Console
    Start free

    Confidential Space attestation token claims

    Top-level claims

    The following table describes the top-level claims in the attestation token. These items are compliant with the OpenID Connect 1.0 specification .

    Read more about attestation tokens

    Key
    Type
    Description
    Header
    x5c
    String
    Only present in PKI tokens. The certificate chain to validate PKI tokens against. You can download the root certificate from the PKI token validation endpoint .
    JSON data payload
    attester_tcb
    Array of strings

    One or more TCB (trusted computing base) components. This claim is to specify the source of attestation evidence.

    For the hwmodel claim "GCP_INTEL_TDX" on Confidential Space, the value is set to ["INTEL"] , indicating that the attestation root of trust originates from Intel-specific hardware technology.

    aud
    String

    The audience. For the default token used with a workload identity pool, the audience is https://sts.googleapis.com . This token is fetched every hour by the launcher in the Confidential VM instance.

    For tokens with custom audiences, the audience is echoed from the audience in the token request. The maximum length is 512 bytes.

    dbgstat
    String
    The debug status for the Confidential Space image. In production images, the value is disabled-since-boot . In debug images, the value is enabled .
    eat_nonce
    String, or array of strings
    One or more nonces for the attestation token. The values are echoed from the token options sent in the custom token request. Each nonce must be between 8 and 88 bytes inclusive. A maximum of six nonces are allowed.
    exp
    Int, Unix timestamp
    The expiration time on or after which the token must not be accepted for processing. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the expiry time.
    google_service_accounts
    Array of strings
    The validated service accounts that are running the Confidential Space workload.
    hwmodel
    Enumeration

    The unique identifier for the hardware token. Must be one of the following values:

    • GCP_AMD_SEV
    • GCP_AMD_SEV_ES
    • GCP_SHIELDED_VM
    • GCP_INTEL_TDX
    https://aws.amazon.com/tags
    Object
    See AWS principal tag claims .
    iat
    Int, Unix timestamp
    The time when the JWT was issued. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the issue time.
    iss
    String

    The issuer of the token. The URIs for the valid issuers are as follows:

    • Google Cloud Attestation: https://confidentialcomputing.googleapis.com
    • Intel Trust Authority: https://portal.trustauthority.intel.com
    nbf
    Int, Unix timestamp
    The time after which the JWT is allowed to be processed. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
    oemid
    Uint64
    The value changes depending on the attestation service. For Google Cloud Attestation, it's Google's Private Enterprise Number (PEN) , 11129 .
    secboot
    Boolean
    Whether Secure Boot is enabled, which makes sure that the firmware and operating system are authenticated during the VM boot process. This value is always true .
    sub
    String
    The subject, which is the fully qualified virtual machine ID for the Confidential VM. For example, https://www.googleapis.com/compute/v1/projects/ PROJECT_ID /zones/ ZONE /instances/ INSTANCE_ID . This format is known as the instance's selfLink .
    submods
    Object
    An object containing various claims. See Submods claims .
    tdx
    Array of objects
    An array of various claims. See Intel TDX claims .
    swname
    String

    The name of the approved operating system for the VM.

    Values are CONFIDENTIAL_SPACE or GCE . The CONFIDENTIAL_SPACE value is for hardened and debug Confidential Space images that passed all validation.

    swversion
    Array of strings

    The version of the operating system. The value is an array of strings that contains only one value.

    The version follows the format YYYYMM## , where ## is a counter for the number of images released before the image being used in the same month.

    AWS principal tag claims

    The following table describes the AWS_PrincipalTag claims in the attestation token. These claims are placed in the https://aws.amazon.com/tags claims, in the principal_tags object in the attestation token. To learn about the https://aws.amazon.com/tags claim structure, see AWS principal tag claims .

    Key Type Description
    confidential_space.support_attributes
    		Array of strings

    Derivative claim of support attributes. This is a concatenated string representation of the original claims.

    For example, if the original claims are Latest , Stable , and Usable , this attribute contains LATEST=STABLE=USABLE . If the original claim is only Usable , this attribute contains USABLE .
    container.image_digest
    		Array of strings

    See Workload container claims .

    Container image signatures and digests don't appear together in a single token. If you're using container.image_digest in your AWS policies, you must remove any references to container.signatures.key_ids .
    container.signatures.key_id
    		Array of strings

    A concatenated list of container image signature key IDs. This field represents multiple signature key IDs joined into a single string in the array.

    For example, if you have key IDs aKey1 , zKey2 , and bKey3 , this claim contains the value aKey1=bKey3=zKey2 .

    Container image signatures and digests don't appear together in a single token. If you are using container.signatures.key_ids in your AWS policies, you must remove any references to container.image_digest .

    For more information about container image signature claims, see AWS policies with container image signature claims .
    gce.project_id
    		Array of strings See Compute Engine claims .
    gce.zone
    		Array of strings See Compute Engine claims .

    Intel TDX claims

    The following table describes the tdx claims in the attestation token.

    Key Type Description
    gcp_attester_tcb_status
    		String

    A string value that represents the TCB level status of the Google Cloud platform being evaluated. For more information about tcbStatus , see Intel's Provisioning Certification Service API documentation .

    This claim indicates that the TDX TCB version was up to date with Intel's reference values when Google began its firmware rollout. However, it doesn't guarantee that the Google fleet remains up to date with Intel's real-time TCB reference values.
    gcp_attester_tcb_date
    		String The TCB date for the attesting Google Cloud platform. The time value is UTC in ISO 8601 format (YYYY-MM-DDThh:mm:ssZ) .

    Submods claims

    The following table describes the submods claims in the attestation token.

    Key Type Description
    confidential_space.support_attributes
    		Array of strings The array can contain the values EXPERIMENTAL , USABLE , STABLE , and LATEST . For more information, see Confidential Space image lifecycle .
    confidential_space.monitoring_enabled
    		Object Shows what kind of system monitoring is enabled. The value can be {"memory":false} or {"memory":true} .
    container
    		Object See Workload container claims .
    gce
    		Object See Compute Engine claims .
    nvidia_gpu
    		Object See NVIDIA GPU claims .

    Compute Engine claims

    The following table describes the gce claims in the attestation token.

    Key Type Description
    instance_id
    		String The VM instance ID.
    instance_name
    		String The VM instance name.
    project_id
    		String The project ID for the project that the VM is running in.
    project_number
    		String The project number for the project that the VM is running in.
    zone
    		String The Compute Engine zone where the Confidential VM instance is running.

    NVIDIA GPU claims

    The following table describes the nvidia_gpu claims in the attestation token.

    Key
    Type
    Description
    cc_feature
    Enumeration

    The Confidential Computing supported by an NVIDIA GPU. Only single GPU passthrough (SPT) mode is supported in Confidential Space, so the value is always SPT .

    For more information about NVIDIA Confidential Computing support, see NVIDIA Trusted Computing Solutions (PDF) .

    cc_mode
    Enumeration

    The Confidential Computing status of the NVIDIA GPU. This claim attests to the GPU driver only, not the entire GPU device.

    The value can be one of the following:

    • OFF : none of the NVIDIA Confidential Computing features are active.
    • ON : the NVIDIA H100 hardware, firmware, and software have fully activated the confidential computing features.
    • DEVTOOLS : the GPU is in a partial confidential computing mode that matches the workflows of ON mode, but disables security protections.
    gpus
    Array of objects

    See GPU hardware and software claims .

    GPU hardware and software claims

    Key Type Description
    driver_version
    		String

    The NVIDIA driver version running on the Confidential VM. For example, 590.48.01 .
    hwmodel
    		Enumeration

    The NV_GPU architecture. Only NVIDIA's H100 is supported, so the value is always GCP_NVIDIA_H100 .
    l4_serial_number
    		Hex string

    The serial number of the fourth-level NVIDIA GPU attestation certificate chain.
    ueid
    		Hex string

    The universal entity identifier according to RFC 9711 . This is a unique device identifier for an attested NVIDIA GPU device.
    vbios_version
    		String

    The attested NVIDIA GPU VBIOS version. For example, 96.00.CF.00.01 .

    Workload container claims

    The following table describes the container claims in the attestation token. For more information about these claims, see Attestation assertions .

    Key Type Description
    args
    		Array of strings The full argv the container is invoked with. This claim includes the container's entrypoint path and any additional command-line arguments.
    cmd_override
    		Array of strings The CMD commands and parameters used in the workload image.
    env
    		Object The environment variables and their values that have been explicitly passed to the container.
    env_override
    		Object The overwritten environment variables in the container.
    image_digest
    		String The image digest of the workload container.
    image_id
    		String The image ID of the workload container.
    image_reference
    		String The location of the workload container running in Confidential Space.
    image_signatures
    		Array of objects See Container image signature claims .
    restart_policy
    		Enumeration The restart policy of the container launcher when the workload stops. Valid values are Always , OnFailure , and Never . Default is Never .

    Container image signature claims

    The following table describes the image_signatures claims in the attestation token.

    Key
    Type
    Description
    key_id
    String

    The hexadecimal fingerprint of the public key. To get the fingerprint, you can run the following command:

    openssl pkey -pubin -in public_key.pem 
-outform DER | openssl sha256

    Where public_key.pem is your public key in PEM format.

    signature
    String
    The base64-encoded signature for a payload that's associated with the signed container and that follows the Simple Signing format .
    signature_algorithm
    Enumeration

    The algorithm used to sign the key. One of the following:

    • RSASSA_PSS_SHA256 (RSASSA-PSS with a SHA-256 digest)
    • RSASSA_PKCS1V15_SHA256 (RSASSA-PKCS1 v1_5 with a SHA-256 digest)
    • ECDSA_P256_SHA256 (ECDSA on the P-256 Curve with a SHA-256 digest)

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: