HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/396/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/396/help/man/man1/gcloud_alpha_container_binauthz_attestations_create.1
.TH "GCLOUD_ALPHA_CONTAINER_BINAUTHZ_ATTESTATIONS_CREATE" 1



.SH "NAME"
.HP
gcloud alpha container binauthz attestations create \- create a Binary Authorization attestation



.SH "SYNOPSIS"
.HP
\f5gcloud alpha container binauthz attestations create\fR \fB\-\-artifact\-url\fR=\fIARTIFACT_URL\fR \fB\-\-public\-key\-id\fR=\fIPUBLIC_KEY_ID\fR \fB\-\-signature\-file\fR=\fISIGNATURE_FILE\fR [\fB\-\-payload\-file\fR=\fIPAYLOAD_FILE\fR] [[\fB\-\-note\fR=\fINOTE\fR\ :\ \fB\-\-note\-project\fR=\fINOTE_PROJECT\fR]\ |\ \fB\-\-validate\fR\ [\fB\-\-attestor\fR=\fIATTESTOR\fR\ :\ \fB\-\-attestor\-project\fR=\fIATTESTOR_PROJECT\fR]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR This command creates a Binary Authorization attestation for your
project. The attestation is created for the specified artifact (e.g. a gcr.io
container URL), associate with the specified attestor, and stored under the
specified project.



.SH "EXAMPLES"

To create an attestation in the project "my_proj" as the attestor with resource
path "projects/foo/attestors/bar", run:

.RS 2m
$ gcloud alpha container binauthz attestations create \e
  \-\-project=my_proj \e
  \-\-artifact\-url=gcr.io/example\-project/\e
example\-image@sha256:abcd \-\-attestor=projects/foo/attestors/bar \e
    \-\-signature\-file=signed_artifact_attestation.pgp.sig \e
    \-\-public\-key\-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
.RE

To create an attestation in the project "my_proj" in note
"projects/foo/notes/bar", run:

.RS 2m
$ gcloud alpha container binauthz attestations create \e
  \-\-project=my_proj \e
  \-\-artifact\-url='gcr.io/example\-project/example\-image@sha256:abcd\e
' \-\-note=projects/foo/notes/bar \e
    \-\-signature\-file=signed_artifact_attestation.pgp.sig \e
    \-\-public\-key\-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
.RE



.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-artifact\-url\fR=\fIARTIFACT_URL\fR

Container URL. May be in the \f5gcr.io/repository/image\fR format, or may
optionally contain the \f5http\fR or \f5https\fR scheme

.TP 2m
\fB\-\-public\-key\-id\fR=\fIPUBLIC_KEY_ID\fR

The ID of the public key that will be used to verify the signature of the
created Attestation. This ID must match the one found on the Attestor
resource(s) which will verify this Attestation.

For PKIX keys, this will be the URI\-formatted \f5id\fR field of the associated
Attestor public key.

For PGP keys, this must be the version 4, full 160\-bit fingerprint, expressed
as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section\-12.2 for details.

.TP 2m
\fB\-\-signature\-file\fR=\fISIGNATURE_FILE\fR

Path to file containing the signature to store, or \f5\-\fR to read signature
from stdin.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-payload\-file\fR=\fIPAYLOAD_FILE\fR

Path to file containing the payload over which the signature was calculated.

This defaults to the output of the standard payload command:

.RS 2m
$ gcloud alpha container binauthz create\-signature\-payload
.RE

NOTE: If you sign a payload with e.g. different whitespace or formatting, you
must explicitly provide the payload content via this flag.

.TP 2m

At most one of these can be specified:


.RS 2m
.TP 2m

Note resource \- The Container Analysis Note which will be used to host the
created attestation. In order to successfully attach the attestation, the active
gcloud account (core/account) must have the
\f5containeranalysis.notes.attachOccurrence\fR permission for the Note (usually
via the \f5containeranalysis.notes.attacher\fR role). The arguments in this
group can be used to specify the attributes of this resource.


.RS 2m
.TP 2m
\fB\-\-note\fR=\fINOTE\fR

ID of the note or fully qualified identifier for the note.

To set the \f5note\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-note\fR on the command line.
.RE
.sp

This flag argument must be specified if any of the other arguments in this group
are specified.

.TP 2m
\fB\-\-note\-project\fR=\fINOTE_PROJECT\fR

The Container Analysis project for the note.

To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-note\fR on the command line with a fully specified
name;
.IP "\(em" 2m
provide the argument \f5\-\-note\-project\fR on the command line.
.RE
.sp

.RE
.sp
.TP 2m
\fB\-\-validate\fR

Whether to validate that the Attestation can be verified by the provided
Attestor.

.TP 2m

Attestor resource \- The Attestor whose Container Analysis Note will be used to
host the created attestation. In order to successfully attach the attestation,
the active gcloud account (core/account) must be able to read this attestor and
must have the \f5containeranalysis.notes.attachOccurrence\fR permission for the
Attestor's underlying Note resource (usually via the
\f5containeranalysis.notes.attacher\fR role). The arguments in this group can be
used to specify the attributes of this resource.


.RS 2m
.TP 2m
\fB\-\-attestor\fR=\fIATTESTOR\fR

ID of the attestor or fully qualified identifier for the attestor.

To set the \f5name\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-attestor\fR on the command line.
.RE
.sp

This flag argument must be specified if any of the other arguments in this group
are specified.

.TP 2m
\fB\-\-attestor\-project\fR=\fIATTESTOR_PROJECT\fR

Project ID of the Google Cloud project for the attestor.

To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-attestor\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-attestor\-project\fR on the command line;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp


.RE
.RE
.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud container binauthz attestations create
.RE

.RS 2m
$ gcloud beta container binauthz attestations create
.RE
@ Telegram