<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="binaryauthorization_v1beta1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1beta1.projects.html">projects</a> . <a href="binaryauthorization_v1beta1.projects.attestors.html">attestors</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#create">create(parent, body, attestorId=None, x__xgafv=None)</a></code></p>
<p class="firstline">Creates an attestor, and returns a copy of the new</p>
<p class="toc_element">
  <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes an attestor.
Returns NOT_FOUND if the</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets an attestor.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
<p class="firstline">Lists attestors.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<p class="toc_element">
  <code><a href="#update">update(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Updates an attestor.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="create">create(parent, body, attestorId=None, x__xgafv=None)</code>
  <pre>Creates an attestor, and returns a copy of the new
attestor. Returns NOT_FOUND if the project does not exist,
INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
attestor already exists.

Args:
  parent: string, Required. The parent of this attestor. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # An attestor that attests to container image
    # artifacts. An existing attestor cannot be modified except where
    # indicated.
  "updateTime": "A String", # Output only. Time when the attestor was last updated.
  "description": "A String", # Optional. A descriptive comment. This field may be updated.
      # The field may be displayed in chooser dialogs.
  "userOwnedDrydockNote": { # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
      # A user-owned Drydock note references a Drydock
      # ATTESTATION_AUTHORITY Note created by the user.
    "delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
        # that this Attestor will use as the principal when querying Container
        # Analysis. Attestor administrators must grant this service account the
        # IAM role needed to read attestations from the note_reference in
        # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
        #
        # This email address is fixed for the lifetime of the Attestor, but callers
        # should not make any other assumptions about the service account email;
        # future versions may use an email based on a different naming pattern.
    "noteReference": "A String", # Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note,
        # created by the user, in the format: `projects/*/notes/*` (or the legacy
        # `providers/*/notes/*`). This field may not be updated.
        #
        # An attestation by this attestor is stored as a Drydock
        # ATTESTATION_AUTHORITY Occurrence that names a container image and that
        # links to this Note. Drydock is an external dependency.
    "publicKeys": [ # Optional. Public keys that verify attestations signed by this
        # attestor. This field may be updated.
        #
        # If this field is non-empty, one of the specified public keys must
        # verify that an attestation was signed by this attestor for the
        # image specified in the admission request.
        #
        # If this field is empty, this attestor always returns that no
        # valid attestations exist.
      { # An attestor public key that will be used to verify
          # attestations signed by this attestor.
        "comment": "A String", # Optional. A descriptive comment. This field may be updated.
        "asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
            # the command `gpg --export --armor foo@example.com` (either LF or CRLF
            # line endings).
            # When using this field, `id` should be left blank. The BinAuthz API
            # handlers will calculate the ID and fill it in automatically. BinAuthz
            # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
            # upper-case hex. If `id` is provided by the caller, it will be
            # overwritten by the API-calculated ID.
        "id": "A String", # The ID of this public key.
            # Signatures verified by BinAuthz must include the ID of the public key that
            # can be used to verify them, and that ID must match the contents of this
            # field exactly.
            # Additional restrictions on this field can be imposed based on which public
            # key type is encapsulated. See the documentation on `public_key` cases below
            # for details.
        "pkixPublicKey": { # A raw PKIX SubjectPublicKeyInfo format public key.
            #
            # NOTE: `id` may be explicitly provided by the caller when using this
            # type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
            # blank, a default one will be computed based on the digest of the DER
            # encoding of the public key.
            #
            # A public key in the PkixPublicKey format (see
            # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
            # Public keys of this type are typically textually encoded using the PEM
            # format.
          "publicKeyPem": "A String", # A PEM-encoded public key, as described in
              # https://tools.ietf.org/html/rfc7468#section-13
          "signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
              # this key.
              # This signature algorithm must match the structure and any object
              # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
              # that of the public key).
        },
      },
    ],
  },
  "name": "A String", # Required. The resource name, in the format:
      # `projects/*/attestors/*`. This field may not be updated.
}

  attestorId: string, Required. The attestor's ID.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An attestor that attests to container image
        # artifacts. An existing attestor cannot be modified except where
        # indicated.
      "updateTime": "A String", # Output only. Time when the attestor was last updated.
      "description": "A String", # Optional. A descriptive comment. This field may be updated.
          # The field may be displayed in chooser dialogs.
      "userOwnedDrydockNote": { # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
          # A user-owned Drydock note references a Drydock
          # ATTESTATION_AUTHORITY Note created by the user.
        "delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
            # that this Attestor will use as the principal when querying Container
            # Analysis. Attestor administrators must grant this service account the
            # IAM role needed to read attestations from the note_reference in
            # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
            #
            # This email address is fixed for the lifetime of the Attestor, but callers
            # should not make any other assumptions about the service account email;
            # future versions may use an email based on a different naming pattern.
        "noteReference": "A String", # Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note,
            # created by the user, in the format: `projects/*/notes/*` (or the legacy
            # `providers/*/notes/*`).
            # This field may not be updated.
            #
            # An attestation by this attestor is stored as a Drydock
            # ATTESTATION_AUTHORITY Occurrence that names a container image and that
            # links to this Note. Drydock is an external dependency.
        "publicKeys": [ # Optional. Public keys that verify attestations signed by this
            # attestor. This field may be updated.
            #
            # If this field is non-empty, one of the specified public keys must
            # verify that an attestation was signed by this attestor for the
            # image specified in the admission request.
            #
            # If this field is empty, this attestor always returns that no
            # valid attestations exist.
          { # An attestor public key that will be used to verify
              # attestations signed by this attestor.
            "comment": "A String", # Optional. A descriptive comment. This field may be updated.
            "asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
                # the command `gpg --export --armor foo@example.com` (either LF or CRLF
                # line endings).
                # When using this field, `id` should be left blank. The BinAuthz API
                # handlers will calculate the ID and fill it in automatically. BinAuthz
                # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
                # upper-case hex. If `id` is provided by the caller, it will be
                # overwritten by the API-calculated ID.
            "id": "A String", # The ID of this public key.
                # Signatures verified by BinAuthz must include the ID of the public key that
                # can be used to verify them, and that ID must match the contents of this
                # field exactly.
                # Additional restrictions on this field can be imposed based on which public
                # key type is encapsulated. See the documentation on `public_key` cases below
                # for details.
            "pkixPublicKey": { # A raw PKIX SubjectPublicKeyInfo format public key.
                #
                # NOTE: `id` may be explicitly provided by the caller when using this
                # type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
                # blank, a default one will be computed based on the digest of the DER
                # encoding of the public key.
                #
                # A public key in the PkixPublicKey format (see
                # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
                # Public keys of this type are typically textually encoded using the PEM
                # format.
              "publicKeyPem": "A String", # A PEM-encoded public key, as described in
                  # https://tools.ietf.org/html/rfc7468#section-13
              "signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
                  # this key.
                  # This signature algorithm must match the structure and any object
                  # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
                  # that of the public key).
            },
          },
        ],
      },
      "name": "A String", # Required. The resource name, in the format:
          # `projects/*/attestors/*`. This field may not be updated.
    }</pre>
</div>

<div class="method">
    <code class="details" id="delete">delete(name, x__xgafv=None)</code>
  <pre>Deletes an attestor. Returns NOT_FOUND if the
attestor does not exist.

Args:
  name: string, Required. The name of the attestor to delete, in the format
`projects/*/attestors/*`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
        # empty messages in your APIs. A typical example is to use it as the request
        # or the response type of an API method. For instance:
        #
        #     service Foo {
        #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
        #     }
        #
        # The JSON representation for `Empty` is empty JSON object `{}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Gets an attestor.
Returns NOT_FOUND if the attestor does not exist.

Args:
  name: string, Required. The name of the attestor to retrieve, in the format
`projects/*/attestors/*`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An attestor that attests to container image
        # artifacts. An existing attestor cannot be modified except where
        # indicated.
      "updateTime": "A String", # Output only. Time when the attestor was last updated.
      "description": "A String", # Optional. A descriptive comment. This field may be updated.
          # The field may be displayed in chooser dialogs.
      "userOwnedDrydockNote": { # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
          # A user-owned Drydock note references a Drydock
          # ATTESTATION_AUTHORITY Note created by the user.
        "delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
            # that this Attestor will use as the principal when querying Container
            # Analysis. Attestor administrators must grant this service account the
            # IAM role needed to read attestations from the note_reference in
            # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
            #
            # This email address is fixed for the lifetime of the Attestor, but callers
            # should not make any other assumptions about the service account email;
            # future versions may use an email based on a different naming pattern.
        "noteReference": "A String", # Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note,
            # created by the user, in the format: `projects/*/notes/*` (or the legacy
            # `providers/*/notes/*`). This field may not be updated.
            #
            # An attestation by this attestor is stored as a Drydock
            # ATTESTATION_AUTHORITY Occurrence that names a container image and that
            # links to this Note. Drydock is an external dependency.
        "publicKeys": [ # Optional. Public keys that verify attestations signed by this
            # attestor. This field may be updated.
            #
            # If this field is non-empty, one of the specified public keys must
            # verify that an attestation was signed by this attestor for the
            # image specified in the admission request.
            #
            # If this field is empty, this attestor always returns that no
            # valid attestations exist.
          { # An attestor public key that will be used to verify
              # attestations signed by this attestor.
            "comment": "A String", # Optional. A descriptive comment. This field may be updated.
            "asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
                # the command `gpg --export --armor foo@example.com` (either LF or CRLF
                # line endings).
                # When using this field, `id` should be left blank. The BinAuthz API
                # handlers will calculate the ID and fill it in automatically. BinAuthz
                # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
                # upper-case hex. If `id` is provided by the caller, it will be
                # overwritten by the API-calculated ID.
            "id": "A String", # The ID of this public key.
                # Signatures verified by BinAuthz must include the ID of the public key that
                # can be used to verify them, and that ID must match the contents of this
                # field exactly.
                # Additional restrictions on this field can be imposed based on which public
                # key type is encapsulated. See the documentation on `public_key` cases below
                # for details.
            "pkixPublicKey": { # A raw PKIX SubjectPublicKeyInfo format public key.
                #
                # NOTE: `id` may be explicitly provided by the caller when using this
                # type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
                # blank, a default one will be computed based on the digest of the DER
                # encoding of the public key.
                #
                # A public key in the PkixPublicKey format (see
                # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
                # Public keys of this type are typically textually encoded using the PEM
                # format.
              "publicKeyPem": "A String", # A PEM-encoded public key, as described in
                  # https://tools.ietf.org/html/rfc7468#section-13
              "signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
                  # this key.
                  # This signature algorithm must match the structure and any object
                  # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
                  # that of the public key).
            },
          },
        ],
      },
      "name": "A String", # Required. The resource name, in the format:
          # `projects/*/attestors/*`. This field may not be updated.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code>
  <pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`.
        # A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow entering the
                # expression.
          },
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    }</pre>
</div>

<div class="method">
    <code class="details" id="list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</code>
  <pre>Lists attestors.
Returns INVALID_ARGUMENT if the project does not exist.

Args:
  parent: string, Required. The resource name of the project associated with the
attestors, in the format `projects/*`. (required)
  pageToken: string, A token identifying a page of results the server should return. Typically,
this is the value of ListAttestorsResponse.next_page_token returned
from the previous call to the `ListAttestors` method.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  pageSize: integer, Requested page size. The server may return fewer results than requested. If
unspecified, the server will pick an appropriate default.

Returns:
  An object of the form:

    { # Response message for BinauthzManagementService.ListAttestors.
      "nextPageToken": "A String", # A token to retrieve the next page of results. Pass this value in the
          # ListAttestorsRequest.page_token field in the subsequent call to the
          # `ListAttestors` method to retrieve the next page of results.
      "attestors": [ # The list of attestors.
        { # An attestor that attests to container image
            # artifacts. An existing attestor cannot be modified except where
            # indicated.
          "updateTime": "A String", # Output only. Time when the attestor was last updated.
          "description": "A String", # Optional. A descriptive comment. This field may be updated.
              # The field may be displayed in chooser dialogs.
          "userOwnedDrydockNote": { # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
              # A user-owned Drydock note references a Drydock
              # ATTESTATION_AUTHORITY Note created by the user.
            "delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
                # that this Attestor will use as the principal when querying Container
                # Analysis. Attestor administrators must grant this service account the
                # IAM role needed to read attestations from the note_reference in
                # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
                #
                # This email address is fixed for the lifetime of the Attestor, but callers
                # should not make any other assumptions about the service account email;
                # future versions may use an email based on a different naming pattern.
            "noteReference": "A String", # Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note,
                # created by the user, in the format: `projects/*/notes/*` (or the legacy
                # `providers/*/notes/*`). This field may not be updated.
                #
                # An attestation by this attestor is stored as a Drydock
                # ATTESTATION_AUTHORITY Occurrence that names a container image and that
                # links to this Note. Drydock is an external dependency.
            "publicKeys": [ # Optional. Public keys that verify attestations signed by this
                # attestor. This field may be updated.
                #
                # If this field is non-empty, one of the specified public keys must
                # verify that an attestation was signed by this attestor for the
                # image specified in the admission request.
                #
                # If this field is empty, this attestor always returns that no
                # valid attestations exist.
              { # An attestor public key that will be used to verify
                  # attestations signed by this attestor.
                "comment": "A String", # Optional. A descriptive comment. This field may be updated.
                "asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
                    # the command `gpg --export --armor foo@example.com` (either LF or CRLF
                    # line endings).
                    # When using this field, `id` should be left blank. The BinAuthz API
                    # handlers will calculate the ID and fill it in automatically. BinAuthz
                    # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
                    # upper-case hex. If `id` is provided by the caller, it will be
                    # overwritten by the API-calculated ID.
                "id": "A String", # The ID of this public key.
                    # Signatures verified by BinAuthz must include the ID of the public key that
                    # can be used to verify them, and that ID must match the contents of this
                    # field exactly.
                    # Additional restrictions on this field can be imposed based on which public
                    # key type is encapsulated. See the documentation on `public_key` cases below
                    # for details.
                "pkixPublicKey": { # A raw PKIX SubjectPublicKeyInfo format public key.
                    #
                    # NOTE: `id` may be explicitly provided by the caller when using this
                    # type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
                    # blank, a default one will be computed based on the digest of the DER
                    # encoding of the public key.
                    #
                    # A public key in the PkixPublicKey format (see
                    # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
                    # Public keys of this type are typically textually encoded using the PEM
                    # format.
                  "publicKeyPem": "A String", # A PEM-encoded public key, as described in
                      # https://tools.ietf.org/html/rfc7468#section-13
                  "signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
                      # this key.
                      # This signature algorithm must match the structure and any object
                      # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
                      # that of the public key).
                },
              },
            ],
          },
          "name": "A String", # Required. The resource name, in the format:
              # `projects/*/attestors/*`. This field may not be updated.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Sets the access control policy on the specified resource. Replaces any
existing policy.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
  "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
      # the policy is limited to a few 10s of KB. An empty policy is a
      # valid policy but certain Cloud Platform services (such as Projects)
      # might reject them.
      #
      # Defines an Identity and Access Management (IAM) policy. It is used to
      # specify access control policies for Cloud Platform resources.
      #
      #
      # A `Policy` consists of a list of `bindings`.
      # A `binding` binds a list of
      # `members` to a `role`, where the members can be user accounts, Google groups,
      # Google domains, and service accounts. A `role` is a named list of permissions
      # defined by IAM.
      #
      # **JSON Example**
      #
      #     {
      #       "bindings": [
      #         {
      #           "role": "roles/owner",
      #           "members": [
      #             "user:mike@example.com",
      #             "group:admins@example.com",
      #             "domain:google.com",
      #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
      #           ]
      #         },
      #         {
      #           "role": "roles/viewer",
      #           "members": ["user:sean@example.com"]
      #         }
      #       ]
      #     }
      #
      # **YAML Example**
      #
      #     bindings:
      #     - members:
      #       - user:mike@example.com
      #       - group:admins@example.com
      #       - domain:google.com
      #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
      #       role: roles/owner
      #     - members:
      #       - user:sean@example.com
      #       role: roles/viewer
      #
      #
      # For a description of IAM and its features, see the
      # [IAM developer's guide](https://cloud.google.com/iam/docs).
    "bindings": [ # Associates a list of `members` to a `role`.
        # `bindings` with no members will result in an error.
      { # Associates `members` with a `role`.
        "role": "A String", # Role that is assigned to `members`.
            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
            # `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is
            #    on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone
            #    who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google
            #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow entering the
                # expression.
          },
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow entering the
                # expression.
          },
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
    <pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
may "fail open" without warning.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
      "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
          # allowed.
        "A String",
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="update">update(name, body, x__xgafv=None)</code>
    <pre>Updates an attestor.
Returns NOT_FOUND if the attestor does not exist.

Args:
  name: string, Required. The resource name, in the format:
`projects/*/attestors/*`. This field may not be updated. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # An attestor that attests to container image
    # artifacts. An existing attestor cannot be modified except where
    # indicated.
  "updateTime": "A String", # Output only. Time when the attestor was last updated.
  "description": "A String", # Optional. A descriptive comment. This field may be updated.
      # The field may be displayed in chooser dialogs.
  "userOwnedDrydockNote": { # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
      #
      # A user-owned Drydock note references a Drydock
      # ATTESTATION_AUTHORITY Note created by the user.
    "delegationServiceAccountEmail": "A String", # Output only.
        # This field will contain the service account email address
        # that this Attestor will use as the principal when querying Container
        # Analysis. Attestor administrators must grant this service account the
        # IAM role needed to read attestations from the note_reference in
        # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
        #
        # This email address is fixed for the lifetime of the Attestor, but callers
        # should not make any other assumptions about the service account email;
        # future versions may use an email based on a different naming pattern.
    "noteReference": "A String", # Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note,
        # created by the user, in the format: `projects/*/notes/*` (or the legacy
        # `providers/*/notes/*`). This field may not be updated.
        #
        # An attestation by this attestor is stored as a Drydock
        # ATTESTATION_AUTHORITY Occurrence that names a container image and that
        # links to this Note. Drydock is an external dependency.
    "publicKeys": [ # Optional. Public keys that verify attestations signed by this
        # attestor. This field may be updated.
        #
        # If this field is non-empty, one of the specified public keys must
        # verify that an attestation was signed by this attestor for the
        # image specified in the admission request.
        #
        # If this field is empty, this attestor always returns that no
        # valid attestations exist.
      { # An attestor public key that will be used to verify
          # attestations signed by this attestor.
        "comment": "A String", # Optional. A descriptive comment. This field may be updated.
        "asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
            # the command `gpg --export --armor foo@example.com` (either LF or CRLF
            # line endings).
            # When using this field, `id` should be left blank.
            # The BinAuthz API
            # handlers will calculate the ID and fill it in automatically. BinAuthz
            # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
            # upper-case hex. If `id` is provided by the caller, it will be
            # overwritten by the API-calculated ID.
        "id": "A String", # The ID of this public key.
            # Signatures verified by BinAuthz must include the ID of the public key that
            # can be used to verify them, and that ID must match the contents of this
            # field exactly.
            # Additional restrictions on this field can be imposed based on which public
            # key type is encapsulated. See the documentation on `public_key` cases below
            # for details.
        "pkixPublicKey": { # A raw PKIX SubjectPublicKeyInfo format public key.
            #
            # NOTE: `id` may be explicitly provided by the caller when using this
            # type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
            # blank, a default one will be computed based on the digest of the DER
            # encoding of the public key.
            #
            # A public key in the PkixPublicKey format (see
            # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
            # Public keys of this type are typically textually encoded using the PEM
            # format.
          "publicKeyPem": "A String", # A PEM-encoded public key, as described in
              # https://tools.ietf.org/html/rfc7468#section-13
          "signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
              # this key.
              # This signature algorithm must match the structure and any object
              # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
              # that of the public key).
        },
      },
    ],
  },
  "name": "A String", # Required. The resource name, in the format:
      # `projects/*/attestors/*`. This field may not be updated.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An attestor that attests to container image
        # artifacts. An existing attestor cannot be modified except where
        # indicated.
      "updateTime": "A String", # Output only. Time when the attestor was last updated.
      "description": "A String", # Optional. A descriptive comment. This field may be updated.
          # The field may be displayed in chooser dialogs.
      "userOwnedDrydockNote": { # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
          #
          # A user-owned Drydock note references a Drydock
          # ATTESTATION_AUTHORITY Note created by the user.
        "delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
            # that this Attestor will use as the principal when querying Container
            # Analysis. Attestor administrators must grant this service account the
            # IAM role needed to read attestations from the note_reference in
            # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
            #
            # This email address is fixed for the lifetime of the Attestor, but callers
            # should not make any other assumptions about the service account email;
            # future versions may use an email based on a different naming pattern.
        "noteReference": "A String", # Required. The Drydock resource name of an ATTESTATION_AUTHORITY Note,
            # created by the user, in the format: `projects/*/notes/*` (or the legacy
            # `providers/*/notes/*`). This field may not be updated.
            #
            # An attestation by this attestor is stored as a Drydock
            # ATTESTATION_AUTHORITY Occurrence that names a container image and that
            # links to this Note. Drydock is an external dependency.
        "publicKeys": [ # Optional. Public keys that verify attestations signed by this
            # attestor. This field may be updated.
            #
            # If this field is non-empty, one of the specified public keys must
            # verify that an attestation was signed by this attestor for the
            # image specified in the admission request.
            #
            # If this field is empty, this attestor always returns that no
            # valid attestations exist.
          { # An attestor public key that will be used to verify
              # attestations signed by this attestor.
            "comment": "A String", # Optional. A descriptive comment. This field may be updated.
            "asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
                # the command `gpg --export --armor foo@example.com` (either LF or CRLF
                # line endings).
                # When using this field, `id` should be left blank. The BinAuthz API
                # handlers will calculate the ID and fill it in automatically. BinAuthz
                # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
                # upper-case hex. If `id` is provided by the caller, it will be
                # overwritten by the API-calculated ID.
            "id": "A String", # The ID of this public key.
                # Signatures verified by BinAuthz must include the ID of the public key that
                # can be used to verify them, and that ID must match the contents of this
                # field exactly.
                # Additional restrictions on this field can be imposed based on which public
                # key type is encapsulated. See the documentation on `public_key` cases below
                # for details.
            "pkixPublicKey": { # A raw PKIX SubjectPublicKeyInfo format public key.
                #
                # NOTE: `id` may be explicitly provided by the caller when using this
                # type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
                # blank, a default one will be computed based on the digest of the DER
                # encoding of the public key.
                #
                # A public key in the PkixPublicKey format (see
                # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
                # Public keys of this type are typically textually encoded using the PEM
                # format.
              "publicKeyPem": "A String", # A PEM-encoded public key, as described in
                  # https://tools.ietf.org/html/rfc7468#section-13
              "signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
                  # this key.
                  # This signature algorithm must match the structure and any object
                  # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
                  # that of the public key).
            },
          },
        ],
      },
      "name": "A String", # Required. The resource name, in the format:
          # `projects/*/attestors/*`. This field may not be updated.
    }</pre>
</div>

</body></html>
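The `etag` read-modify-write cycle described under `setIamPolicy`, as an added Python example that is not part of the generated reference. `add_member`, `grant_with_etag`, `EtagConflict` and `FakeAttestors` are hypothetical names: the fake is a constructed in-memory stand-in for the attestors resource so the flow runs offline, and `EtagConflict` stands in for whatever error a real client raises when the submitted `etag` is stale.

```python
import copy
from types import SimpleNamespace


class EtagConflict(Exception):
    """Stand-in for the client error raised on a stale etag (assumption)."""


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` bound to `role`; etag is kept."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Reuse only unconditional bindings; each condition is examined independently.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def grant_with_etag(attestors, resource, role, member, max_attempts=3):
    """Grant `role` to `member`, re-reading the policy if a concurrent write wins."""
    for _ in range(max_attempts):
        policy = attestors.getIamPolicy(resource=resource).execute()
        if not policy.get("etag"):
            # Without an etag, setIamPolicy overwrites the existing policy blindly.
            raise ValueError("no etag returned; refusing a blind overwrite")
        body = {"policy": add_member(policy, role, member)}
        try:
            return attestors.setIamPolicy(resource=resource, body=body).execute()
        except EtagConflict:
            continue  # stale etag: read again and re-apply the same change
    raise RuntimeError("policy changed on every attempt; giving up")


class FakeAttestors:
    """Constructed in-memory attestors resource so the example runs offline."""
    def __init__(self, policy):
        self.version, self.race = 0, None
        self.policy = dict(policy, etag="v0")

    def _store(self, policy):
        self.version += 1
        self.policy = dict(copy.deepcopy(policy), etag="v%d" % self.version)

    def getIamPolicy(self, resource):
        def run():
            snapshot = copy.deepcopy(self.policy)
            if self.race:  # a concurrent writer lands right after our read
                self._store(self.race(self.policy))
                self.race = None
            return snapshot
        return SimpleNamespace(execute=run)

    def setIamPolicy(self, resource, body):
        def run():
            if body["policy"].get("etag") != self.policy["etag"]:
                raise EtagConflict(resource)
            self._store(body["policy"])
            return copy.deepcopy(self.policy)
        return SimpleNamespace(execute=run)
```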