Configure a Binary Authorization policy with Cloud Run

This quickstart shows how to configure and test a basic rule in a Binary Authorization policy with Cloud Run.

In this quickstart, you use Binary Authorization to control deployment of a Cloud Run service.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.

    Enable the APIs

  5. Install the Google Cloud CLI.

  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. To initialize the gcloud CLI, run the following command: 

    gcloud init

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  9. Verify that billing is enabled for your Google Cloud project.

  10. Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.

    Enable the APIs

  11. Install the Google Cloud CLI.

  12. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  13. To initialize the gcloud CLI, run the following command: 

    gcloud init

Create a service with Binary Authorization enabled

To create a Cloud Run service with Binary Authorization enabled, do the following:

  1. Go to Cloud Run

  2. Click Create service to display the Create service form:

    image

    In the form that displays, do the following:

    1. Select Cloud Run as your development platform.
    2. Select the region where you want your service located.
    3. Specify the name you want to give to your service—for example, test-service.

    4. Click Next to continue to the Configure the service's first revision page.

      In the form, do the following:

      1. Select Deploy one revision from an existing container image.

      2. Use us-docker.pkg.dev/cloudrun/container/hello as the container image.

      3. Expand the Advanced settings section.

      4. Click the Security tab.

      5. Select the Verify container deployment with Binary Authorization checkbox:

        image

        By default, the Binary Authorization policy allows all images to be deployed.

      6. Click Next to continue to the Configure how this service is triggered page:

        image

      7. Select Allow unauthenticated invocations to be able to open the result in your web browser

      8. Click Create to deploy the image to Cloud Run and wait for the deployment to finish.

      Your service is deployed. Revisions are subject to Binary Authorization policy enforcement.

Update the Binary Authorization policy to disallow all images

The Binary Authorization policy contains a default rule. This rule governs the deployment of the Cloud Run service you just created.

By default, the rule allows all container images to be deployed.

To view the default policy, do the following:

  1. Go to Binary Authorization

    Screenshot of policy tab showing default rule

  2. Click Edit Policy.

  3. In Project Default Rule, note that the option Allow All Images is selected.

    Screenshot of the option to choose a default rule type

Now, modify the policy to block all images from being deployed, by doing the following:

  1. Go to the Binary Authorization page in the Google Cloud console.

    Go to Binary Authorization

  2. Click Edit Policy.

  3. In Default rule, select Disallow All Images.

    Screenshot of the option to choose a default rule type

  4. Click Save Policy.

Redeploy the service

Test the updated policy by deploying a new revision.

To deploy the image, do the following:

  1. Go to Cloud Run

  2. Click the name of the service you deployed earlier in this guide.

  3. Click Edit and deploy new revision.

  4. Click Deploy.

You see an error message similar to the following:

Service update rejected by Binary Authorization policy: Revision
REVISION uses unauthorized container image. Container image 'us-docker.pkg.dev/cloudrun/container/hello@SHA' is not authorized by policy. Denied by an ALWAYS_DENY admission rule

Reset the policy to allow all images

To reset the policy to allow all images, do the following:

  1. Go to the Binary Authorization page in the Google Cloud console.

    Go to Binary Authorization

  2. Click Edit Policy.

  3. Select Allow All Images.

  4. To save the policy, click Save Policy.

You can now deploy images.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

To delete the service you created in Cloud Run, do the following:

  1. Go to Cloud Run

  2. Locate the service you want to delete in the services list, and click its checkbox to select it.

  3. Click Delete. This deletes all revisions of the service.

To disable Binary Authorization, see Disabling Binary Authorization.

What's next