Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of how to set up Binary Authorization for use with
Cloud Run services and jobs.
How Binary Authorization policies are applied to Cloud Run
You can set a Binary Authorization policy on Cloud Run services and jobs.
However, policy enforcement varies slightly between Cloud Run services
and jobs.
Policies applied to Cloud Run services
When you set a Binary Authorization policy on a service, Cloud Run
checks the policy each time you deploy a new revision. If the new revision does
not conform to the policy, the deployment will fail. However, if this happens, you
can use the breakglass
feature to bypass the Binary Authorization policy and deploy a revision using a
non-compliant container.
Changes in the Binary Authorization policy do not retroactively
apply to existing revisions.
Policies applied to Cloud Run jobs
When you set a Binary Authorization policy on a job, Cloud Run checks the
policy each time you execute the job. If a job has a non-compliant container:
You can still update the job successfully.
Executing the job will fail. You can use the
breakglass
feature to bypass the Binary Authorization policy in these situations.
Changes in the Binary Authorization policy do not retroactively
apply to already-running executions.
To deploy functions in Cloud Run, the Binary Authorization
policy administrator must configure the Binary Authorization policy to
exempt all images from the
REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/**
repository and its subdirectories.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis guide details the process of setting up Binary Authorization for Cloud Run services and jobs, including how policies are applied and enforced.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization policies for Cloud Run services are checked during new revision deployments, with failed deployments occurring if the new revision does not conform to the policy, although it has a breakglass feature.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization policies for Cloud Run jobs are checked during each job execution, which will fail if a non-compliant container is present, although a breakglass feature is also available.\u003c/p\u003e\n"],["\u003cp\u003eChanges to Binary Authorization policies do not retroactively apply to existing Cloud Run revisions or already-running job executions.\u003c/p\u003e\n"],["\u003cp\u003eThe setup process involves enabling Binary Authorization, optionally requiring it via an organization policy, and then configuring the Binary Authorization policy, which may include exempting images or setting up attestations.\u003c/p\u003e\n"]]],[],null,["# Set up overview for Cloud Run\n\nThis page provides an overview of how to set up Binary Authorization for use with\nCloud Run services and jobs.\n\nHow Binary Authorization policies are applied to Cloud Run\n----------------------------------------------------------\n\nYou can set a Binary Authorization policy on Cloud Run services and jobs.\nHowever, policy enforcement varies slightly between Cloud Run services\nand jobs.\n\n### Policies applied to Cloud Run services\n\nWhen you set a Binary Authorization policy on a service, Cloud Run\nchecks the policy each time you deploy a new revision. If the new revision does\nnot conform to the policy, the deployment will fail. However, if this happens, you\ncan use the [breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run)\nfeature to bypass the Binary Authorization policy and deploy a revision using a\nnon-compliant container.\n\nChanges in the Binary Authorization policy *do not* retroactively\napply to existing revisions.\n\n### Policies applied to Cloud Run jobs\n\nWhen you set a Binary Authorization policy on a job, Cloud Run checks the\npolicy each time you execute the job. If a job has a non-compliant container:\n\n- You can still update the job successfully.\n- Executing the job will fail. You can use the [breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run) feature to bypass the Binary Authorization policy in these situations.\n\nChanges in the Binary Authorization policy *do not* retroactively\napply to already-running executions.\n\nBefore you begin\n----------------\n\nBefore you use Binary Authorization for Cloud Run, we recommend that you\n[set up your Cloud Run environment](/run/docs/setup).\n\nSetup Steps\n-----------\n\nTo set up Binary Authorization for Cloud Run, perform the following steps:\n\n1. [Enable Binary Authorization](/binary-authorization/docs/enabling).\n2. Recommended: [Require Binary Authorization for Cloud Run](/binary-authorization/docs/run/requiring-binauthz-cloud-run) using an organization policy.\n3. [Enable Binary Authorization for Cloud Run](/binary-authorization/docs/run/enabling-binauthz-cloud-run).\n4. Configure the Binary Authorization policy.\n\n | **Note:** Skip this step if you want to use attestations.\n\n You can configure the following features in your policy:\n - [Default rule](/binary-authorization/docs/configuring-policy-console#default-rule).\n - [Exempt images](/binary-authorization/docs/configuring-policy-console#exempt_images). [Learn more about exempt images](/binary-authorization/docs/key-concepts#exempt_images).\n\n To deploy functions in Cloud Run, the Binary Authorization\n policy administrator must configure the Binary Authorization policy to\n exempt all images from the\n \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e`-docker.pkg.dev/`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`/cloud-run-source-deploy/**`\n repository and its subdirectories.\n5. Optional: Use the `built-by-cloud-build` attestor to [deploy only images built by Cloud Build](/binary-authorization/docs/deploy-cloud-build) ([Preview](/products#product-launch-stages)).\n\n6. Optional: [Use attestations](/binary-authorization/docs/attestations).\n\n7. [View Binary Authorization for Cloud Run events in Cloud Audit Logs](/binary-authorization/docs/run/viewing-audit-logs-cloud-run)."]]
