Enabling Binary Authorization (Cloud Run)

This guide shows you how to set up Binary Authorization to enforce policy-based deployment of Cloud Run services.

Before you begin

Set up Cloud Run and enable APIs, by doing the following:

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.
Enable the APIs

Install and initialize the Cloud SDK.

Enable Binary Authorization on an existing Cloud Run service

To enable Binary Authorization enforcement on an existing service, do the following:

Cloud Console

Go to the Cloud Run page in the Google Cloud Console.

Go to Cloud Run
Click the name of the service.
Click the Details tab.
To enable Binary Authorization enforcement on the service, click Enable.
Optional: To configure the Binary Authorization policy, click Configure Policy.

gcloud

Run the following command:

gcloud beta run services update SERVICE_NAME --binary-authorization=default

Replace SERVICE_NAME with a name for your service.

View the policy

To view the policy, click View policy.

Learn more about configuring a Binary Authorization policy.

Service deploy failure

If your service fails to deploy because it violates the Binary Authorization policy, you might see an error like the following:

Revision REVISION_NAME uses an unauthorized container image.
Container image IMAGE_NAME is not authorized by policy.

The error also contains information about why the image violated the policy. In this case, you can use breakglass to bypass policy enforcement and deploy the image.

Enabling Binary Authorization on a new service

To enable Binary Authorization on a new service, do the following:

Cloud Console

Go to the Cloud Run page:

Go to Cloud Run
Click Create service. In the Create service form that displays:
1. Select Cloud Run as your development platform.
2. Select the region where you want your service located.
3. Enter the service name.
4. Click Next to continue to the Configure the service's first revision page.
5. Select Deploy one revision from an existing container image.
6. Enter or select the image to deploy.
7. Expand the Advanced settings section.
8. Click the Security tab.
9. Select the Verify container deployment with Binary Authorization checkbox.
  
  Note: This checkbox might be unavailable if your organization policy is set to require Binary Authorization for Cloud Run.
10. Optional: Click Configure policy to configure the Binary Authorization policy. To learn more about configuring a policy, see Configuring a policy
11. Deploy the service.

gcloud

Run the following command:

  gcloud beta run deploy SERVICE_NAME --image=IMAGE_URL --platform=managed --binary-authorization=default --region=REGION

Replace the following:

SERVICE_NAME: a name for your service.
IMAGE_URL: the image you want to deploy.
REGION: the region in which you want to deploy your service.

What's next

Configure the Binary Authorization policy using the Cloud Console or the command-line tool
Use attestations to deploy only signed container images.