This guide shows you how to set up Binary Authorization to enforce policy-based deployment of Cloud Run services.
Before you begin
Set up Cloud Run and enable APIs, by doing the following:
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Enable the Cloud Run, Artifact Registry, and Binary Authorization APIs.
- Install and initialize the Google Cloud CLI.
Enable Binary Authorization on an existing Cloud Run service
This section describes how to enable Binary Authorization enforcement on an existing service.
To enable Binary Authorization enforcement on an existing service, do the following:
Console
- Go to the Cloud Run page in the Google Cloud console.
- Click the name of the service.
- Click the Details tab.
- To enable Binary Authorization enforcement on the service, click Enable.
- Optional: To configure the Binary Authorization policy, click Configure Policy.
gcloud
Run the following command:
gcloud run services update SERVICE_NAME --binary-authorization=default
Replace SERVICE_NAME with the name of your existing service.
View the policy
To view the policy, click View policy.
Learn more about configuring a Binary Authorization policy.
Service deploy failure
If your service fails to deploy because it violates the Binary Authorization policy, you might see an error like the following:
Revision REVISION_NAME uses an unauthorized container image. Container image IMAGE_NAME is not authorized by policy.
The error also contains information about why the image violated the policy. If you still need to deploy that image, you can use breakglass to bypass policy enforcement for the deployment.
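The following script is an added example, not code from this page or from Google's own tooling. It reads the JSON that `gcloud run services list --format=json` prints and flags three conditions a defender cares about: services where Binary Authorization enforcement is not enabled (the `gcloud run services update ... --binary-authorization=default` command above is the fix), services whose current revision was deployed with breakglass (the bypass described just above), and services whose image is referenced by a mutable tag rather than a digest. The annotation keys `run.googleapis.com/binary-authorization` and `run.googleapis.com/binary-authorization-breakglass`, the manifest field paths, and the embedded sample data are assumptions about the Cloud Run service manifest, constructed for this example; verify them against your own project's output.

```python
"""Audit Cloud Run services for Binary Authorization enforcement and breakglass use.

Added example (not from the page or from Google). Reads the JSON produced by
`gcloud run services list --format=json`, which returns Knative-style Service
manifests. The annotation keys and field paths below are assumptions about
that manifest shape; adjust them if your project's output differs.
"""
import json
import sys

# Assumed annotation keys on the Cloud Run service manifest.
BINAUTHZ_ANNOTATION = "run.googleapis.com/binary-authorization"
BREAKGLASS_ANNOTATION = "run.googleapis.com/binary-authorization-breakglass"

# Constructed sample of `gcloud run services list --format=json` output,
# trimmed to the fields this check reads. Not real project data.
SAMPLE_SERVICES_JSON = json.dumps([
    {   # enforcement on, image pinned by digest: nothing to report
        "metadata": {"name": "api-frontend",
                     "annotations": {BINAUTHZ_ANNOTATION: "default"}},
        "spec": {"template": {"metadata": {"annotations": {}},
                              "spec": {"containers": [{"image":
                                  "us-docker.pkg.dev/example-proj/repo/api@sha256:" + "a" * 64}]}}},
    },
    {   # enforcement never enabled, image referenced by mutable tag
        "metadata": {"name": "batch-worker", "annotations": {}},
        "spec": {"template": {"metadata": {"annotations": {}},
                              "spec": {"containers": [{"image":
                                  "us-docker.pkg.dev/example-proj/repo/worker:latest"}]}}},
    },
    {   # enforcement on, but the current revision was deployed with breakglass
        "metadata": {"name": "hotfix-service",
                     "annotations": {BINAUTHZ_ANNOTATION: "default"}},
        "spec": {"template": {"metadata": {"annotations": {
                                  BREAKGLASS_ANNOTATION: "INC-1234 emergency rollback"}},
                              "spec": {"containers": [{"image":
                                  "us-docker.pkg.dev/example-proj/repo/hotfix@sha256:" + "b" * 64}]}}},
    },
])


def _annotations(svc: dict) -> dict:
    """Merge service-level and revision-template annotations (template wins)."""
    merged = dict(svc.get("metadata", {}).get("annotations") or {})
    template_meta = svc.get("spec", {}).get("template", {}).get("metadata", {})
    merged.update(template_meta.get("annotations") or {})
    return merged


def _images(svc: dict) -> list[str]:
    """Image references of every container in the current revision template."""
    containers = svc.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    return [c.get("image", "") for c in containers]


def audit_services(services_json: str) -> list[dict]:
    """Return one finding per problem, each with service, severity, issue and fix."""
    findings = []
    for svc in json.loads(services_json):
        name = svc.get("metadata", {}).get("name", "<unnamed>")
        ann = _annotations(svc)
        if ann.get(BINAUTHZ_ANNOTATION) != "default":
            findings.append({
                "service": name, "severity": "HIGH",
                "issue": "Binary Authorization enforcement is not enabled",
                "fix": f"gcloud run services update {name} --binary-authorization=default",
            })
        justification = ann.get(BREAKGLASS_ANNOTATION)
        if justification:
            findings.append({
                "service": name, "severity": "MEDIUM",
                "issue": f"current revision bypassed policy via breakglass ({justification})",
                "fix": "attest or rebuild the image, then redeploy without breakglass",
            })
        for image in _images(svc):
            if "@sha256:" not in image:
                findings.append({
                    "service": name, "severity": "LOW",
                    "issue": f"image referenced by mutable tag, not digest: {image}",
                    "fix": "deploy IMAGE@sha256:<digest> so the policy decision is tied to exact content",
                })
    return findings


def main() -> None:
    # Real use: gcloud run services list --format=json | python3 audit_binauthz.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_SERVICES_JSON  # fall back to the constructed sample
    for f in audit_services(data):
        print(f"[{f['severity']}] {f['service']}: {f['issue']}\n        fix: {f['fix']}")


if __name__ == "__main__":
    main()
```

Run it with no input to see the three findings produced by the constructed sample; pipe real `gcloud run services list --format=json` output into it to audit a project. The digest check is deliberately LOW severity: Binary Authorization itself evaluates the resolved digest at deploy time, so a tag reference does not bypass the policy, but pinning by digest keeps the deployed artifact identical to the one that was attested and makes later audits unambiguous.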
Enable Binary Authorization on a new service
To enable Binary Authorization on a new service, do the following:
Console
Go to the Cloud Run page.
Click Create service. In the Create service form that displays:
- Select Cloud Run as your development platform.
- Select the region where you want your service located.
- Enter the service name.
- Click Next to continue to the Configure the service's first revision page.
- Select Deploy one revision from an existing container image.
- Enter or select the image to deploy.
- Expand the Advanced settings section.
- Click the Security tab.
- Select the Verify container deployment with Binary Authorization checkbox.
- Optional: Click Configure policy to configure the Binary Authorization policy. To learn more about configuring a policy, see Configuring a policy.
- Deploy the service.
gcloud
Run the following command:
gcloud run deploy SERVICE_NAME --image=IMAGE_URL --binary-authorization=default --region=REGION
Replace the following:
- SERVICE_NAME: a name for your service.
- IMAGE_URL: the image you want to deploy.
- REGION: the region in which you want to deploy your service.
What's next
- Use the built-by-cloud-build attestor to deploy only images built by Cloud Build (Preview).
- Use attestations to deploy only signed container images.
- Configure the Binary Authorization policy using the Google Cloud console or the command-line tool.