Shape the future of software security and make your voice heard by taking the 2021 State of DevOps survey.

Requiring Binary Authorization

This page describes how to configure an organization policy that requires Binary Authorization enforcement of container images that are deployed to Cloud Run. You can require enforcement for a project, folder, or an organization.

Before you begin

You must have permission to modify organization policies to set this constraint. For example, the orgpolicy.policyAdmin role has permission to set organization policy constraints. The resourcemanager.organizationAdmin role has permission to add a user as an Organization Policy Administrator. Read the Using Constraints page to learn more about managing policies at the organization level.

Setting the organization policy

This section shows you how to set an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run. You can set the policy using the Google Cloud Console or the gcloud command-line tool.

Cloud Console

To set the organization policy using Cloud Console, do the following:

  1. In the Cloud Console, go to the Organization policies page.

    Go to Organization policies

  2. In the Project Selector at the top of the page, do the following:

    1. Select the organization for which you want to set the policy.

      You can set the policy at the organization, folder or project level using the folder ID and project ID, respectively. To learn more, see Using constraints.

    2. To complete the selection, click Open.

  3. In Filter, enter the following:

    Allowed Binary Authorization Policies (Cloud Run)
    
  4. To edit the policy details, in Policy details, click Edit.

  5. In Applies to, click Customize.

  6. Make sure Policy type is set to Allow.

To set the default Binary Authorization policy that the organization policy requires, do the following:

  1. In Custom values, in the text field, type default.

    The policy value must be set to default. Setting the value to default configures Binary Authorization to use the policy in the same project as your Cloud Run services.

  2. To save this organization policy, click Save.

gcloud

To set the organization policy using gcloud, do the following:

gcloud resource-manager org-policies allow run.allowedBinaryAuthorizationPolicies \
  default \
  --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the numeric ID of the organization.

You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

View the organization policy

You can view the organization policy using the Cloud Console or gcloud.

Cloud Console

  1. In the Cloud Console, go to the Organization policies page.

    Go to Organization policies

  2. In the Project Selector, select the organization for which you want to view the policy.

  3. In Filter, enter the following:

    Allowed Binary Authorization Policies (Cloud Run)
    
  4. To complete the selection, click Open.

  5. You can view the Allowed Binary Authorization Policies (Cloud Run) policy configuration.

gcloud

To view the organization policy that requires Binary Authorization for Cloud Run on an organization, enter the following command:

gcloud resource-manager org-policies describe \
  run.allowedBinaryAuthorizationPolicies \
  --effective \
  --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the numeric ID of the organization.

Revert the policy

You can revert the policy so that Cloud Run no longer requires Binary Authorization enforcement using the Cloud Console or gcloud.

Cloud Console

To revert the policy using the Cloud Console, do the following:

  1. In the Cloud Console, go to the Organization policies page.

    Go to Organization policies

  2. In the Project Selector, select the organization for which you want to revert the policy.

  3. In Filter, enter the following:

    Allowed Binary Authorization Policies (Cloud Run)
    
  4. To complete the selection, click Open.

  5. To edit the policy details, in Policy details, click Edit.

  6. In Applies to, select Inherit parent's policy.

  7. To save the organization policy, click Save.

gcloud

To revert the policy using gcloud, do the following:

gcloud resource-manager org-policies delete \
  run.allowedBinaryAuthorizationPolicies \
  --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the numeric ID of the organization.

The command returns the following:

Deleted [<Empty>]

Alternatively, you can view the org policy and note that the Inheritance is set to Inherit, instead of custom and there is no custom value set.

What's next