Method: instances.getShieldedInstanceIdentity

Returns the Shielded Instance Identity of an instance

HTTP request

GET https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances/{instance}/getShieldedInstanceIdentity

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
project

string

Project ID for this request.

zone

string

The name of the zone for this request.

instance

string

Name or id of the instance scoping this request.

Request body

The request body must be empty.

Response body

A Shielded Instance Identity.

If successful, the response body contains data with the following structure:

JSON representation
{
  "kind": string,
  "signingKey": {
    "ekCert": string,
    "ekPub": string
  },
  "encryptionKey": {
    "ekCert": string,
    "ekPub": string
  }
}
Fields
kind

string

[Output Only] Type of the resource. Always compute#shieldedInstanceIdentity for shielded Instance identity entry.

signingKey

object

An Attestation Key (AK) made by the RSA 2048 algorithm issued to the Shielded Instance's vTPM.

signingKey.ekCert

string

A PEM-encoded X.509 certificate. This field can be empty.

signingKey.ekPub

string

A PEM-encoded public key.

encryptionKey

object

An Endorsement Key (EK) made by the RSA 2048 algorithm issued to the Shielded Instance's vTPM.

encryptionKey.ekCert

string

A PEM-encoded X.509 certificate. This field can be empty.

encryptionKey.ekPub

string

A PEM-encoded public key.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/compute.readonly
  • https://www.googleapis.com/auth/compute
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

In addition to any permissions specified on the fields above, authorization requires one or more of the following IAM permissions:

  • compute.instances.getShieldedInstanceIdentity

To find predefined roles that contain those permissions, see Compute Engine IAM Roles.