Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to store metadata related to an artifact stored in
Artifact Registry as an attachment.
Metadata stored in attachments can include information about artifact
vulnerabilities, build provenance, package contents, certification,
vulnerability assessment, Software Bill of Materials (SBOM) and more.
Information stored in Artifact Registry attachments can be used by
policy systems and inspected by users to ensure compliance.
For Docker repositories, attachments must be OCI artifacts. For all
formats other than Docker, attachments can be any file type.
You can use the gcloud CLI or Oras to create attachments
in Docker-format repositories.
To create an attachment, complete the following steps:
gcloud (all formats)
Before using any of the command data below,
make the following replacements:
ATTACHMENT: the fully qualified name
of the attachment, such as
projects/my-project/locations/us-west1/repositories/my-repo/attachments/my-attachment.
Alternatively, provide only the attachment ID and use the --location and
--repository flags.
TARGET: the fully qualified version name.
For Docker images only, you can also use the Artifact Registry URI of the artifact the
attachment refers to. In the URI, you can use the digest or, for Docker images, the tagโfor example,
us-west1-docker.pkg.dev/my-project/my-repo/my-image:tag1.
The following example creates an attachment consisting of a file,
hello-world.txt, that refers to a container image, my-image, identified by
its URI and tag:
Docker repository attachments, including build provenance,
are deleted when artifacts they're attached to are deleted. If you use
cleanup policies to delete images
from your repository, then by default, the attachments on those images will
be deleted as well.
To ensure that attachments you want to keep aren't accidentally
deleted by a cleanup policy, you can assign a tag to an image
that has attachments you want to keep. Then, you can configure a cleanup
policy to retain images with those tags. For example, you could assign a
production-signed tag to images with attached build provenance.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Store artifact metadata in attachments\n\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page describes how to store metadata related to an artifact stored in\nArtifact Registry as an *attachment*.\n\nMetadata stored in attachments can include information about artifact\nvulnerabilities, build provenance, package contents, certification,\nvulnerability assessment, Software Bill of Materials (SBOM) and more.\nInformation stored in Artifact Registry attachments can be used by\npolicy systems and inspected by users to ensure compliance.\n\nFor more information about working with attachments, see\n[Manage metadata with attachments](/artifact-registry/docs/manage-metadata-with-attachments).\n\nBefore you begin\n----------------\n\n1. If you don't already have one, [create a standard-mode repository](/artifact-registry/docs/repositories/create-repos).\n2. (Optional) [Configure defaults for Google Cloud CLI commands](/artifact-registry/docs/repositories/gcloud-defaults).\n\n### Required roles\n\n\nTo get the permissions that\nyou need to create attachments,\n\nask your administrator to grant you the\n\n\n[Artifact Registry Writer](/iam/docs/roles-permissions/artifactregistry#artifactregistry.writer) (`roles/artifactregistry.writer`)\nIAM role on the repository.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nCreate an attachment\n--------------------\n\nFor Docker repositories, attachments must be [OCI artifacts](https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage). For all\nformats other than Docker, attachments can be any file type.\n\nYou can use the gcloud CLI or Oras to create attachments\nin Docker-format repositories.\n\nTo create an attachment, complete the following steps: \n\n### gcloud (all formats)\n\n\nBefore using any of the command data below,\nmake the following replacements:\n\n- \u003cvar class=\"edit\" scope=\"ATTACHMENT\" translate=\"no\"\u003eATTACHMENT\u003c/var\u003e: the fully qualified name of the attachment, such as `projects/my-project/locations/us-west1/repositories/my-repo/attachments/my-attachment`. Alternatively, provide only the attachment ID and use the `--location` and `--repository` flags.\n- \u003cvar class=\"edit\" scope=\"TARGET\" translate=\"no\"\u003eTARGET\u003c/var\u003e: the fully qualified version name. For Docker images only, you can also use the Artifact Registry URI of the artifact the attachment refers to. In the URI, you can use the digest or, for Docker images, the tag---for example, `us-west1-docker.pkg.dev/my-project/my-repo/my-image:tag1`.\n- \u003cvar class=\"edit\" scope=\"TYPE\" translate=\"no\"\u003eTYPE\u003c/var\u003e: the attachment's `type` attribute. For Docker images, the `type` must comply with [OCI specifications for the `artifactType` property](https://github.com/opencontainers/image-spec/blob/main/manifest.md#image-manifest-property-descriptions).\n- \u003cvar class=\"edit\" scope=\"ATTACHMENT_NAMESPACE\" translate=\"no\"\u003eATTACHMENT_NAMESPACE\u003c/var\u003e: a variable specific to attachments that identifies the attachment data source, such as `example.com`.\n- \u003cvar class=\"edit\" scope=\"FILES\" translate=\"no\"\u003eFILES\u003c/var\u003e: a comma-separated list of local files to include in the attachment.\n - Execute the following command:\n\n #### Linux, macOS, or Cloud Shell\n\n **Note:** Ensure you have initialized the Google Cloud CLI with authentication and a project by running either [gcloud init](/sdk/gcloud/reference/init); or [gcloud auth login](/sdk/gcloud/reference/auth/login) and [gcloud config set project](/sdk/gcloud/reference/config/set). \n\n ```bash\n gcloud artifacts attachments create ATTACHMENT \\\n --target=TARGET \\\n --attachment-type=TYPE \\\n --attachment-namespace=ATTACHMENT_NAMESPACE \\\n --files=FILES\n ```\n\n #### Windows (PowerShell)\n\n **Note:** Ensure you have initialized the Google Cloud CLI with authentication and a project by running either [gcloud init](/sdk/gcloud/reference/init); or [gcloud auth login](/sdk/gcloud/reference/auth/login) and [gcloud config set project](/sdk/gcloud/reference/config/set). \n\n ```bash\n gcloud artifacts attachments create ATTACHMENT `\n --target=TARGET `\n --attachment-type=TYPE `\n --attachment-namespace=ATTACHMENT_NAMESPACE `\n --files=FILES\n ```\n\n #### Windows (cmd.exe)\n\n **Note:** Ensure you have initialized the Google Cloud CLI with authentication and a project by running either [gcloud init](/sdk/gcloud/reference/init); or [gcloud auth login](/sdk/gcloud/reference/auth/login) and [gcloud config set project](/sdk/gcloud/reference/config/set). \n\n ```bash\n gcloud artifacts attachments create ATTACHMENT ^\n --target=TARGET ^\n --attachment-type=TYPE ^\n --attachment-namespace=ATTACHMENT_NAMESPACE ^\n --files=FILES\n ```\nFor more information, see the [`gcloud artifacts attachments create`](/sdk/gcloud/reference/artifacts/attachments/create) command.\n\n### Oras (Docker only)\n\nWhen creating an attachment with Oras, Artifact Registry generates a\nrandom UUID to use as the attachment name.\n\nBefore using Oras, complete the following steps:\n\n1. [Install Oras 1.2 or later](https://oras.land/docs/installation/). To\n verify your version, run the `oras version` command.\n\n2. Configure Oras to\n [authenticate](https://oras.land/docs/how_to_guides/authentication/)\n with Artifact Registry.\n\nBefore running the command, make the following replacements:\n\n- \u003cvar class=\"edit\" scope=\"ARTIFACT_TYPE\" translate=\"no\"\u003eARTIFACT_TYPE\u003c/var\u003e: the\n [`artifactType`](https://github.com/opencontainers/image-spec/blob/main/manifest.md#image-manifest-property-descriptions) of the attachment.\n\n- \u003cvar class=\"edit\" scope=\"IMAGE_URI\" translate=\"no\"\u003eIMAGE_URI\u003c/var\u003e: the URI\n for the image container the attachment refers to.\n\n- \u003cvar class=\"edit\" scope=\"FILE\" translate=\"no\"\u003eFILE\u003c/var\u003e: a local file to\n include as metadata in the attachment.\n\n- \u003cvar class=\"edit\" scope=\"MEDIA_TYPE\" translate=\"no\"\u003eMEDIA_TYPE\u003c/var\u003e: the\n [`mediaType`](https://github.com/opencontainers/image-spec/blob/main/media-types.md) of the layer.\n\n oras attach --artifact-type \u003cvar translate=\"no\"\u003eARTIFACT_TYPE\u003c/var\u003e \u003cvar translate=\"no\"\u003eIMAGE_URI\u003c/var\u003e \u003cvar translate=\"no\"\u003eFILE\u003c/var\u003e:\u003cvar translate=\"no\"\u003eMEDIA_TYPE\u003c/var\u003e\n\nThe following example creates an attachment consisting of a file,\n`hello-world.txt`, that refers to a container image, `my-image`, identified by\nits URI and tag: \n\n oras attach --artifact-type doc/example \\\n us-west1-docker.pkg.dev/my-project/my-repo/my-image:tag1 \\\n hello-world.txt:application/vnd.me.hi\n\nWhere:\n\n- `doc/example` defines the `artifactType` property of the attachment.\n\n- `us-west1-docker.pkg.dev/my-project/my-repo/my-image:tag1`\n is the URI including the tag of the container image version the attachment\n will refer to.\n\n- `hello-world.txt` is the local file that the attachment will hold as its data.\n\n- `application/vnd.me.hi` defines the `mediaType` of the\n layer.\n\nFor a full guide and more examples, see the [`oras attach` documentation](https://oras.land/docs/commands/oras_attach/).\n\nManage attachments with cleanup policies\n----------------------------------------\n\nDocker repository attachments, including build provenance,\nare deleted when artifacts they're attached to are deleted. If you use\n[cleanup policies](/artifact-registry/docs/repositories/cleanup-policy-overview) to delete images\nfrom your repository, then by default, the attachments on those images will\nbe deleted as well.\n\nTo ensure that attachments you want to keep aren't accidentally\ndeleted by a cleanup policy, you can assign a [tag](/artifact-registry/docs/repositories/tag-repos) to an image\nthat has attachments you want to keep. Then, you can configure a cleanup\npolicy to retain images with those tags. For example, you could assign a\n`production-signed` tag to images with attached build provenance.\n\nwhat's next\n-----------\n\n- [Manage artifact metadata](/artifact-registry/docs/manage-metadata-with-attachments).\n- Learn how to [generate and store SBOMs](/artifact-analysis/docs/generate-store-sboms) for container images."]]
