Google Cloud Attestation
Attestation is the process that establishes trust in
Confidential Computing.
Attestation acts as a digital verification mechanism, ensuring that confidential
data is only processed within hardware-based Trusted Execution Environments
(TEEs) that have been rigorously vetted.
Google Cloud Attestation provides a unified solution for remotely verifying the
trustworthiness of all Google confidential environments. The service supports
attestation of confidential environments backed by a Virtual Trusted Platform
Module (vTPM) on AMD SEV instances and by the TDX module on Intel TDX instances.
Google Cloud Attestation can be applied across Google Cloud confidential
environments such as Confidential VM, Confidential GKE Nodes, and Confidential
Space.
While Google Cloud Attestation is convenient, you can also use open-source tools
to obtain attestation reports directly from Confidential VM instances and verify
them yourself. For more details, see Request an attestation report.
How Google Cloud Attestation works
Google Cloud Attestation gathers endorsements directly from hardware vendors and
maintains its own set of reference values and appraisal policies tailored to
each confidential environment. It provides APIs that Google Cloud users call to
fetch attestation result tokens carrying the resulting claims.
Google Cloud Attestation collects information from your confidential
environment and checks it against approved values and Google-maintained
policies. These checks are converted into verifiable claims that adhere to the
IETF Remote ATtestation ProcedureS (RATS) Entity Attestation Token (EAT)
standard. Then, Google Cloud Attestation provides cryptographic proofs of
these claims that can be used by services relying on such claims, such as
Secret Manager and Google
Identity and Access Management (IAM).
The cryptographic proofs can be validated in either of the following ways:
Using a public key. For more information, see
OIDC tokens.
This is the simpler option: the relying party fetches the verifier's public key
through standard OIDC discovery, so it works natively with OIDC-compatible
applications.
Using a root certificate. For more information, see
PKI tokens.
This option allows offline verification: the relying party validates a
certificate chain up to a pinned root instead of discovering the verification
key for each token. For an end-to-end example of offline validation, see the
Use Confidential Space with protected resources that aren't stored with a cloud provider codelab.
With either option, a valid signature only proves who issued the token. The
relying party must still check the audience, expiry, and nonce claims before
acting on the result.
RATS architecture overview
The Remote ATtestation ProcedureS (RATS) architecture involves the following
primary entities:
Attester: An entity providing evidence of its trustworthiness. In
Google Cloud, this is a confidential environment (for example, Confidential VM,
Confidential GKE Nodes, or Confidential Space).
Verifier: An entity evaluating the evidence and generating attestation
results. This is Google Cloud Attestation.
Relying party: An entity relying on the attestation results to make decisions
(for example, a mobile app, storage bucket, or key management system).
The RATS architecture also defines the following supporting roles:
Relying party owner: An entity configuring the appraisal policy for the
relying party.
Verifier owner: An entity configuring the appraisal policy for the verifier
(for example, Google).
Endorser: An entity providing endorsements that vouch for the attester's
capabilities (for example, hardware vendors such as AMD, Intel, or NVIDIA).
Reference value provider: An entity providing reference values for the
verifier to validate the attester's claims.
Passport model attestation workflow
Google Cloud Attestation uses the passport model. The high-level workflow of
the passport model involves the following steps:
The attester (confidential environment) requests an attestation result
from the verifier (Google Cloud Attestation) by providing evidence.
The verifier evaluates the evidence and issues an attestation result.
The attester presents this result to the relying party.
In this workflow, Google Cloud Attestation acts as the verifier, and confidential
environments such as Confidential VM, Confidential GKE Nodes, and Confidential
Space act as the attester. Relying parties include Thales EKM, Google IAM, and
other token brokers.
To ensure the freshness of attestation results, Google Cloud Attestation supports
a nonce: a random value that is used only once. The relying party and the
attester agree on the nonce, the attester includes it in its request to the
verifier, and the verifier embeds it in the signed attestation result. The
relying party then checks that the result carries the nonce it expects, which
shows that the result was produced for this exchange and is not a replay of an
earlier one.
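The following Go program is an added example, not code from Google Cloud Attestation or from this page, that plays out the passport model and the nonce check described above together with the public-key validation from the section on how the service works. It simulates all three parties in one process: a Verifier that appraises a constructed measurement against its reference values and signs an EAT-style JWT (RS256) that echoes the nonce, an attester that hands the token on, and a relying party that validates the signature with the verifier's public key and then checks audience, expiry, and nonce. The measurement strings, the issuer and audience URLs, and every claim name other than eat_nonce are assumptions made for this example; the real evidence formats, token contents, and key-distribution details are the ones documented in the OIDC and PKI token references.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is a minimal EAT-style claim set; eat_nonce is the EAT nonce claim.
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud"`
	Exp      int64  `json:"exp"`
	EatNonce string `json:"eat_nonce"`
}

// Verifier holds the appraisal policy (accepted measurements as reference values) and the signing key.
type Verifier struct {
	Key       *rsa.PrivateKey // its public half is what relying parties fetch (JWKS in the real service)
	Reference map[string]bool
}

func NewVerifier(reference map[string]bool) (*Verifier, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Verifier{Key: key, Reference: reference}, nil
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Appraise checks a measurement (constructed stand-in for vTPM/TDX evidence) against the reference values and signs an RS256 JWS echoing the nonce.
func (v *Verifier) Appraise(measurement, nonce, aud string, now time.Time) (string, error) {
	if !v.Reference[measurement] {
		return "", errors.New("measurement matches no reference value")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Iss: "https://verifier.example", Aud: aud,
		Exp: now.Add(time.Hour).Unix(), EatNonce: nonce})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, v.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken is the relying party's check: signature first, then audience, expiry
// and nonce. Any failure means the claims must not be trusted.
func VerifyToken(token string, pub *rsa.PublicKey, wantAud, wantNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr map[string]string
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil ||
		json.Unmarshal(hb, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // pin alg; never honour alg=none
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case c.Aud != wantAud:
		return nil, errors.New("audience mismatch")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.EatNonce != wantNonce:
		return nil, errors.New("nonce mismatch: stale or replayed result")
	}
	return &c, nil
}

// PassportFlow runs the passport model end to end for one session and returns the
// claims the relying party accepted, or the error that stopped the flow.
func PassportFlow(v *Verifier, measurement string) (*Claims, error) {
	const aud = "https://kms.example" // the relying party's identity (assumed)
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil { // the relying party mints a fresh nonce
		return nil, err
	}
	now, nonce := time.Now(), b64(raw)
	token, err := v.Appraise(measurement, nonce, aud, now) // attester -> verifier -> attester
	if err != nil {
		return nil, err
	}
	return VerifyToken(token, &v.Key.PublicKey, aud, nonce, now) // attester -> relying party
}
```

Calling PassportFlow with a measurement that is in the reference set returns the accepted claims; with one that is not, the verifier refuses to issue a result at all, which is the appraisal step doing its job. A token replayed from an earlier session fails at the relying party's nonce check rather than at the signature check, which is why the nonce has to be generated per session and never reused, and why the algorithm in the header is pinned before the signature is examined.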
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-25 UTC.