Attestation assertions
To learn more about using attestation assertions, see Create an attestation policy.
The assertions available for constructing an attestation policy are detailed in the following tables. Policies can validate assertions made by the Confidential Space image, the workload container, and the VM instance.
Image assertions
assertion.dbgstat
Type: Defined string
Description: Verifies that the Confidential Space image is the debug or production version. The valid values are:
  enable: Check that the debug image is being used.
  disabled-since-boot: Check that the production image is being used.
Examples
The following code verifies that the debug version of the Confidential Space image is being used:
  assertion.dbgstat == "enable"
The following code verifies that the production version of the Confidential Space image is being used:
  assertion.dbgstat == "disabled-since-boot"
assertion.submods.confidential_space.support_attributes
Type: String array
Description: Verifies the security version of the TEE is a production Confidential Space image. Debug Confidential Space images have no support attribute set. There are three support attributes:
  LATEST: This is the latest version of the image, and is supported. The LATEST image is also STABLE and USABLE.
  STABLE: This version of the image is supported and monitored for vulnerabilities. A STABLE image is also USABLE.
  USABLE: An image with only this attribute is out of support and no longer monitored for vulnerabilities. Use at your own risk.
  EXPERIMENTAL: An image with only this attribute makes use of preview features. It is for testing purposes only, and should never be used in production. An EXPERIMENTAL image never has the attributes LATEST, STABLE, or USABLE.
Caution: Because the Confidential Space default token is refreshed hourly, specifying LATEST isn't recommended for long-running workloads. The Confidential Space image might be updated while your workload is running, meaning the workload is no longer on the latest version and fails attestation as a result.
Example
The following code verifies that a stable version of the Confidential Space image is being used:
  "STABLE" in assertion.submods.confidential_space.support_attributes
assertion.swname
Type: Defined string
Description: Verifies the software running on the attesting entity. The value is always CONFIDENTIAL_SPACE.
Example
  assertion.swname == "CONFIDENTIAL_SPACE"
assertion.swversion
Type: String array
Description: Verifies the software version of the Confidential Space image. We recommend using assertion.submods.confidential_space.support_attributes instead to target the latest version of an image.
Example
  int(assertion.swversion[0]) == 230103
Container assertions
assertion.submods.container.cmd_override
Type: String array
Description: Verifies the CMD commands and parameters used in the workload image.
Examples
The following code verifies that the CMD of the workload image hasn't been overwritten:
  size(assertion.submods.container.cmd_override) == 0
The following code verifies that program is the only content in the CMD overrides:
  assertion.submods.container.cmd_override == ['program']
assertion.submods.container.env
Type: JSON object
Description: Verifies that environment variables and their values have been explicitly passed to the container.
Example
The following code verifies that the environment variable example-env-1 is set to value-1, and example-env-2 is set to value-2:
  assertion.submods.container.env == {"example-env-1": "value-1", "example-env-2": "value-2"}
assertion.submods.container.env_override
Type: String
Description: Verifies whether the workload operator has overwritten environment variables in the container.
Examples
The following code verifies that the workload operator has not overridden the example environment variable:
  !has(assertion.submods.container.env_override.example)
The following code verifies that the workload operator hasn't overwritten any environment variables:
  size(assertion.submods.container.env_override) == 0
assertion.submods.container.image_digest
Type: String
Description: Verifies the image digest of the workload container. Specifying this condition lets multiple parties agree on an authorized workload that is allowed to access their data.
Example
  assertion.submods.container.image_digest == "sha256:837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b"
assertion.submods.container.image_id
Type: String
Description: Verifies the image ID of the workload container.
Example
  assertion.submods.container.image_id == "sha256:652a44b0e911271ba07cf2915cd700fdfa50abd62a98f87a57fdebc59843d93f"
assertion.submods.container.image_reference
Type: String
Description: Verifies the location of the workload container running on top of the Confidential Space image.
Example
  assertion.submods.container.image_reference == "us-docker.pkg.dev/PROJECT_ID/WORKLOAD_CONTAINER:latest"
assertion.submods.container.image_signatures
Type: JSON object
Description: Verifies that the image has a certain signature or is signed by a public key and signing algorithm. Specifying this condition lets multiple parties agree on an authorized workload that is allowed to access their data. The assertion can include the following elements:
  key_id: The hexadecimal fingerprint of the public key. To get the fingerprint, you can run the following command, where public_key.pem is your public key in PEM format:
    openssl pkey -pubin -in public_key.pem -outform DER | openssl sha256
  signature: The signature over a payload that's associated with the signed container and that follows the Simple Signing format.
  signature_algorithm: The algorithm used to sign the key. One of the following:
    RSASSA_PSS_SHA256 (RSASSA-PSS with a SHA-256 digest)
    RSASSA_PKCS1V15_SHA256 (RSASSA-PKCS1 v1_5 with a SHA-256 digest)
    ECDSA_P256_SHA256 (ECDSA on the P-256 curve with a SHA-256 digest)
Example
  assertion.swname == 'CONFIDENTIAL_SPACE' && ['ECDSA_P256_SHA256:PUBLIC_KEY_FINGERPRINT'].exists(fingerprint, fingerprint in assertion.submods.container.image_signatures.map(sig, sig.signature_algorithm+':'+sig.key_id)) && 'serviceaccount.iam.gserviceaccount.com' in assertion.google_service_accounts
assertion.submods.container.restart_policy
Type: Defined string
Description: Verifies the restart policy of the container launcher for when the workload stops. The valid values are:
  Never (default)
  Always
  OnFailure
Example
  assertion.submods.container.restart_policy == "Never"
VM assertions
assertion.google_service_accounts
Type: String array
Description: Verifies that a specified service account is connected to the VM running the workload, or has been listed using tee-impersonate-service-accounts in the VM metadata.
Example
  "workload-service-account@my-project.iam.gserviceaccount.com" in assertion.google_service_accounts
assertion.hwmodel
Type: String
Description: Verifies the underlying Confidential Computing technology. The supported platforms are as follows:
Example
  assertion.hwmodel == "GCP_AMD_SEV"
assertion.submods.confidential_space.monitoring_enabled
Type: Boolean
Description: Verifies the monitoring state on the attesting entity.
Example
  assertion.submods.confidential_space.monitoring_enabled.memory == true
assertion.submods.gce.instance_id
Type: String
Description: Verifies the VM instance ID.
Example
  assertion.submods.gce.instance_id == "0000000000000000000"
assertion.submods.gce.instance_name
Type: String
Description: Verifies the name of the VM instance.
Example
  assertion.submods.gce.instance_name == "workload-vm"
assertion.submods.gce.project_id
Type: String
Description: Verifies that the VM is running in a Google Cloud project with the specified project ID.
Example
  assertion.submods.gce.project_id == "project-id"
assertion.submods.gce.project_number
Type: String
Description: Verifies that the VM is running in a Google Cloud project with the specified project number.
Example
  assertion.submods.gce.project_number == "00000000000"
assertion.submods.gce.zone
Interacts with: Workload operator: the --zone value.
Type: String
Description: Verifies that the VM is running in the specified zone.
Example
  assertion.submods.gce.zone == "us-central1-a"
assertion.submods.nvidia_gpu.cc_mode
Type: Defined string
Description: Verifies the status of NVIDIA's Confidential Computing driver. The valid values are:
  OFF: None of the NVIDIA Confidential Computing features are active.
  ON: The NVIDIA H100 hardware, firmware, and software have fully activated the confidential computing features.
  DEVTOOLS: The GPU is in a partial confidential computing mode that matches the workflows of ON mode, but disables security protections.
Example
  assertion.submods.nvidia_gpu.cc_mode == "ON"
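The tables above list the assertions one at a time; a real policy combines several of them so that a token passes only when the image, the container and the VM all match what the relying party expects. The following is an added example, not code from the Confidential Space documentation: it models that composition locally, with Python standing in for CEL. Each check mirrors one CEL expression from the tables, the claims dict is constructed sample data shaped like the token fields named on this page, and the pinned digest, service account and project ID are assumed values for the example. It deliberately requires STABLE rather than LATEST, for the reason given in the caution under support_attributes, and it fails closed when a field is missing.

```python
"""Added example (not from the Confidential Space docs): a local model of how
the assertions on this page compose into one attestation policy.  Python
stands in for CEL; each check mirrors a CEL expression from the tables, and
the claims below are constructed sample data, not a real token."""
import copy
from typing import Any, Callable

# Constructed sample claims; every value here is made up for the example.
GOOD_CLAIMS: dict[str, Any] = {
    "dbgstat": "disabled-since-boot",
    "swname": "CONFIDENTIAL_SPACE",
    "swversion": ["230103"],
    "hwmodel": "GCP_AMD_SEV",
    "google_service_accounts": [
        "workload-service-account@my-project.iam.gserviceaccount.com",
    ],
    "submods": {
        "confidential_space": {
            "support_attributes": ["LATEST", "STABLE", "USABLE"],
            "monitoring_enabled": {"memory": True},
        },
        "container": {
            "image_digest": "sha256:837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b",
            "cmd_override": [],
            "env_override": {},
            "restart_policy": "Never",
        },
        "gce": {"project_id": "project-id", "zone": "us-central1-a"},
    },
}

# Values the relying party pins for its own workload (assumed for the example).
PINNED_DIGEST = "sha256:837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b"
PINNED_SERVICE_ACCOUNT = "workload-service-account@my-project.iam.gserviceaccount.com"
PINNED_PROJECT_ID = "project-id"

# Each entry pairs a CEL expression (as it would appear in the policy) with
# the equivalent Python check run against the parsed claims.
POLICY: dict[str, Callable[[dict[str, Any]], bool]] = {
    # Production image only; "enable" would mean the debug image.
    'assertion.dbgstat == "disabled-since-boot"':
        lambda a: a["dbgstat"] == "disabled-since-boot",
    'assertion.swname == "CONFIDENTIAL_SPACE"':
        lambda a: a["swname"] == "CONFIDENTIAL_SPACE",
    # STABLE rather than LATEST: the hourly-refreshed token would otherwise
    # start failing as soon as a newer image ships mid-run.
    '"STABLE" in assertion.submods.confidential_space.support_attributes':
        lambda a: "STABLE" in a["submods"]["confidential_space"]["support_attributes"],
    # Pin the exact workload all parties agreed on.
    'assertion.submods.container.image_digest == PINNED_DIGEST':
        lambda a: a["submods"]["container"]["image_digest"] == PINNED_DIGEST,
    # Reject any operator-side changes to CMD or environment.
    'size(assertion.submods.container.cmd_override) == 0':
        lambda a: len(a["submods"]["container"]["cmd_override"]) == 0,
    'size(assertion.submods.container.env_override) == 0':
        lambda a: len(a["submods"]["container"]["env_override"]) == 0,
    'PINNED_SERVICE_ACCOUNT in assertion.google_service_accounts':
        lambda a: PINNED_SERVICE_ACCOUNT in a["google_service_accounts"],
    'assertion.submods.gce.project_id == PINNED_PROJECT_ID':
        lambda a: a["submods"]["gce"]["project_id"] == PINNED_PROJECT_ID,
}


def evaluate(claims: dict[str, Any]) -> list[str]:
    """Return the policy expressions that fail; an empty list means the token passes.

    A field that is missing or has the wrong shape counts as a failure, so the
    policy fails closed rather than raising part-way through."""
    failures = []
    for expression, check in POLICY.items():
        try:
            passed = bool(check(claims))
        except (KeyError, TypeError):
            passed = False
        if not passed:
            failures.append(expression)
    return failures


def with_claim(claims: dict[str, Any], path: str, value: Any) -> dict[str, Any]:
    """Copy the claims and set one dotted path, to build a token that should fail."""
    modified = copy.deepcopy(claims)
    *parents, leaf = path.split(".")
    node = modified
    for key in parents:
        node = node[key]
    node[leaf] = value
    return modified


if __name__ == "__main__":
    print("good token:", evaluate(GOOD_CLAIMS))
    print("debug image:", evaluate(with_claim(GOOD_CLAIMS, "dbgstat", "enable")))
    print("env override:", evaluate(with_claim(
        GOOD_CLAIMS, "submods.container.env_override", {"example": "x"})))
```

Reporting the failing expressions rather than a single true/false is a deliberate choice: when a token is rejected, the operator needs to know whether it was the image, the container or the VM that drifted from the agreed configuration, and a list of expression names gives that without leaking any other claim values.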
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies.
Last updated 2025-08-09 UTC.