Configure a Binary Authorization policy with Cloud Run
======================================================

Last updated 2025-08-25 UTC.

This quickstart shows how to configure and test a basic
[rule](/binary-authorization/docs/key-concepts#rules) in a Binary Authorization [policy](/binary-authorization/docs/key-concepts#policies)
with Cloud Run.

In this quickstart, you use Binary Authorization to control deployment of a
Cloud Run service.

Before you begin
----------------

- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page,
  select or create a Google Cloud project.

  **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- Enable the Cloud Run, Artifact Registry, and Binary Authorization APIs.

  [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=run.googleapis.com,artifactregistry.googleapis.com,binaryauthorization.googleapis.com&redirect=https://cloud.google.com/binary-authorization/docs/run/configure-policy-cloud-run)
- [Install](/sdk/docs/install) the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first
  [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).
- To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:

  ```bash
  gcloud init
  ```

Create a service with Binary Authorization enabled
--------------------------------------------------

To create a Cloud Run service with Binary Authorization
enabled, do the following:

1. [Go to Cloud Run](https://console.cloud.google.com/run?enableapi=true)

2. Click **Create service** to display the *Create service* form.

   In the form that displays, do the following:

   1. Select Cloud Run as your development platform.
   2. Select the [region](/about/locations) where you want your service located.
   3. Specify the name you want to give to your service, for example, `test-service`.
   4. Click **Next** to continue to the *Configure the service's first
      revision* page.

   In the form, do the following:

   1. Select **Deploy one revision from an existing container image**.
   2. Use `us-docker.pkg.dev/cloudrun/container/hello` as the container image.

      **Note:** The example image name is for demonstration purposes. We recommend that you use Binary Authorization to deploy only images that you maintain.
   3. Expand the **Advanced settings** section.
   4. Click the **Security** tab.
   5. Select the **Verify container deployment with Binary Authorization** checkbox.

      **Note:** If your [organization policy requires Binary Authorization for Cloud Run](/binary-authorization/docs/run/requiring-binauthz-cloud-run), the checkbox is disabled.

      By default, the Binary Authorization policy allows all images to
      be deployed.
   6. Click **Next** to continue to the *Configure how this service is
      triggered* page.
   7. Select **Allow unauthenticated invocations** to be able to open the
      result in your web browser.
   8. Click **Create** to deploy the image to Cloud Run and wait
      for the deployment to finish.

   Your service is deployed. Revisions are subject to
   Binary Authorization policy enforcement.

Update the Binary Authorization policy to disallow all images
-------------------------------------------------------------

The Binary Authorization policy contains a default rule. This rule governs the
deployment of the Cloud Run service you just created.

By default, the rule allows all container images to be deployed.

To view the default policy, do the following:

1. [Go to Binary Authorization](https://console.cloud.google.com/security/binary-authorization/)

2. Click **Edit Policy**.

3. In **Project Default Rule**, note that the option **Allow All Images** is
   selected.

Now, modify the policy to *block all images from being deployed*, by doing the
following:

1. Go to the **Binary Authorization** page in the Google Cloud console.

   [Go to Binary Authorization](https://console.cloud.google.com/security/binary-authorization/policy)

2. Click **Edit Policy**.

3. In **Default rule**, select **Disallow All Images**.

4. Click **Save Policy**.

**Note:** It can take a few minutes for the policy to take effect.

Redeploy the service
--------------------

Test the updated policy by deploying a new revision.

To deploy the image, do the following:

1. [Go to Cloud Run](https://console.cloud.google.com/run?enableapi=true)

2. Click the name of the service you deployed earlier in this guide.

3. Click **Edit and deploy new revision**.

4. Click **Deploy**.

You see an error message similar to the following:

```
Service update rejected by Binary Authorization policy: Revision
REVISION uses unauthorized container image. Container image 'us-docker.pkg.dev/cloudrun/container/hello@SHA' is not authorized by policy. Denied by an ALWAYS_DENY admission rule
```

Reset the policy to allow all images
------------------------------------

To reset the policy to allow all images, do the following:

1. Go to the **Binary Authorization** page in the Google Cloud console.

   [Go to Binary Authorization](https://console.cloud.google.com/security/binary-authorization/policy)

2. Click **Edit Policy**.

3. Select **Allow All Images**.

4. To save the policy, click **Save Policy**.

You can now deploy images.

Clean up
--------

To avoid incurring charges to your Google Cloud account for
the resources used on this page, follow these steps.

To delete the service you created in Cloud Run, do the
following:

1. [Go to Cloud Run](https://console.cloud.google.com/run)

2. Locate the service you want to delete in the services list, and click
   its checkbox to select it.

3. Click **Delete**. This deletes all revisions of the service.

To disable Binary Authorization, see [Disabling Binary Authorization](/binary-authorization/docs/run/disabling-binauthz-cloud-run).

What's next
-----------

- Use [breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run) to
  bypass Binary Authorization enforcement.

- Use the `built-by-cloud-build` attestor to [deploy only images built by Cloud Build](/binary-authorization/docs/deploy-cloud-build).

- [Use attestations](/binary-authorization/docs/attestations).

- Configure the Binary Authorization policy by using the [Google Cloud console](/binary-authorization/docs/configuring-policy-console) or the [command-line tool](/binary-authorization/docs/configuring-policy-cli).

- [View Binary Authorization for Cloud Run events in Cloud Audit Logs](/binary-authorization/docs/run/viewing-audit-logs-cloud-run).
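
The default rule that this quickstart switches between **Allow All Images** and **Disallow All Images** can also be checked in code. The following is an added example, not part of the original quickstart or Google's own code: it audits a policy document for a default rule that would not block an unauthorized image, and goes beyond the two modes used here by also handling `REQUIRE_ATTESTATION` and dry-run enforcement. It assumes the policy is available as JSON using the Policy resource's field names; the function names and the sample policies are constructed for illustration.

```python
import json

BLOCKING = "ENFORCED_BLOCK_AND_AUDIT_LOG"

# Constructed sample policies (not exported from a real project).
SAMPLES = {
    "allow_all": '{"defaultAdmissionRule": {"evaluationMode": "ALWAYS_ALLOW",'
                 ' "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}}',
    "deny_all": '{"defaultAdmissionRule": {"evaluationMode": "ALWAYS_DENY",'
                ' "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}}',
    "deny_dry_run": '{"defaultAdmissionRule": {"evaluationMode": "ALWAYS_DENY",'
                    ' "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY"}}',
    "attest_no_attestor": '{"defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",'
                          ' "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",'
                          ' "requireAttestationsBy": []}}',
    "no_rule": '{"name": "projects/PROJECT_ID/policy"}',
}


def audit_default_rule(policy: dict) -> list[str]:
    """Return findings for a default rule that does not reliably block images."""
    rule = policy.get("defaultAdmissionRule")
    if not isinstance(rule, dict):
        return ["policy has no defaultAdmissionRule"]
    findings = []
    mode = rule.get("evaluationMode")
    if mode == "ALWAYS_ALLOW":
        findings.append("default rule is ALWAYS_ALLOW: every image is admitted")
    elif mode == "REQUIRE_ATTESTATION":
        if not rule.get("requireAttestationsBy"):
            findings.append("REQUIRE_ATTESTATION names no attestors")
    elif mode != "ALWAYS_DENY":
        findings.append(f"unrecognized evaluationMode: {mode!r}")
    enforcement = rule.get("enforcementMode")
    if enforcement != BLOCKING:
        findings.append(f"enforcementMode is {enforcement!r}, not {BLOCKING}")
    return findings


def audit_json(text: str) -> list[str]:
    """Parse a JSON policy document and audit its default rule."""
    return audit_default_rule(json.loads(text))


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        findings = audit_json(text)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

An empty result for the `deny_all` sample corresponds to the state in which the redeploy above is rejected; the `allow_all` sample corresponds to the policy after the reset step.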