This guide shows you how to set up Binary Authorization to enforce policy-based deployment of Cloud Run services and jobs.
Before you begin
Set up Cloud Run and enable APIs, by doing the following:
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud Run, Artifact Registry, Binary Authorization APIs.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
Enable Binary Authorization on an existing Cloud Run service
You can enable Binary Authorization enforcement on an existing service. To activate enforcement after enabling it, you might need to deploy a revision or update service traffic.
You can enable Binary Authorization enforcement on an existing service using the Google Cloud console or Google Cloud CLI:
Console
Go to the Cloud Run page in the Google Cloud console.
Click the service.
Click the Security tab.
To enable Binary Authorization enforcement on the service, click Enable.
Optional: To configure the Binary Authorization policy, click Configure Policy.
gcloud
Enable Binary Authorization on the service and deploy it:
gcloud run services update SERVICE_NAME --binary-authorization=default
Replace SERVICE_NAME
with a name for your service.
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
Update the
run.googleapis.com/binary-authorization:
annotation as follows:apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/binary-authorization: POLICY name: SERVICE spec: template:
Replace the following:
- SERVICE: the name of your Cloud Run
- POLICY: set to
default
Replace the service with its new configuration using the following command:
gcloud run services replace service.yaml
Enable Binary Authorization on an existing Cloud Run job
You can enable Binary Authorization enforcement on an existing job using the Google Cloud console or Google Cloud CLI:
Console
Go to the Cloud Run jobs page in the Google Cloud console.
Click the job to open the job details.
Click the Configuration tab.
Under Binary Authorization, select a policy from the policy list.
Click Apply to enable Binary Authorization enforcement on the job.
Optional: To configure the Binary Authorization policy, click Configure Policy.
gcloud
Enable Binary Authorization on the job:
gcloud run jobs update JOB_NAME --binary-authorization=POLICY
Replace the following:
JOB_NAME
: the name of your job.POLICY
: the policy you want to apply. Use the valuedefault
to use the default policy.
We recommend that you require Binary Authorization for Cloud Run by configuring an organization policy to do so. Binary Authorization can be disabled by Cloud Run developers if the policy is not configured.
View the policy
To view the policy, click View policy.
For more information, see configuring a Binary Authorization policy.
Service or job deploy failure
If your service or job fails to deploy because it violates the Binary Authorization policy, you might see an error like the following:
Revision REVISION_NAME uses an unauthorized container image. Container image IMAGE_NAME is not authorized by policy.
The error also contains information about why the image violated the policy. In this case, you can use breakglass to bypass policy enforcement and deploy the image.
Enable Binary Authorization on a new service
You can enable Binary Authorization on a new service using the Google Cloud console or Google Cloud CLI:
Console
Go to the Cloud Run page:
Click Create service.
In the Create service form :
- Select Cloud Run as your development platform.
- Select the region where you want your service located.
- Enter the service name.
- Click Next to continue to the Configure the service's first revision page.
- Select Deploy one revision from an existing container image.
- Enter or select the image to deploy.
- Expand the Advanced settings section.
- Click the Security tab.
Select the Verify container deployment with Binary Authorization checkbox.
Optional: Click Configure policy to configure the Binary Authorization policy. To learn more about configuring a policy, see Configuring a policy
Deploy the service.
gcloud
Enable Binary Authorization on the service and deploy it:
gcloud run deploy SERVICE_NAME --image=IMAGE_URL --binary-authorization=default --region=REGION
Replace the following:
SERVICE_NAME
: a name for your service.IMAGE_URL
: the image you want to deploy.REGION
: the region in which you want to deploy your service.
Enable Binary Authorization on a new job
You can enable Binary Authorization on a new job using the Google Cloud CLI:
gcloud
Create a new job with Binary Authorization enabled:
gcloud run jobs create JOB_NAME \ --image IMAGE_URL OPTIONS \ --binary-authorization=POLICY \ --region=REGION
Replace the following:
JOB_NAME
: the name of the job you want to create. You can omit this parameter, but you will be prompted for the job name if you omit it.POLICY
: the policy you want to apply. Use the valuedefault
to use the default policy.- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/job:latest
. REGION
: the region where this job will run.OPTIONS
: any of the available options described in the Cloud Run job creation page.
Wait for the job creation to finish. Upon successful completion, the console displays a success message.
To execute the job, see Execute jobs or execute jobs on a schedule.
When you create a new job, the Cloud Run service agent needs to be able to access the container, which is the case by default.
YAML
Create a new
job.yaml
file with this content:apiVersion: run.googleapis.com/v1 kind: Job metadata: name: JOB annotations: run.googleapis.com/binary-authorization: POLICY spec: template: spec: containers: - image: IMAGE
Replace the following:
- JOB: the name of your Cloud Run job
- IMAGE: the URL of your container image
- POLICY: set to
default
Deploy the new job using the following command:
gcloud run jobs replace job.yaml
What's next
- Use the
built-by-cloud-build
attestor to deploy only images built by Cloud Build. - Configure the Binary Authorization policy using the Google Cloud console or the command-line tool.
- Use attestations to deploy only signed container images.
- Watch a video on how to use Binary Authorization in Cloud Run so that only approved builds are deployed.