- NAME
-
- gcloud container binauthz - manage attestations for Binary Authorization on Google Cloud Platform
- SYNOPSIS
-
-
gcloud container binauthzGROUP|COMMAND[GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
- Binary Authorization is a feature which allows binaries to run on Google Cloud Platform only if they are appropriately attested. Binary Authorization is configured by creating a policy.
- EXAMPLES
- This example assumes that you have created a keypair using gpg, usually by
running
gpg --gen-key …, withName-Emailset toattesting_user@example.comfor your attestor.First, some convenience variables for brevity:
ATTESTING_USER = "attesting_user@example.com" DIGEST = "000000000000000000000000000000000000000000000000000000000000abcd" ARTIFACT_URL = "gcr.io/example-project/example-image@sha256: ${ DIGEST } " ATTESTOR_NAME = "projects/example-project/attestors/canary"
Export your key's fingerprint (note this may differ based on version and implementations of gpg):
gpg \ --with-colons \ --with-fingerprint \ --force-v4-certs \ --list-keys \ " ${ ATTESTING_USER } " | grep fpr | cut --delimiter = ':' --fields 10
This should produce a 40 character, hexidecimal encoded string. See https://tools.ietf.org/html/rfc4880#section-12.2 for more information on key fingerprints.
Create your attestation payload:
gcloud container binauthz create-signature-payload \ --artifact-url = " ${ ARTIFACT_URL } " \ > example_payload.txt
Create a signature from your attestation payload:
gpg \ --local-user " ${ ATTESTING_USER } " \ --armor \ --clearsign \ --output example_signature.pgp \ example_payload.txt
Upload the attestation:
gcloud container binauthz attestations create \ --public-key-id = ${ KEY_FINGERPRINT } \ --signature-file = example_signature.pgp \ --artifact-url = " ${ ARTIFACT_URL } " \ --attestor = ${ ATTESTOR_NAME }
List the attestation by artifact URL.
--formatcan be passed to output the attestations as json or another supported format:gcloud container binauthz attestations list \ --artifact-url = " ${ ARTIFACT_URL } " \ --format = yaml --- - | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 … SNIP … -----END PGP PUBLIC KEY BLOCK----- - | -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 … SNIP … -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 … SNIP … -----END PGP SIGNATURE-----
List all artifact URLs on the project for which Container Analysis Occurrences exist. This list includes the list of all URLs with BinAuthz attestations:
gcloud container binauthz attestations list --- https://gcr.io/example-project/example-image@sha256:000000000000000000000000000000000000000000000000000000000000abcd …
Listing also works for kind=ATTESTATION_AUTHORITY attestations, just pass the attestor:
gcloud container binauthz attestations list \ --artifact-url = " ${ ARTIFACT_URL } " \ --attestor = ${ ATTESTOR_NAME } \ --format = yaml …
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--help.Run
$ gcloud helpfor details. - GROUPS
-
GROUP-
attestations - Create and manage Google Binary Authorization attestations.
-
attestors - Create and manage Google Binary Authorization Attestors.
-
policy - Create and manage Google Binary Authorization policies.
-
- COMMANDS
-
COMMAND-
create-signature-payload - Create a JSON container image signature object.
-
- NOTES
- These variants are also available:
gcloud alpha container binauthzgcloud beta container binauthz
gcloud container binauthz
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-05-27 UTC.
