This page describes how to configure an organization policy that requires
Binary Authorization enforcement of container images that are deployed to
Cloud Run. You can require enforcement for a project, folder, or
an organization.
Before you begin
You must have permission to modify organization policies to set this constraint. For example, the orgpolicy.policyAdmin role has permission to set organization policy constraints. The resourcemanager.organizationAdmin role has permission to add a user as an Organization Policy Administrator. Read the Using Constraints page to learn more about managing policies at the organization level.

You can use a custom constraint to require that Binary Authorization is set to default at the project level.
Set the organization policy
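This section shows you how to set an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run. You can set the policy using the Google Cloud console or the Google Cloud CLI.

Warning: Setting this policy can affect running services. If you have running services, we recommend you enable dry-run mode in the policy and review Cloud Audit Logs entries for Cloud Run before updating the policy to be more restrictive.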
Console
To set the organization policy using Google Cloud console, do the following:

1. In the Google Cloud console, go to the Organization policies page (https://console.cloud.google.com/iam-admin/orgpolicies).
2. In the Project Selector at the top of the page, do the following:
   1. Select the organization for which you want to set the policy.
      You can set the policy at the organization, folder or project level using the folder ID and project ID, respectively. To learn more, see Using constraints.
   2. To complete the selection, click Open.
3. In Filter, enter the following:
   Allowed Binary Authorization Policies (Cloud Run)
4. To edit the policy details, in Policy details, click Edit.
5. In Applies to, click Customize.
   Note: You can inherit settings from a parent project or organization by clicking Inherit parent's policy.
6. Make sure Policy type is set to Allow.

To set the default Binary Authorization policy that the organization policy requires, do the following:

1. In Custom values, in the text field, type default.
   The policy value must be set to default. Setting the value to default configures Binary Authorization to use the policy in the same project as your Cloud Run services.
2. To save this organization policy, click Save.
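gcloud
To set the organization policy using gcloud, do the following:

```
gcloud resource-manager org-policies allow run.allowedBinaryAuthorizationPolicies \
    default \
    --organization=ORGANIZATION_ID
```

Replace ORGANIZATION_ID with the numeric ID of the organization.

You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

Note: It can take up to a few minutes for the organization policy to update and require Binary Authorization enforcement for Cloud Run.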
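To confirm the constraint is in force on each resource, the check below is an added example (not part of the original page or Google's tooling) that reads the JSON printed by `gcloud resource-manager org-policies describe run.allowedBinaryAuthorizationPolicies --effective --format=json` and reports any resource whose effective policy is not pinned to default. It assumes the Resource Manager v1 Policy field names (constraint, listPolicy, allowedValues, deniedValues, allValues); the resource names and sample policies are constructed.

```python
import json

CONSTRAINT = "constraints/run.allowedBinaryAuthorizationPolicies"

# Constructed sample data (not real output): effective policies per resource,
# shaped like the Resource Manager v1 Policy JSON that
# `org-policies describe --effective --format=json` prints.
SAMPLE_POLICIES = {
    "organizations/123456789012": json.dumps(
        {"constraint": CONSTRAINT, "listPolicy": {"allowedValues": ["default"]}}),
    "folders/222222222222": json.dumps(
        {"constraint": CONSTRAINT, "listPolicy": {"allValues": "ALLOW"}}),
    "projects/example-sandbox": json.dumps(
        {"constraint": CONSTRAINT,
         "listPolicy": {"allowedValues": ["default"], "deniedValues": ["default"]}}),
    "projects/example-empty": json.dumps({"constraint": CONSTRAINT}),
}


def check_policy(raw_json):
    """Return (enforced, reason) for one effective-policy JSON document."""
    policy = json.loads(raw_json)
    if policy.get("constraint") != CONSTRAINT:
        return False, "policy is for a different constraint"
    rule = policy.get("listPolicy")
    if not rule:
        return False, "no list policy present"
    if "allValues" in rule:
        return False, "allValues=%s instead of an explicit allow list" % rule["allValues"]
    if "default" in rule.get("deniedValues", []):
        return False, "'default' is also denied"
    allowed = rule.get("allowedValues", [])
    if allowed != ["default"]:
        return False, "allowed values are %r, expected ['default']" % allowed
    return True, "only 'default' is allowed"


def audit(policies):
    """Map each resource name to its (enforced, reason) result."""
    return {name: check_policy(raw) for name, raw in policies.items()}


def unenforced(policies):
    """Sorted resource names where the constraint is not pinned to 'default'."""
    return sorted(n for n, (ok, _) in audit(policies).items() if not ok)


if __name__ == "__main__":
    for name, (ok, reason) in sorted(audit(SAMPLE_POLICIES).items()):
        print("%-28s %-4s %s" % (name, "OK" if ok else "GAP", reason))
```

Run the describe command once per organization, folder, or project you want covered and feed the saved JSON to `audit`; anything returned by `unenforced` still accepts Cloud Run deployments without the required Binary Authorization policy.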
View the organization policy
You can view the organization policy using the Google Cloud console or gcloud.
Console
1. In the Google Cloud console, go to the Organization policies page (https://console.cloud.google.com/iam-admin/orgpolicies).
2. In the Project Selector, select the organization for which you want to view the policy.
3. In Filter, enter the following:
   Allowed Binary Authorization Policies (Cloud Run)
4. To complete the selection, click Open.
5. You can view the Allowed Binary Authorization Policies (Cloud Run) policy configuration.

gcloud
To view the organization policy that requires Binary Authorization for Cloud Run on an organization, enter the following command:

```
gcloud resource-manager org-policies describe \
    run.allowedBinaryAuthorizationPolicies \
    --effective \
    --organization=ORGANIZATION_ID
```

Replace ORGANIZATION_ID with the numeric ID of the organization.

Revert the policy
You can revert the policy so that Cloud Run no longer requires Binary Authorization enforcement using the Google Cloud console or gcloud.
Console
To revert the policy using the Google Cloud console, do the following:

1. In the Google Cloud console, go to the Organization policies page (https://console.cloud.google.com/iam-admin/orgpolicies).
2. In the Project Selector, select the organization for which you want to revert the policy.
3. In Filter, enter the following:
   Allowed Binary Authorization Policies (Cloud Run)
4. To complete the selection, click Open.
5. To edit the policy details, in Policy details, click Edit.
6. In Applies to, select Inherit parent's policy.
7. To save the organization policy, click Save.

gcloud
To revert the policy using gcloud, do the following:

```
gcloud resource-manager org-policies delete \
    run.allowedBinaryAuthorizationPolicies \
    --organization=ORGANIZATION_ID
```

Replace ORGANIZATION_ID with the numeric ID of the organization.

The command returns the following:

```
Deleted [<Empty>]
```

Alternatively, you can view the org policy and note that the Inheritance is set to Inherit, instead of custom and there is no custom value set.

What's next
- [Enable Binary Authorization on a Cloud Run service](/binary-authorization/docs/run/enabling-binauthz-cloud-run)
- [Deploy a prebuilt Cloud Run service](/run/docs/quickstarts/deploy-container)
- [Configure a Binary Authorization policy](/binary-authorization/docs/configuring-policy-console)

Last updated 2025-08-25 UTC.