Use breakglass (Cloud Run)

This page shows you how to use breakglass to deploy or serve an image on Cloud Run when the image violates the Binary Authorization policy.

Before you begin, set up Binary Authorization for Cloud Run and deploy or serve an image.

To use breakglass, follow these steps.

Console

When an attempt is made to deploy or serve an image that violates the Binary Authorization policy, Cloud Run displays an error along with a Breakglass button.

To bypass Binary Authorization enforcement and deploy or serve a container that violates the policy, do the following:

Go to the Cloud Run Services page in the Google Cloud console.

Go to Cloud Run Services
Click the name of the service for which you want to use breakglass.
Click the Breakglass button. In the dialog that appears, do the following:
1. Enter a breakglass justification.
  
  Note: Using breakglass creates a log entry containing the breakglass justification.
2. To bypass the policy and deploy the image, click the Breakglass button.

gcloud

To bypass Binary Authorization enforcement and deploy or serve a container that violates the policy, enter the following command:

  gcloud run services update SERVICE_NAME --breakglass=JUSTIFICATION

Replace JUSTIFICATION with a justification for using breakglass.

You can now view breakglass events in Cloud Audit Logs.

What's next

View Binary Authorization events in Cloud Audit Logs.
Configure the Binary Authorization policy using the Google Cloud console or the command-line tool
Use attestations to deploy only signed container images.