# Attestations overview

This guide describes how to create and use Binary Authorization
[attestations](/binary-authorization/docs/key-concepts#attestations). After a container image is
built, an attestation can be created to affirm that a required activity was
performed on the image, such as a regression test, vulnerability scan, or
other test. The attestation is created by signing the image's unique digest.

During deployment, instead of repeating the activities, Binary Authorization
verifies the attestations using an attestor. If all of the attestations for
an image are verified, Binary Authorization allows the image to be deployed.

Before you begin
----------------

1. [Enable Binary Authorization](/binary-authorization/docs/enabling).

2. Set up Binary Authorization with one of the following products:

   - [Binary Authorization for Google Kubernetes Engine (GKE)](/binary-authorization/docs/setting-up)
   - [Binary Authorization for Cloud Run](/binary-authorization/docs/run/enabling-binauthz-cloud-run)
   - [Binary Authorization for Google Distributed Cloud](/binary-authorization/docs/setting-up-on-prem)

Cloud Service Mesh users only need to
set up the Binary Authorization policy. To do so, see
[Configure a policy](#config_policy), later in this guide.

Create an attestor
------------------

To use attestations, you first create [attestors](/binary-authorization/docs/key-concepts#attestors).
At deploy time, Binary Authorization uses attestors to verify the
attestation associated with the container image.

| **Note:** Cloud Build users, you can use the `built-by-cloud-build` attestor to [deploy only images built by Cloud Build](/binary-authorization/docs/deploy-cloud-build).

You can create attestors using the following methods:

- The [Google Cloud CLI](/binary-authorization/docs/creating-attestors-cli)
- The [Google Cloud console](/binary-authorization/docs/creating-attestors-console)

Configure a policy rule to require attestations
-----------------------------------------------

This section describes how to configure the policy to require attestations.

### GKE

- Configure the default rule to require attestations using the following
  methods:

  - The [Google Cloud console](/binary-authorization/docs/configuring-policy-console#default-rule)
  - The [command-line tool](/binary-authorization/docs/configuring-policy-cli#default-rule)

- Configure a cluster-specific rule to require attestations using the following
  methods:

  - The [Google Cloud console](/binary-authorization/docs/configuring-policy-console#add-cluster-name-gke)
  - The [command-line tool](/binary-authorization/docs/configuring-policy-cli#set_cluster_specific_rules)

### Cloud Run

Configure the default rule to require attestations using one of the
following methods:

- [The Google Cloud console](/binary-authorization/docs/configuring-policy-console)
- [The command-line tool](/binary-authorization/docs/configuring-policy-cli)

### Distributed Cloud

- Configure the default rule to require attestations using the following methods:

  - The [Google Cloud console](/binary-authorization/docs/configuring-policy-console#default-rule)
  - The [command-line tool](/binary-authorization/docs/configuring-policy-cli#default-rule)

- Configure a cluster-specific rule to require attestations using the following methods:

  - The [Google Cloud console](/binary-authorization/docs/configuring-policy-console#add-cluster-name-anthos)
  - The [command-line tool](/binary-authorization/docs/configuring-policy-cli#set_cluster_specific_rules)

### Cloud Service Mesh

Cloud Service Mesh users can create
rules—including rules that require attestations—that are scoped to either a
mesh service identity, a Kubernetes service account, or a Kubernetes
namespace.

To configure a specific rule, use the following methods:

- The [Google Cloud console](/binary-authorization/docs/configuring-policy-console#add-specific-rules-asm)
- The [command-line tool](/binary-authorization/docs/configuring-policy-cli#set_specific_rules)

Create attestations
-------------------

Attestations are created by a [signer](/binary-authorization/docs/key-concepts#signers).
The process of creating an attestation is also known as *signing an image*.
A signer can be a person who manually creates an attestation. Alternatively, a
signer can be an automated service. For instructions that describe different
approaches to creating attestations, see the following pages:

- [Create attestations manually](/binary-authorization/docs/making-attestations) by signing a container image.
- [Create attestations in a Cloud Build pipeline](/binary-authorization/docs/cloud-build).

Deploy an image
---------------

After you create an attestation, you are ready to deploy the associated image.

### GKE

[Deploy images using GKE](/binary-authorization/docs/deploying-containers).

### Cloud Run

[Deploy images using Cloud Run](/binary-authorization/docs/run/enabling-binauthz-cloud-run).

### Distributed Cloud

[Deploy images using Distributed Cloud](/binary-authorization/docs/deploying-containers).

### Cloud Service Mesh

Cloud Service Mesh workloads are enforced as soon as the policy is saved.

What's next
-----------

- [View audit logs](/binary-authorization/docs/viewing-audit-logs)
- [View Cloud Run breakglass audit logs](/binary-authorization/docs/run/viewing-audit-logs-cloud-run)
- [Use breakglass (GKE)](/binary-authorization/docs/using-breakglass)
- [Use breakglass (Cloud Run)](/binary-authorization/docs/run/using-breakglass-cloud-run)
- [Use image digests in Kubernetes manifests](/architecture/using-container-image-digests-in-kubernetes-manifests)

Last updated 2025-08-25 UTC.
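The model behind this guide (an attestation is a signature over the image digest, an attestor is a named set of trusted public keys, and a policy rule passes only when every required attestor can verify an attestation for the exact digest being deployed) is shown below as an added, self-contained Go example. It is not Binary Authorization's own code or API: the `Attestor`, `Signer`, `Rule` types, the Ed25519 keys and the sample manifest bytes are all constructed here for illustration, and a real attestor verifies signatures made with keys registered on it (for example Cloud KMS keys) rather than keys generated in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is a signer's statement about one image: a signature over the
// image digest, labelled with the attestor it is meant for. (Illustrative
// type, not the Binary Authorization resource.)
type Attestation struct {
	Attestor  string // name of the attestor expected to verify this attestation
	Digest    string // image digest in "sha256:<hex>" form
	Signature []byte // Ed25519 signature over the digest string
}

// Attestor is the verifier side: a name plus the public keys it trusts.
type Attestor struct {
	Name       string
	PublicKeys []ed25519.PublicKey
}

// NewAttestor builds an attestor that trusts the given public keys.
func NewAttestor(name string, keys ...ed25519.PublicKey) Attestor {
	return Attestor{Name: name, PublicKeys: keys}
}

// Signer holds the private key used to create attestations for one attestor.
type Signer struct {
	Attestor string
	priv     ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair (an assumption of this example;
// a production signer would use a managed key) and returns the signer together
// with the public key to register on the attestor.
func NewSigner(attestor string) (Signer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	return Signer{Attestor: attestor, priv: priv}, pub
}

// ImageDigest computes the content digest that identifies an image. A registry
// digests the image manifest; here the manifest is whatever bytes are passed in.
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Sign creates an attestation for the digest ("signing the image").
func (s Signer) Sign(digest string) Attestation {
	return Attestation{Attestor: s.Attestor, Digest: digest,
		Signature: ed25519.Sign(s.priv, []byte(digest))}
}

// Verify reports whether att is a valid attestation for digest under one of
// this attestor's trusted keys. The digest inside the attestation must equal
// the digest being deployed, so an attestation for a different build is rejected.
func (a Attestor) Verify(att Attestation, digest string) bool {
	if att.Attestor != a.Name || att.Digest != digest {
		return false
	}
	for _, pk := range a.PublicKeys {
		if ed25519.Verify(pk, []byte(digest), att.Signature) {
			return true
		}
	}
	return false
}

// Rule is a policy rule requiring an attestation from every listed attestor.
type Rule struct {
	RequiredAttestors []Attestor
}

// Evaluate returns whether deploying the image with this digest is allowed and,
// if not, which required attestors had no valid attestation.
func (r Rule) Evaluate(digest string, atts []Attestation) (bool, []string) {
	var missing []string
	for _, a := range r.RequiredAttestors {
		satisfied := false
		for _, att := range atts {
			if a.Verify(att, digest) {
				satisfied = true
				break
			}
		}
		if !satisfied {
			missing = append(missing, a.Name)
		}
	}
	return len(missing) == 0, missing
}

func main() {
	// Constructed scenario: one attestor per required activity.
	scanSigner, scanPub := NewSigner("vulnerability-scan")
	qaSigner, qaPub := NewSigner("qa-regression")
	rule := Rule{RequiredAttestors: []Attestor{
		NewAttestor("vulnerability-scan", scanPub), NewAttestor("qa-regression", qaPub)}}

	digest := ImageDigest([]byte(`{"constructed":"sample image manifest v1"}`))
	atts := []Attestation{scanSigner.Sign(digest), qaSigner.Sign(digest)}
	fmt.Println(rule.Evaluate(digest, atts))      // true []
	fmt.Println(rule.Evaluate(digest, atts[:1]))  // false [qa-regression]
	rebuilt := ImageDigest([]byte(`{"constructed":"sample image manifest v2"}`))
	fmt.Println(rule.Evaluate(rebuilt, atts))     // false: signatures bind to v1's digest
}
```

The `rebuilt` case is the one worth noticing in practice: rebuilding an image, even from the same source, yields a new digest, and the existing attestations no longer apply, so the required activities (scan, test) must be re-run and re-attested against the new digest before the policy will admit it.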