Enabling Binary Authorization (Cloud Run)

This guide shows you how to set up Binary Authorization to enforce policy-based deployment of Cloud Run services.

Before you begin

Set up Cloud Run and enable the APIs by doing the following:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your project.

    Learn how to enable billing

  4. Enable the Cloud Run, Artifact Registry, and Binary Authorization APIs.

    Enable the APIs

  5. Install and initialize the Cloud SDK.

Enable Binary Authorization on an existing Cloud Run service

To enable Binary Authorization enforcement on an existing service, do the following:

Cloud Console

  1. Go to the Cloud Run page in the Google Cloud Console.

    Go to Cloud Run

  2. Click the name of the service.

  3. Click the Details tab.

  4. To enable Binary Authorization enforcement on the service, click Enable.

  5. Optional: To configure the Binary Authorization policy, click Configure Policy.

gcloud

Run the following command:

gcloud beta run services update SERVICE_NAME --binary-authorization=default

Replace SERVICE_NAME with the name of your service.

View the policy

To view the policy, click View policy.

Learn more about configuring a Binary Authorization policy.

Service deploy failure

If your service fails to deploy because it violates the Binary Authorization policy, you might see an error like the following:

Revision REVISION_NAME uses an unauthorized container image.
Container image IMAGE_NAME is not authorized by policy.

The error also contains information about why the image violated the policy. In this case, you can use breakglass to bypass policy enforcement and deploy the image.

Enabling Binary Authorization on a new service

To enable Binary Authorization on a new service, do the following:

Cloud Console

  1. Go to the Cloud Run page:

    Go to Cloud Run

  2. Click Create service. In the Create service form that displays:

    1. Select Cloud Run as your development platform.
    2. Select the region where you want your service located.
    3. Enter the service name.
    4. Click Next to continue to the Configure the service's first revision page.
    5. Select Deploy one revision from an existing container image.
    6. Enter or select the image to deploy.
    7. Expand the Advanced settings section.
    8. Click the Security tab.
    9. Select the Verify container deployment with Binary Authorization checkbox.
    10. Optional: Click Configure policy to configure the Binary Authorization policy. To learn more about configuring a policy, see Configuring a policy.
    11. Deploy the service.

gcloud

Run the following command:

  gcloud beta run deploy SERVICE_NAME --image=IMAGE_URL --platform=managed --binary-authorization=default --region=REGION

Replace the following:

  • SERVICE_NAME: a name for your service.
  • IMAGE_URL: the image you want to deploy.
  • REGION: the region in which you want to deploy your service.
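
To find services that still need the steps above, the following added example (not part of the original guide or of Google's tooling) audits a service listing for Binary Authorization enforcement and for breakglass deployments. It assumes the annotation keys run.googleapis.com/binary-authorization and run.googleapis.com/binary-authorization-breakglass on the service resource, which this page does not show, and it uses constructed sample data in place of real `gcloud run services list --format=json` output.

```python
import json

# Annotation keys as they appear on the Cloud Run service resource
# (assumption: these keys are not shown on this page).
BINAUTHZ = "run.googleapis.com/binary-authorization"
BREAKGLASS = "run.googleapis.com/binary-authorization-breakglass"

# Constructed sample shaped like `gcloud run services list --format=json`,
# trimmed to the fields the audit reads. Service names are made up.
SAMPLE = json.loads("""[
  {"metadata": {"name": "checkout", "annotations": {"run.googleapis.com/binary-authorization": "default"}}},
  {"metadata": {"name": "legacy-api", "annotations": {"run.googleapis.com/ingress": "all"}}},
  {"metadata": {"name": "hotfix", "annotations": {
      "run.googleapis.com/binary-authorization": "default",
      "run.googleapis.com/binary-authorization-breakglass": "constructed justification"}}},
  {"metadata": {"name": "no-annotations"}}
]""")


def audit(services):
    """Return one finding per service: enforced, breakglass, or unenforced."""
    findings = []
    for svc in services:
        meta = svc.get("metadata") or {}
        ann = meta.get("annotations") or {}
        if BREAKGLASS in ann:
            # Policy enforcement was bypassed; the justification needs review.
            status = "breakglass"
        elif ann.get(BINAUTHZ):
            status = "enforced"
        else:
            status = "unenforced"
        findings.append({"service": meta.get("name", "?"), "status": status,
                         "policy": ann.get(BINAUTHZ), "justification": ann.get(BREAKGLASS)})
    return findings


def needs_attention(findings):
    """Names of services that are unenforced or were deployed with breakglass."""
    return sorted(f["service"] for f in findings if f["status"] != "enforced")


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['service']:<16}{f['status']:<12}{f['policy'] or '-'}")
```

To audit a real project, replace SAMPLE with the parsed JSON output of the listing command.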

What's next