Enable Binary Authorization for Cloud Run

This guide shows you how to set up Binary Authorization to enforce policy-based deployment of Cloud Run services and jobs.

Before you begin

Set up Cloud Run and enable APIs, by doing the following:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.

    Enable the APIs

  5. Install the Google Cloud CLI.
  6. To initialize the gcloud CLI, run the following command:

    gcloud init
  7. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  8. Make sure that billing is enabled for your Google Cloud project.

  9. Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.

    Enable the APIs

  10. Install the Google Cloud CLI.
  11. To initialize the gcloud CLI, run the following command:

    gcloud init

Enable Binary Authorization on an existing Cloud Run service

You can enable Binary Authorization enforcement on an existing service. To activate enforcement after enabling it, you might need to deploy a revision or update service traffic.

You can enable Binary Authorization enforcement on an existing service using the Google Cloud console or Google Cloud CLI:

Console

  1. Go to the Cloud Run page in the Google Cloud console.

    Go to Cloud Run

  2. Click the service.

  3. Click the Security tab.

  4. To enable Binary Authorization enforcement on the service, click Enable.

  5. Optional: To configure the Binary Authorization policy, click Configure Policy.

gcloud

Enable Binary Authorization on the service and deploy it:

gcloud run services update SERVICE_NAME --binary-authorization=default

Replace SERVICE_NAME with a name for your service.

YAML

  1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. Update the run.googleapis.com/binary-authorization: annotation as follows:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/binary-authorization: POLICY
      name: SERVICE
    spec:
      template:

    Replace the following:

    • SERVICE: the name of your Cloud Run
    • POLICY: set to default
  3. Replace the service with its new configuration using the following command:

gcloud run services replace service.yaml

Enable Binary Authorization on an existing Cloud Run job

You can enable Binary Authorization enforcement on an existing job using the Google Cloud console or Google Cloud CLI:

Console

  1. Go to the Cloud Run jobs page in the Google Cloud console.

    Go to Cloud Run

  2. Click the job to open the job details.

  3. Click the Configuration tab.

  4. Under Binary Authorization, select a policy from the policy list.

  5. Click Apply to enable Binary Authorization enforcement on the job.

  6. Optional: To configure the Binary Authorization policy, click Configure Policy.

gcloud

Enable Binary Authorization on the job:

gcloud run jobs update JOB_NAME --binary-authorization=POLICY

Replace the following:

  • JOB_NAME: the name of your job.
  • POLICY: the policy you want to apply. Use the value default to use the default policy.

We recommend that you require Binary Authorization for Cloud Run by configuring an organization policy to do so. Binary Authorization can be disabled by Cloud Run developers if the policy is not configured.

View the policy

To view the policy, click View policy.

For more information, see configuring a Binary Authorization policy.

Service or job deploy failure

If your service or job fails to deploy because it violates the Binary Authorization policy, you might see an error like the following:

Revision REVISION_NAME uses an unauthorized container image.
Container image IMAGE_NAME is not authorized by policy.

The error also contains information about why the image violated the policy. In this case, you can use breakglass to bypass policy enforcement and deploy the image.

Enable Binary Authorization on a new service

You can enable Binary Authorization on a new service using the Google Cloud console or Google Cloud CLI:

Console

  1. Go to the Cloud Run page:

    Go to Cloud Run

  2. Click Create service.

  3. In the Create service form :

    1. Select Cloud Run as your development platform.
    2. Select the region where you want your service located.
    3. Enter the service name.
    4. Click Next to continue to the Configure the service's first revision page.
    5. Select Deploy one revision from an existing container image.
    6. Enter or select the image to deploy.
    7. Expand the Advanced settings section.
    8. Click the Security tab.
    9. Select the Verify container deployment with Binary Authorization checkbox.

    10. Optional: Click Configure policy to configure the Binary Authorization policy. To learn more about configuring a policy, see Configuring a policy

    11. Deploy the service.

gcloud

Enable Binary Authorization on the service and deploy it:

  gcloud run deploy SERVICE_NAME --image=IMAGE_URL --binary-authorization=default --region=REGION

Replace the following:

  • SERVICE_NAME: a name for your service.
  • IMAGE_URL: the image you want to deploy.
  • REGION: the region in which you want to deploy your service.

Enable Binary Authorization on a new job

You can enable Binary Authorization on a new job using the Google Cloud CLI:

gcloud

  1. Create a new job with Binary Authorization enabled:

    gcloud run jobs create JOB_NAME \
      --image IMAGE_URL OPTIONS \
      --binary-authorization=POLICY \
      --region=REGION

    Replace the following:

    • JOB_NAME: the name of the job you want to create. You can omit this parameter, but you will be prompted for the job name if you omit it.
    • POLICY: the policy you want to apply. Use the value default to use the default policy.
    • IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/job:latest.
    • REGION: the region where this job will run.
    • OPTIONS: any of the available options described in the Cloud Run job creation page.
  2. Wait for the job creation to finish. Upon successful completion, the console displays a success message.

  3. To execute the job, see Execute jobs or execute jobs on a schedule.

When you create a new job, the Cloud Run service agent needs to be able to access the container, which is the case by default.

YAML

  1. Create a new job.yaml file with this content:

    apiVersion: run.googleapis.com/v1
    kind: Job
    metadata:
      name: JOB
      annotations:
        run.googleapis.com/binary-authorization: POLICY
    spec:
      template:
        spec:
          containers:
          - image: IMAGE

    Replace the following:

    • JOB: the name of your Cloud Run job
    • IMAGE: the URL of your container image
    • POLICY: set to default
  2. Deploy the new job using the following command:

    gcloud run jobs replace job.yaml

What's next