Attestation token claims


The following table describes the top-level supported claims in the attestation token. These items are compliant with the OpenID Connect 1.0 specification.

Read more about attestation tokens

Key Type Description
Header
x5c String Only present in PKI tokens. The certificate chain to validate PKI tokens against. You can download the root certificate from the PKI token validation endpoint.
JSON data payload
attester_tcb String array

One or more TCB (trusted computing base) components. This claim is to specify the source of attestation evidence.

For the hwmodel claim "GCP_INTEL_TDX" on Confidential Space, the value is set to ["INTEL"], indicating that the attestation root of trust originates from Intel-specific hardware technology.

aud String

The audience. For the default token used with a workload identity pool, the audience is https://sts.googleapis.com. This token is fetched every hour by the launcher in the Confidential VM instance.

For tokens with custom audiences, the audience is echoed from the audience in the token request. The maximum length is 512 bytes.

dbgstat String The debug status for the hardware. In production images, the value is disabled-since-boot. In debug images, the value is enabled.
eat_nonce String or string array One or more nonces for the attestation token. The values are echoed from the token options sent in the custom token request. Each nonce must be between 10 to 74 bytes inclusive. A maximum of six nonces are allowed.
exp Int, Unix timestamp The expiration time on or after which the token must not be accepted for processing. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the expiry time.
google_service_accounts String array The validated service accounts that are running the Confidential Space workload.
hwmodel String

The unique identifier for the hardware token. Here are the valid values:

  • GCP_AMD_SEV
  • GCP_AMD_SEV_ES
  • GCP_SHIELDED_VM
  • GCP_INTEL_TDX (Preview)
iat Int, Unix timestamp The time when the JWT was issued. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the issue time.
iss String The issuer of the token, which is set to https://confidentialcomputing.googleapis.com.
nbf Int, Unix timestamp The time before which the JWT cannot be used for processing.
oemid Uint64 The Google Private Enterprise Number (PEN), which is 11129.
secboot Boolean Whether Secure Boot is enabled, which ensures that the firmware and operating system were authenticated during the VM boot process. This value is always true.
sub String The subject, which is the fully qualified virtual machine ID for the Confidential VM. For example, https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID. This format is known as the instance's selfLink.
submods Array An array of various claims. See Submods claims.
swname String

The name of the approved operating system for the VM.

Values are CONFIDENTIAL_SPACE or GCE. The CONFIDENTIAL_SPACE value is only for hardened images that passed all validation.

swversion String array

The version of the operating system. The value is a string array that contains only one value.

The version follows the format YYYYMM##, where ## is a counter for the number of images released before the image being used in the same month.

Submods claims

The following table describes the submods claims in the attestation token.

Key Type Description
confidential_space.support_attributes String array The value can contain USABLE, STABLE, and LATEST. For more information, see Confidential Space image lifecycle.
confidential_space.monitoring_enabled Object array Shows what kind of system monitoring is enabled. The value can be {"memory":false} or {"memory":true}.
container Object See Workload container claims.
gce Object See Compute Engine claims.

Workload container claims

The following table describes the container claims in the attestation token. For more information about these claims, see Attestation assertions.

Key Type Description
args String array The full argv the container is invoked with. This claim includes the container's entrypoint path and any additional command-line arguments.
cmd_override String array The CMD commands and parameters used in the workload image.
env Object array The environment variables and their values that have been explicitly passed to the container.
env_override Object array The overwritten environment variables in the container.
image_digest String The image digest of the workload container.
image_id String The image ID of the workload container.
image_reference String The location of the workload container running in Confidential Space.
image_signatures Object array See Container image signature claims.
restart_policy String The restart policy of the container launcher when the workload stops. Valid values are Always, OnFailure, and Never. Default is Never.

Compute Engine claims

The following table describes the gce claims in the attestation token.

Key Type Description
instance_id String The VM instance ID.
instance_name String The VM instance name.
project_id String The project ID for the project that the VM is running in.
project_number String The project number for the project that the VM is running in.
zone String The Compute Engine zone where the Confidential VM is running.

Container image signature claims

The following table describes the image_signature claims in the attestation token.

Key Type Description
key_id String

The hexadecimal fingerprint of the public key. To get the fingerprint, you can run the following command:

openssl pkey -pubin -in public_key.pem -outform DER | openssl sha256

Where public_key.pem is your public key in PEM format.

signature String The base64-encoded signature for a payload that's associated with the signed container and that follows the Simple Signing format.
signature_algorithm String

The algorithm used to sign the key. One of the following:

  • RSASSA_PSS_SHA256 (RSASSA-PSS with a SHA-256 digest)
  • RSASSA_PKCS1V15_SHA256 (RSASSA-PKCS1 v1_5 with a SHA-256 digest)
  • ECDSA_P256_SHA256 (ECDSA on the P-256 Curve with a SHA-256 digest)

What's next