gcloud container binauthz attestations create

NAME
gcloud container binauthz attestations create - create a Binary Authorization attestation
SYNOPSIS
gcloud container binauthz attestations create--artifact-url=ARTIFACT_URL--public-key-id=PUBLIC_KEY_ID--signature-file=SIGNATURE_FILE[--payload-file=PAYLOAD_FILE][[--note=NOTE :--note-project=NOTE_PROJECT]    |--validate [--attestor=ATTESTOR :--attestor-project=ATTESTOR_PROJECT]][GCLOUD_WIDE_FLAG]
DESCRIPTION
This command creates a Binary Authorization attestation for your project. Theattestation is created for the specified artifact (e.g. a gcr.io container URL),associate with the specified attestor, and stored under the specified project.
EXAMPLES
To create an attestation in the project "my_proj" as the attestor with resourcepath "projects/foo/attestors/bar", run:
gcloudcontainerbinauthzattestationscreate--project=my_proj--artifact-url='gcr.io/example-project/example-image@sha256:abcd'--attestor=projects/foo/attestors/bar--signature-file=signed_artifact_attestation.pgp.sig--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF

To create an attestation in the project "my_proj" in note"projects/foo/notes/bar", run:

gcloudcontainerbinauthzattestationscreate--project=my_proj--artifact-url='gcr.io/example-project/example-image@sha256:abcd'--note=projects/foo/notes/bar--signature-file=signed_artifact_attestation.pgp.sig--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
REQUIRED FLAGS
--artifact-url=ARTIFACT_URL
Container URL. May be in thegcr.io/repository/image format, or mayoptionally contain thehttp orhttps scheme
--public-key-id=PUBLIC_KEY_ID
The ID of the public key that will be used to verify the signature of thecreated Attestation. This ID must match the one found on the Attestorresource(s) which will verify this Attestation.

For PGP keys, this must be the version 4, full 160-bit fingerprint, expressed asa 40 character hexadecimal string. Seehttps://tools.ietf.org/html/rfc4880#section-12.2for details.

--signature-file=SIGNATURE_FILE
Path to file containing the signature to store, or- to readsignature from stdin.
OPTIONAL FLAGS
--payload-file=PAYLOAD_FILE
Path to file containing the payload over which the signature was calculated.

This defaults to the output of the standard payload command:

gcloudcontainerbinauthzcreate-signature-payload

NOTE: If you sign a payload with e.g. different whitespace or formatting, youmust explicitly provide the payload content via this flag.

At most one of these can be specified:
Note resource - The Container Analysis Note which will be used to host thecreated attestation. In order to successfully attach the attestation, the activegcloud account (core/account) must have thecontaineranalysis.notes.attachOccurrence permission for the Note(usually via thecontaineranalysis.notes.attacher role). Thearguments in this group can be used to specify the attributes of this resource.
--note=NOTE
ID of the note or fully qualified identifier for the note.

To set thenote attribute:

  • provide the argument--note on the command line.

This flag argument must be specified if any of the other arguments in this groupare specified.

--note-project=NOTE_PROJECT
The Container Analysis project for the note.

To set theproject attribute:

  • provide the argument--note on the command line with a fullyspecified name;
  • provide the argument--note-project on the command line.
--validate
Whether to validate that the Attestation can be verified by the providedAttestor.
Attestor resource - The Attestor whose Container Analysis Note will be used tohost the created attestation. In order to successfully attach the attestation,the active gcloud account (core/account) must be able to read this attestor andmust have thecontaineranalysis.notes.attachOccurrence permissionfor the Attestor's underlying Note resource (usually via thecontaineranalysis.notes.attacher role). The arguments in this groupcan be used to specify the attributes of this resource.
--attestor=ATTESTOR
ID of the attestor or fully qualified identifier for the attestor.

To set thename attribute:

  • provide the argument--attestor on the command line.

This flag argument must be specified if any of the other arguments in this groupare specified.

--attestor-project=ATTESTOR_PROJECT
Project ID of the Google Cloud project for the attestor.

To set theproject attribute:

  • provide the argument--attestor on the command line with a fullyspecified name;
  • provide the argument--attestor-project on the command line;
  • provide the argument--project on the command line;
  • set the propertycore/project.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
These variants are also available:
gcloudalphacontainerbinauthzattestationscreate
gcloudbetacontainerbinauthzattestationscreate

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-07 UTC.