Binary Authorization
Author: Venkata Sudhakar
Google Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed to GKE or Cloud Run. It works by requiring cryptographic attestations that images have passed required security checks before they can be deployed.

Key Features:
1. Attestation-based - Requires signed attestations from authorized attestors before allowing deployment.
2. Policy enforcement - Define policies that specify which images and attestors are trusted.
3. CI/CD integration - Integrate with Cloud Build to automatically attest images after security checks pass.
4. Break-glass - Emergency bypass mechanism with full audit trail for production incidents.
5. Dry-run mode - Test policies without blocking deployments to validate before enforcing.

The below example shows how to set up Binary Authorization with an attestor and policy.
It gives the following output:
Attestor [my-attestor] created.
Key added to attestor successfully.
Attestation created for:
Image: gcr.io/my-project/my-app@sha256:abc123...
Attestor: my-attestor
Status: SIGNED
Deployment to GKE: ALLOWED (attestation verified)
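As an added example (not code from the original page, and not Google's own tooling), the following script shows the gcloud steps that correspond to the output above: create the attestor, add a Cloud KMS key as its public key, sign a digest to create an attestation, and import a policy that requires that attestor. The project, note, key ring, key and attestor names are constructed placeholders; the policy field names and enforcement-mode values are the product's own. The gcloud calls only run when BINAUTHZ_APPLY=1 is set and gcloud is installed, so the script also runs offline and just prints the policy it would import.

```shell
#!/usr/bin/env sh
# Added example: Binary Authorization setup with an attestor and policy.
# Names below are constructed placeholders; override them via environment.
BINAUTHZ_PROJECT="${BINAUTHZ_PROJECT:-my-project}"
ATTESTOR="${ATTESTOR:-my-attestor}"
NOTE="${NOTE:-my-attestor-note}"            # Container Analysis note backing the attestor
KMS_LOCATION="us-central1"; KMS_KEYRING="binauthz-ring"; KMS_KEY="attestor-key"

# Emit the policy. Argument 1 selects the enforcement mode:
#   enforce -> ENFORCED_BLOCK_AND_AUDIT_LOG (block and log)
#   dryrun  -> DRYRUN_AUDIT_LOG_ONLY (log only; the page's "dry-run mode")
write_policy() {
  mode="ENFORCED_BLOCK_AND_AUDIT_LOG"
  [ "$1" = "dryrun" ] && mode="DRYRUN_AUDIT_LOG_ONLY"
  cat <<EOF
name: projects/${BINAUTHZ_PROJECT}/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ${mode}
  requireAttestationsBy:
  - projects/${BINAUTHZ_PROJECT}/attestors/${ATTESTOR}
EOF
}

# One-time setup: the attestor and the KMS key version it trusts.
setup_attestor() {
  gcloud container binauthz attestors create "$ATTESTOR" \
    --project="$BINAUTHZ_PROJECT" \
    --attestation-authority-note="$NOTE" \
    --attestation-authority-note-project="$BINAUTHZ_PROJECT"
  gcloud container binauthz attestors public-keys add \
    --project="$BINAUTHZ_PROJECT" --attestor="$ATTESTOR" \
    --keyversion-project="$BINAUTHZ_PROJECT" --keyversion-location="$KMS_LOCATION" \
    --keyversion-keyring="$KMS_KEYRING" --keyversion-key="$KMS_KEY" \
    --keyversion=1
}

# Per-build step (normally run from Cloud Build after scans pass): sign the
# image digest. Refuses tags, because only an immutable digest can be attested.
attest_image() {
  case "$1" in
    *@sha256:*) ;;
    *) echo "refusing to attest a mutable tag: $1" >&2; return 1 ;;
  esac
  gcloud beta container binauthz attestations sign-and-create \
    --project="$BINAUTHZ_PROJECT" --artifact-url="$1" \
    --attestor="$ATTESTOR" --attestor-project="$BINAUTHZ_PROJECT" \
    --keyversion-project="$BINAUTHZ_PROJECT" --keyversion-location="$KMS_LOCATION" \
    --keyversion-keyring="$KMS_KEYRING" --keyversion-key="$KMS_KEY" \
    --keyversion=1
}

if [ "${BINAUTHZ_APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  setup_attestor
  write_policy "${POLICY_MODE:-dryrun}" > policy.yaml
  gcloud container binauthz policy import policy.yaml --project="$BINAUTHZ_PROJECT"
  if [ -n "${IMAGE_DIGEST_REF:-}" ]; then attest_image "$IMAGE_DIGEST_REF"; fi
else
  # Offline: show the policy that would be imported.
  write_policy "${POLICY_MODE:-dryrun}"
fi
```

Start with POLICY_MODE=dryrun so blocked deployments show up only in audit logs, then switch to POLICY_MODE=enforce once the logs show no unexpected denials.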
Binary Authorization Workflow:
1. Developer pushes code to Cloud Source Repositories or GitHub.
2. Cloud Build triggers and runs tests, vulnerability scans, and compliance checks.
3. If all checks pass, Cloud Build creates a cryptographic attestation.
4. When deploying to GKE, Binary Authorization policy verifies the attestation exists.
5. If attestation is missing or invalid, deployment is blocked.
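To make steps 4 and 5 concrete, here is an added example (not from the original page) that models the deploy-time decision locally. It is a simplified re-implementation for illustration, not Binary Authorization's own evaluator: the real service verifies each attestation's signature against the attestor's registered public key, whereas this model only looks up whether an attestation by the required attestor exists for the exact digest. The attestation records, image names and attestor names are constructed sample data; the enforcement-mode values and the break-glass annotation name are the product's own.

```shell
#!/usr/bin/env sh
# Added example: a local model of the admission decision made at deploy time.

# Constructed attestation store, one record per line:
# "<image digest reference> <attestor resource name>"
ATTESTATIONS='gcr.io/my-project/my-app@sha256:abc123 projects/my-project/attestors/my-attestor
gcr.io/my-project/legacy@sha256:def456 projects/my-project/attestors/other-attestor'
REQUIRED_ATTESTOR="projects/my-project/attestors/my-attestor"

# True when the store holds an attestation for this exact digest by the required attestor.
has_attestation() {
  printf '%s\n' "$ATTESTATIONS" | grep -qx "$1 $REQUIRED_ATTESTOR"
}

# admission_decision IMAGE ENFORCEMENT_MODE [BREAK_GLASS 0|1]
# Prints ALLOW, ALLOW_BREAK_GLASS, BLOCK, or AUDIT (dry run: would have been blocked, only logged).
admission_decision() {
  image="$1"; mode="$2"; break_glass="${3:-0}"

  # admissionWhitelistPatterns: exempt images are admitted without any attestation.
  case "$image" in gcr.io/google_containers/*) echo ALLOW; return 0 ;; esac

  # Break-glass (pod annotation alpha.image-policy.k8s.io/break-glass: "true")
  # bypasses the rule for an emergency; the bypass itself is audit-logged.
  if [ "$break_glass" = "1" ]; then echo ALLOW_BREAK_GLASS; return 0; fi

  # Only a digest reference can match a signed attestation. A mutable tag
  # never matches, so it falls through to the verdict below.
  case "$image" in
    *@sha256:*) if has_attestation "$image"; then echo ALLOW; return 0; fi ;;
  esac

  # No valid attestation from the required attestor: the enforcement mode
  # decides whether the deployment is blocked or merely logged.
  if [ "$mode" = "DRYRUN_AUDIT_LOG_ONLY" ]; then echo AUDIT; else echo BLOCK; fi
}

# Stand-alone demo over the constructed cases.
for img in gcr.io/my-project/my-app@sha256:abc123 \
           gcr.io/my-project/legacy@sha256:def456 \
           gcr.io/my-project/my-app:latest; do
  printf '%-45s enforce=%s dryrun=%s\n' "$img" \
    "$(admission_decision "$img" ENFORCED_BLOCK_AND_AUDIT_LOG)" \
    "$(admission_decision "$img" DRYRUN_AUDIT_LOG_ONLY)"
done
```

The tag case is the one practitioners most often trip over: a pipeline that attests a digest but deploys by tag still gets blocked, because the tag is not what was signed. Deploy manifests should carry the digest reference that the attestation step produced.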