cloud KMS (Key Management Service)CryptoKeyVersion to use to sign the attestation payload. The arguments in thisgroup can be used to specify the attributes of this resource.
This must be specified.
--keyversion=KEYVERSION- ID of the CryptoKeyVersion or fully qualified identifier for theCryptoKeyVersion.
To set the
versionattribute:- provide the argument
--keyversionon the command line.
This flag argument must be specified if any of the other arguments in this groupare specified.
- provide the argument
--keyversion-key=KEYVERSION_KEY- The key of the CryptoKeyVersion.
To set the
keyattribute:- provide the argument
--keyversionon the command line with a fullyspecified name; - provide the argument
--keyversion-keyon the command line.
- provide the argument
--keyversion-keyring=KEYVERSION_KEYRING- The keyring of the CryptoKeyVersion.
To set the
keyringattribute:- provide the argument
--keyversionon the command line with a fullyspecified name; - provide the argument
--keyversion-keyringon the command line.
- provide the argument
--keyversion-location=KEYVERSION_LOCATION- The location of the CryptoKeyVersion.
To set the
locationattribute:- provide the argument
--keyversionon the command line with a fullyspecified name; - provide the argument
--keyversion-locationon the command line.
- provide the argument
--keyversion-project=KEYVERSION_PROJECT- Project ID of the Google Cloud project for the CryptoKeyVersion.
To set the
projectattribute:- provide the argument
--keyversionon the command line with a fullyspecified name; - provide the argument
--keyversion-projecton the command line; - provide the argument
--projecton the command line; - set the property
core/project.
- provide the argument
- OPTIONAL FLAGS
--dsse-type=DSSE_TYPE; default="application/vnd.dev.cosign.simplesigning.v1+json"- DSSE type used for pae encoding.
--pae-encode-payload- Whether to pae-encode the payload before signing.
--public-key-id-override=PUBLIC_KEY_ID_OVERRIDE- If provided, the ID of the public key that will be used to verify theAttestation instead of the default generated one. This ID should match the onefound on the Attestor resource(s) which will use this Attestation.
This parameter is only necessary if the
--public-key-id-overrideflag was provided when this KMS key was added to the Attestor. - At most one of these can be specified:
- Note resource - The Container Analysis Note which will be used to host thecreated attestation. In order to successfully attach the attestation, the activegcloud account (core/account) must have the
containeranalysis.notes.attachOccurrencepermission for the Note(usually via thecontaineranalysis.notes.attacherrole). Thearguments in this group can be used to specify the attributes of this resource. --note=NOTE- ID of the note or fully qualified identifier for the note.
To set the
noteattribute:- provide the argument
--noteon the command line.
This flag argument must be specified if any of the other arguments in this groupare specified.
- provide the argument
--note-project=NOTE_PROJECT- The Container Analysis project for the note.
To set the
projectattribute:- provide the argument
--noteon the command line with a fullyspecified name; - provide the argument
--note-projecton the command line.
- provide the argument
--validate- Whether to validate that the Attestation can be verified by the providedAttestor.
- Attestor resource - The Attestor whose Container Analysis Note will be used tohost the created attestation. In order to successfully attach the attestation,the active gcloud account (core/account) must be able to read this attestor andmust have the
containeranalysis.notes.attachOccurrencepermissionfor the Attestor's underlying Note resource (usually via thecontaineranalysis.notes.attacherrole). The arguments in this groupcan be used to specify the attributes of this resource. --attestor=ATTESTOR- ID of the attestor or fully qualified identifier for the attestor.
To set the
nameattribute:- provide the argument
--attestoron the command line.
This flag argument must be specified if any of the other arguments in this groupare specified.
- provide the argument
--attestor-project=ATTESTOR_PROJECT- Project ID of the Google Cloud project for the attestor.
To set the
projectattribute:- provide the argument
--attestoron the command line with a fullyspecified name; - provide the argument
--attestor-projecton the command line; - provide the argument
--projecton the command line; - set the property
core/project.
- provide the argument
- Note resource - The Container Analysis Note which will be used to host thecreated attestation. In order to successfully attach the attestation, the activegcloud account (core/account) must have the
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. This variant is also available:
gcloudbetacontainerbinauthzattestationssign-and-create
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-01-21 UTC.