Enable Binary Authorization for Cloud Run

This guide shows you how to set up Binary Authorization to enforce policy-based deployment of Cloud Run services.

Before you begin

Set up Cloud Run and enable APIs, by doing the following:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.

    Enable the APIs

  5. Install and initialize the Google Cloud CLI.

  6. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  7. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  8. Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.

    Enable the APIs

  9. Install and initialize the Google Cloud CLI.

Enable Binary Authorization on an existing Cloud Run service

This section describes how to enable Binary Authorization enforcement on an existing service.

To enable Binary Authorization enforcement on an existing service, do the following:

Console

  1. Go to the Cloud Run page in the Google Cloud console.

    Go to Cloud Run

  2. Click the name of the service.

  3. Click the Details tab.

  4. To enable Binary Authorization enforcement on the service, click Enable.

  5. Optional: To configure the Binary Authorization policy, click Configure Policy.

gcloud

Run the following command:

gcloud run services update SERVICE_NAME --binary-authorization=default

Replace SERVICE_NAME with a name for your service.

View the policy

To view the policy, click View policy.

Learn more about configuring a Binary Authorization policy.

Service deploy failure

If your service fails to deploy because it violates the Binary Authorization policy, you might see an error like the following:

Revision REVISION_NAME uses an unauthorized container image.
Container image IMAGE_NAME is not authorized by policy.

The error also contains information about why the image violated the policy. In this case, you can use breakglass to bypass policy enforcement and deploy the image.

Enable Binary Authorization on a new service

To enable Binary Authorization on a new service, do the following:

Console

  1. Go to the Cloud Run page:

    Go to Cloud Run

  2. Click Create service. In the Create service form that displays:

    1. Select Cloud Run as your development platform.
    2. Select the region where you want your service located.
    3. Enter the service name.
    4. Click Next to continue to the Configure the service's first revision page.
    5. Select Deploy one revision from an existing container image.
    6. Enter or select the image to deploy.
    7. Expand the Advanced settings section.
    8. Click the Security tab.

    9. Select the Verify container deployment with Binary Authorization checkbox.

    10. Optional: Click Configure policy to configure the Binary Authorization policy. To learn more about configuring a policy, see Configuring a policy

    11. Deploy the service.

gcloud

Run the following command:

  gcloud run deploy SERVICE_NAME --image=IMAGE_URL --binary-authorization=default --region=REGION

Replace the following:

  • SERVICE_NAME: a name for your service.
  • IMAGE_URL: the image you want to deploy.
  • REGION: the region in which you want to deploy your service.

What's next