1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. binaryauthorization
  5. Attestor
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.binaryauthorization.Attestor

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    An attestor that attests to container image artifacts.

    To get more information about Attestor, see:

    Example Usage

    Binary Authorization Attestor Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const note = new gcp.containeranalysis.Note("note", {
        name: "test-attestor-note",
        attestationAuthority: {
            hint: {
                humanReadableName: "Attestor Note",
            },
        },
    });
    const attestor = new gcp.binaryauthorization.Attestor("attestor", {
        name: "test-attestor",
        attestationAuthorityNote: {
            noteReference: note.name,
            publicKeys: [{
                asciiArmoredPgpPublicKey: `mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
    bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
    oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
    V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
    Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
    83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
    IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
    uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
    0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
    51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
    WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
    MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
    +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
    qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
    =6Bvm
    `,
            }],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    note = gcp.containeranalysis.Note("note",
        name="test-attestor-note",
        attestation_authority={
            "hint": {
                "human_readable_name": "Attestor Note",
            },
        })
    attestor = gcp.binaryauthorization.Attestor("attestor",
        name="test-attestor",
        attestation_authority_note={
            "note_reference": note.name,
            "public_keys": [{
                "ascii_armored_pgp_public_key": """mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
    bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
    oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
    V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
    Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
    83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
    IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
    uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
    0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
    51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
    WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
    MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
    +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
    qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
    =6Bvm
    """,
            }],
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
    			Name: pulumi.String("test-attestor-note"),
    			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
    				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
    					HumanReadableName: pulumi.String("Attestor Note"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
    			Name: pulumi.String("test-attestor"),
    			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
    				NoteReference: note.Name,
    				PublicKeys: binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArray{
    					&binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArgs{
    						AsciiArmoredPgpPublicKey: pulumi.String(`mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
    bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
    oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
    V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
    Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
    83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
    IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
    uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
    0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
    51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
    WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
    MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
    +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
    qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
    =6Bvm
    `),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var note = new Gcp.ContainerAnalysis.Note("note", new()
        {
            Name = "test-attestor-note",
            AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
            {
                Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
                {
                    HumanReadableName = "Attestor Note",
                },
            },
        });
    
        var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
        {
            Name = "test-attestor",
            AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
            {
                NoteReference = note.Name,
                PublicKeys = new[]
                {
                    new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNotePublicKeyArgs
                    {
                        AsciiArmoredPgpPublicKey = @"mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
    bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
    oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
    V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
    Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
    83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
    IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
    uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
    0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
    51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
    WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
    MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
    +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
    qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
    =6Bvm
    ",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.containeranalysis.Note;
    import com.pulumi.gcp.containeranalysis.NoteArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
    import com.pulumi.gcp.binaryauthorization.Attestor;
    import com.pulumi.gcp.binaryauthorization.AttestorArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var note = new Note("note", NoteArgs.builder()
                .name("test-attestor-note")
                .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                    .hint(NoteAttestationAuthorityHintArgs.builder()
                        .humanReadableName("Attestor Note")
                        .build())
                    .build())
                .build());
    
            var attestor = new Attestor("attestor", AttestorArgs.builder()
                .name("test-attestor")
                .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                    .noteReference(note.name())
                    .publicKeys(AttestorAttestationAuthorityNotePublicKeyArgs.builder()
                        .asciiArmoredPgpPublicKey("""
    mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
    bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
    oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
    V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
    Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
    83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
    IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
    uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
    0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
    51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
    WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
    MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
    +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
    qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
    =6Bvm
                        """)
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      attestor:
        type: gcp:binaryauthorization:Attestor
        properties:
          name: test-attestor
          attestationAuthorityNote:
            noteReference: ${note.name}
            publicKeys:
              - asciiArmoredPgpPublicKey: |
                  mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
                  bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
                  oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
                  V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
                  Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
                  83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
                  IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
                  uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
                  0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
                  51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
                  WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
                  MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
                  +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
                  qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
                  =6Bvm              
      note:
        type: gcp:containeranalysis:Note
        properties:
          name: test-attestor-note
          attestationAuthority:
            hint:
              humanReadableName: Attestor Note
    

    Binary Authorization Attestor Kms

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const keyring = new gcp.kms.KeyRing("keyring", {
        name: "test-attestor-key-ring",
        location: "global",
    });
    const crypto_key = new gcp.kms.CryptoKey("crypto-key", {
        name: "test-attestor-key",
        keyRing: keyring.id,
        purpose: "ASYMMETRIC_SIGN",
        versionTemplate: {
            algorithm: "RSA_SIGN_PKCS1_4096_SHA512",
        },
    });
    const version = gcp.kms.getKMSCryptoKeyVersionOutput({
        cryptoKey: crypto_key.id,
    });
    const note = new gcp.containeranalysis.Note("note", {
        name: "test-attestor-note",
        attestationAuthority: {
            hint: {
                humanReadableName: "Attestor Note",
            },
        },
    });
    const attestor = new gcp.binaryauthorization.Attestor("attestor", {
        name: "test-attestor",
        attestationAuthorityNote: {
            noteReference: note.name,
            publicKeys: [{
                id: version.apply(version => version.id),
                pkixPublicKey: {
                    publicKeyPem: version.apply(version => version.publicKeys?.[0]?.pem),
                    signatureAlgorithm: version.apply(version => version.publicKeys?.[0]?.algorithm),
                },
            }],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    keyring = gcp.kms.KeyRing("keyring",
        name="test-attestor-key-ring",
        location="global")
    crypto_key = gcp.kms.CryptoKey("crypto-key",
        name="test-attestor-key",
        key_ring=keyring.id,
        purpose="ASYMMETRIC_SIGN",
        version_template={
            "algorithm": "RSA_SIGN_PKCS1_4096_SHA512",
        })
    version = gcp.kms.get_kms_crypto_key_version_output(crypto_key=crypto_key.id)
    note = gcp.containeranalysis.Note("note",
        name="test-attestor-note",
        attestation_authority={
            "hint": {
                "human_readable_name": "Attestor Note",
            },
        })
    attestor = gcp.binaryauthorization.Attestor("attestor",
        name="test-attestor",
        attestation_authority_note={
            "note_reference": note.name,
            "public_keys": [{
                "id": version.id,
                "pkix_public_key": {
                    "public_key_pem": version.public_keys[0].pem,
                    "signature_algorithm": version.public_keys[0].algorithm,
                },
            }],
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
    			Name:     pulumi.String("test-attestor-key-ring"),
    			Location: pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewCryptoKey(ctx, "crypto-key", &kms.CryptoKeyArgs{
    			Name:    pulumi.String("test-attestor-key"),
    			KeyRing: keyring.ID(),
    			Purpose: pulumi.String("ASYMMETRIC_SIGN"),
    			VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
    				Algorithm: pulumi.String("RSA_SIGN_PKCS1_4096_SHA512"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		version := kms.GetKMSCryptoKeyVersionOutput(ctx, kms.GetKMSCryptoKeyVersionOutputArgs{
    			CryptoKey: crypto_key.ID(),
    		}, nil)
    		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
    			Name: pulumi.String("test-attestor-note"),
    			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
    				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
    					HumanReadableName: pulumi.String("Attestor Note"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
    			Name: pulumi.String("test-attestor"),
    			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
    				NoteReference: note.Name,
    				PublicKeys: binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArray{
    					&binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArgs{
    						Id: version.ApplyT(func(version kms.GetKMSCryptoKeyVersionResult) (*string, error) {
    							return &version.Id, nil
    						}).(pulumi.StringPtrOutput),
    						PkixPublicKey: &binaryauthorization.AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs{
    							PublicKeyPem: version.ApplyT(func(version kms.GetKMSCryptoKeyVersionResult) (*string, error) {
    								return &version.PublicKeys[0].Pem, nil
    							}).(pulumi.StringPtrOutput),
    							SignatureAlgorithm: version.ApplyT(func(version kms.GetKMSCryptoKeyVersionResult) (*string, error) {
    								return &version.PublicKeys[0].Algorithm, nil
    							}).(pulumi.StringPtrOutput),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new()
        {
            Name = "test-attestor-key-ring",
            Location = "global",
        });
    
        var crypto_key = new Gcp.Kms.CryptoKey("crypto-key", new()
        {
            Name = "test-attestor-key",
            KeyRing = keyring.Id,
            Purpose = "ASYMMETRIC_SIGN",
            VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
            {
                Algorithm = "RSA_SIGN_PKCS1_4096_SHA512",
            },
        });
    
        var version = Gcp.Kms.GetKMSCryptoKeyVersion.Invoke(new()
        {
            CryptoKey = crypto_key.Id,
        });
    
        var note = new Gcp.ContainerAnalysis.Note("note", new()
        {
            Name = "test-attestor-note",
            AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
            {
                Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
                {
                    HumanReadableName = "Attestor Note",
                },
            },
        });
    
        var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
        {
            Name = "test-attestor",
            AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
            {
                NoteReference = note.Name,
                PublicKeys = new[]
                {
                    new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNotePublicKeyArgs
                    {
                        Id = version.Apply(getKMSCryptoKeyVersionResult => getKMSCryptoKeyVersionResult.Id),
                        PkixPublicKey = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs
                        {
                            PublicKeyPem = version.Apply(getKMSCryptoKeyVersionResult => getKMSCryptoKeyVersionResult.PublicKeys[0]?.Pem),
                            SignatureAlgorithm = version.Apply(getKMSCryptoKeyVersionResult => getKMSCryptoKeyVersionResult.PublicKeys[0]?.Algorithm),
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.kms.KeyRing;
    import com.pulumi.gcp.kms.KeyRingArgs;
    import com.pulumi.gcp.kms.CryptoKey;
    import com.pulumi.gcp.kms.CryptoKeyArgs;
    import com.pulumi.gcp.kms.inputs.CryptoKeyVersionTemplateArgs;
    import com.pulumi.gcp.kms.KmsFunctions;
    import com.pulumi.gcp.kms.inputs.GetKMSCryptoKeyVersionArgs;
    import com.pulumi.gcp.containeranalysis.Note;
    import com.pulumi.gcp.containeranalysis.NoteArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
    import com.pulumi.gcp.binaryauthorization.Attestor;
    import com.pulumi.gcp.binaryauthorization.AttestorArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var keyring = new KeyRing("keyring", KeyRingArgs.builder()
                .name("test-attestor-key-ring")
                .location("global")
                .build());
    
            var crypto_key = new CryptoKey("crypto-key", CryptoKeyArgs.builder()
                .name("test-attestor-key")
                .keyRing(keyring.id())
                .purpose("ASYMMETRIC_SIGN")
                .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
                    .algorithm("RSA_SIGN_PKCS1_4096_SHA512")
                    .build())
                .build());
    
            final var version = KmsFunctions.getKMSCryptoKeyVersion(GetKMSCryptoKeyVersionArgs.builder()
                .cryptoKey(crypto_key.id())
                .build());
    
            var note = new Note("note", NoteArgs.builder()
                .name("test-attestor-note")
                .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                    .hint(NoteAttestationAuthorityHintArgs.builder()
                        .humanReadableName("Attestor Note")
                        .build())
                    .build())
                .build());
    
            var attestor = new Attestor("attestor", AttestorArgs.builder()
                .name("test-attestor")
                .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                    .noteReference(note.name())
                    .publicKeys(AttestorAttestationAuthorityNotePublicKeyArgs.builder()
                        .id(version.applyValue(getKMSCryptoKeyVersionResult -> getKMSCryptoKeyVersionResult).applyValue(version -> version.applyValue(getKMSCryptoKeyVersionResult -> getKMSCryptoKeyVersionResult.id())))
                        .pkixPublicKey(AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs.builder()
                            .publicKeyPem(version.applyValue(getKMSCryptoKeyVersionResult -> getKMSCryptoKeyVersionResult).applyValue(version -> version.applyValue(getKMSCryptoKeyVersionResult -> getKMSCryptoKeyVersionResult.publicKeys()[0].pem())))
                            .signatureAlgorithm(version.applyValue(getKMSCryptoKeyVersionResult -> getKMSCryptoKeyVersionResult).applyValue(version -> version.applyValue(getKMSCryptoKeyVersionResult -> getKMSCryptoKeyVersionResult.publicKeys()[0].algorithm())))
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      attestor:
        type: gcp:binaryauthorization:Attestor
        properties:
          name: test-attestor
          attestationAuthorityNote:
            noteReference: ${note.name}
            publicKeys:
              - id: ${version.id}
                pkixPublicKey:
                  publicKeyPem: ${version.publicKeys[0].pem}
                  signatureAlgorithm: ${version.publicKeys[0].algorithm}
      note:
        type: gcp:containeranalysis:Note
        properties:
          name: test-attestor-note
          attestationAuthority:
            hint:
              humanReadableName: Attestor Note
      crypto-key:
        type: gcp:kms:CryptoKey
        properties:
          name: test-attestor-key
          keyRing: ${keyring.id}
          purpose: ASYMMETRIC_SIGN
          versionTemplate:
            algorithm: RSA_SIGN_PKCS1_4096_SHA512
      keyring:
        type: gcp:kms:KeyRing
        properties:
          name: test-attestor-key-ring
          location: global
    variables:
      version:
        fn::invoke:
          Function: gcp:kms:getKMSCryptoKeyVersion
          Arguments:
            cryptoKey: ${["crypto-key"].id}
    

    Create Attestor Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Attestor(name: string, args: AttestorArgs, opts?: CustomResourceOptions);
    @overload
    def Attestor(resource_name: str,
                 args: AttestorArgs,
                 opts: Optional[ResourceOptions] = None)
    
    @overload
    def Attestor(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 attestation_authority_note: Optional[AttestorAttestationAuthorityNoteArgs] = None,
                 description: Optional[str] = None,
                 name: Optional[str] = None,
                 project: Optional[str] = None)
    func NewAttestor(ctx *Context, name string, args AttestorArgs, opts ...ResourceOption) (*Attestor, error)
    public Attestor(string name, AttestorArgs args, CustomResourceOptions? opts = null)
    public Attestor(String name, AttestorArgs args)
    public Attestor(String name, AttestorArgs args, CustomResourceOptions options)
    
    type: gcp:binaryauthorization:Attestor
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AttestorArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AttestorArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AttestorArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AttestorArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AttestorArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var attestorResource = new Gcp.BinaryAuthorization.Attestor("attestorResource", new()
    {
        AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
        {
            NoteReference = "string",
            DelegationServiceAccountEmail = "string",
            PublicKeys = new[]
            {
                new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNotePublicKeyArgs
                {
                    AsciiArmoredPgpPublicKey = "string",
                    Comment = "string",
                    Id = "string",
                    PkixPublicKey = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs
                    {
                        PublicKeyPem = "string",
                        SignatureAlgorithm = "string",
                    },
                },
            },
        },
        Description = "string",
        Name = "string",
        Project = "string",
    });
    
    example, err := binaryauthorization.NewAttestor(ctx, "attestorResource", &binaryauthorization.AttestorArgs{
    	AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
    		NoteReference:                 pulumi.String("string"),
    		DelegationServiceAccountEmail: pulumi.String("string"),
    		PublicKeys: binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArray{
    			&binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArgs{
    				AsciiArmoredPgpPublicKey: pulumi.String("string"),
    				Comment:                  pulumi.String("string"),
    				Id:                       pulumi.String("string"),
    				PkixPublicKey: &binaryauthorization.AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs{
    					PublicKeyPem:       pulumi.String("string"),
    					SignatureAlgorithm: pulumi.String("string"),
    				},
    			},
    		},
    	},
    	Description: pulumi.String("string"),
    	Name:        pulumi.String("string"),
    	Project:     pulumi.String("string"),
    })
    
    var attestorResource = new Attestor("attestorResource", AttestorArgs.builder()
        .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
            .noteReference("string")
            .delegationServiceAccountEmail("string")
            .publicKeys(AttestorAttestationAuthorityNotePublicKeyArgs.builder()
                .asciiArmoredPgpPublicKey("string")
                .comment("string")
                .id("string")
                .pkixPublicKey(AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs.builder()
                    .publicKeyPem("string")
                    .signatureAlgorithm("string")
                    .build())
                .build())
            .build())
        .description("string")
        .name("string")
        .project("string")
        .build());
    
    attestor_resource = gcp.binaryauthorization.Attestor("attestorResource",
        attestation_authority_note={
            "note_reference": "string",
            "delegation_service_account_email": "string",
            "public_keys": [{
                "ascii_armored_pgp_public_key": "string",
                "comment": "string",
                "id": "string",
                "pkix_public_key": {
                    "public_key_pem": "string",
                    "signature_algorithm": "string",
                },
            }],
        },
        description="string",
        name="string",
        project="string")
    
    const attestorResource = new gcp.binaryauthorization.Attestor("attestorResource", {
        attestationAuthorityNote: {
            noteReference: "string",
            delegationServiceAccountEmail: "string",
            publicKeys: [{
                asciiArmoredPgpPublicKey: "string",
                comment: "string",
                id: "string",
                pkixPublicKey: {
                    publicKeyPem: "string",
                    signatureAlgorithm: "string",
                },
            }],
        },
        description: "string",
        name: "string",
        project: "string",
    });
    
    type: gcp:binaryauthorization:Attestor
    properties:
        attestationAuthorityNote:
            delegationServiceAccountEmail: string
            noteReference: string
            publicKeys:
                - asciiArmoredPgpPublicKey: string
                  comment: string
                  id: string
                  pkixPublicKey:
                    publicKeyPem: string
                    signatureAlgorithm: string
        description: string
        name: string
        project: string
    

    Attestor Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Attestor resource accepts the following input properties:

    AttestationAuthorityNote AttestorAttestationAuthorityNote
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    Description string
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    Name string
    The resource name.
    Project string
    AttestationAuthorityNote AttestorAttestationAuthorityNoteArgs
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    Description string
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    Name string
    The resource name.
    Project string
    attestationAuthorityNote AttestorAttestationAuthorityNote
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description String
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name String
    The resource name.
    project String
    attestationAuthorityNote AttestorAttestationAuthorityNote
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description string
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name string
    The resource name.
    project string
    attestation_authority_note AttestorAttestationAuthorityNoteArgs
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description str
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name str
    The resource name.
    project str
    attestationAuthorityNote Property Map
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description String
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name String
    The resource name.
    project String

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Attestor resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Attestor Resource

    Get an existing Attestor resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AttestorState, opts?: CustomResourceOptions): Attestor
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            attestation_authority_note: Optional[AttestorAttestationAuthorityNoteArgs] = None,
            description: Optional[str] = None,
            name: Optional[str] = None,
            project: Optional[str] = None) -> Attestor
    func GetAttestor(ctx *Context, name string, id IDInput, state *AttestorState, opts ...ResourceOption) (*Attestor, error)
    public static Attestor Get(string name, Input<string> id, AttestorState? state, CustomResourceOptions? opts = null)
    public static Attestor get(String name, Output<String> id, AttestorState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AttestationAuthorityNote AttestorAttestationAuthorityNote
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    Description string
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    Name string
    The resource name.
    Project string
    AttestationAuthorityNote AttestorAttestationAuthorityNoteArgs
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    Description string
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    Name string
    The resource name.
    Project string
    attestationAuthorityNote AttestorAttestationAuthorityNote
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description String
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name String
    The resource name.
    project String
    attestationAuthorityNote AttestorAttestationAuthorityNote
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description string
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name string
    The resource name.
    project string
    attestation_authority_note AttestorAttestationAuthorityNoteArgs
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description str
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name str
    The resource name.
    project str
    attestationAuthorityNote Property Map
    A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.
    description String
    A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
    name String
    The resource name.
    project String

    Supporting Types

    AttestorAttestationAuthorityNote, AttestorAttestationAuthorityNoteArgs

    NoteReference string
    The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
    DelegationServiceAccountEmail string
    (Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
    PublicKeys List<AttestorAttestationAuthorityNotePublicKey>
    Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.
    NoteReference string
    The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
    DelegationServiceAccountEmail string
    (Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
    PublicKeys []AttestorAttestationAuthorityNotePublicKey
    Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.
    noteReference String
    The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
    delegationServiceAccountEmail String
    (Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
    publicKeys List<AttestorAttestationAuthorityNotePublicKey>
    Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.
    noteReference string
    The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
    delegationServiceAccountEmail string
    (Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
    publicKeys AttestorAttestationAuthorityNotePublicKey[]
    Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.
    note_reference str
    The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
    delegation_service_account_email str
    (Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
    public_keys Sequence[AttestorAttestationAuthorityNotePublicKey]
    Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.
    noteReference String
    The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
    delegationServiceAccountEmail String
    (Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
    publicKeys List<Property Map>
    Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.

    AttestorAttestationAuthorityNotePublicKey, AttestorAttestationAuthorityNotePublicKeyArgs

    AsciiArmoredPgpPublicKey string
    ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
    Comment string
    A descriptive comment. This field may be updated.
    Id string
    The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
    PkixPublicKey AttestorAttestationAuthorityNotePublicKeyPkixPublicKey
    A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.
    AsciiArmoredPgpPublicKey string
    ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
    Comment string
    A descriptive comment. This field may be updated.
    Id string
    The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
    PkixPublicKey AttestorAttestationAuthorityNotePublicKeyPkixPublicKey
    A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.
    asciiArmoredPgpPublicKey String
    ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
    comment String
    A descriptive comment. This field may be updated.
    id String
    The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
    pkixPublicKey AttestorAttestationAuthorityNotePublicKeyPkixPublicKey
    A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.
    asciiArmoredPgpPublicKey string
    ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
    comment string
    A descriptive comment. This field may be updated.
    id string
    The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
    pkixPublicKey AttestorAttestationAuthorityNotePublicKeyPkixPublicKey
    A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.
    ascii_armored_pgp_public_key str
    ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
    comment str
    A descriptive comment. This field may be updated.
    id str
    The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
    pkix_public_key AttestorAttestationAuthorityNotePublicKeyPkixPublicKey
    A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.
    asciiArmoredPgpPublicKey String
    ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
    comment String
    A descriptive comment. This field may be updated.
    id String
    The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
    pkixPublicKey Property Map
    A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.

    AttestorAttestationAuthorityNotePublicKeyPkixPublicKey, AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs

    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).


    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).


    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm String
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).


    publicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).


    public_key_pem str
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signature_algorithm str
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).


    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm String
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).


    Import

    Attestor can be imported using any of these accepted formats:

    • projects/{{project}}/attestors/{{name}}

    • {{project}}/{{name}}

    • {{name}}

    When using the pulumi import command, Attestor can be imported using one of the formats above. For example:

    $ pulumi import gcp:binaryauthorization/attestor:Attestor default projects/{{project}}/attestors/{{name}}
    
    $ pulumi import gcp:binaryauthorization/attestor:Attestor default {{project}}/{{name}}
    
    $ pulumi import gcp:binaryauthorization/attestor:Attestor default {{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi