This page provides an overview of how to set up Binary Authorization for use with Cloud Run services and jobs.
How Binary Authorization policies are applied to Cloud Run
You can set a Binary Authorization policy on Cloud Run services and jobs. However, policy enforcement varies slightly between Cloud Run services and jobs.
Policies applied to Cloud Run services
When you set a Binary Authorization policy on a service, Cloud Run checks the policy each time you deploy a new revision. If the new revision does not conform to the policy, the deployment will fail. However, if this happens, you can use the breakglass feature to bypass the Binary Authorization policy and deploy a revision using a non-compliant container.
Changes in the Binary Authorization policy do not retroactively apply to existing revisions.
Policies applied to Cloud Run jobs
When you set a Binary Authorization policy on a job, Cloud Run checks the policy each time you execute the job. If a job has a non-compliant container:
- You can still update the job successfully.
- Executing the job will fail. You can use the breakglass feature to bypass the Binary Authorization policy in these situations.
Changes in the Binary Authorization policy do not retroactively apply to already-running executions.
Before you begin
Before you use Binary Authorization for Cloud Run, we recommend that you set up your Cloud Run environment.
Setup Steps
To set up Binary Authorization for Cloud Run, perform the following steps:
- Enable Binary Authorization.
- Recommended: Require Binary Authorization for Cloud Run using an organization policy.
- Enable Binary Authorization for Cloud Run.
Configure the Binary Authorization policy.
You can configure the following features in your policy:
Optional: Use the
built-by-cloud-buildattestor to deploy only images built by Cloud Build (Preview).Optional: Use attestations.
View Binary Authorization for Cloud Run events in Cloud Audit Logs.