# Deploy only images built by Cloud Build

This page describes how to secure your software supply chain by configuring
Binary Authorization to allow only container images built by Cloud Build
to be deployed.

You configure this deployment control by requiring the `built-by-cloud-build`
attestor in your Binary Authorization policy. Cloud Build
automatically creates the `built-by-cloud-build` attestor in your project when
you run a build that generates images. After images are successfully built,
Cloud Build automatically signs and creates attestations for them. At
deploy time, Binary Authorization verifies the attestations with the
`built-by-cloud-build` attestor. Verified images are allowed to be deployed.
Images that fail verification are disallowed from being deployed, and the
failure is logged to Cloud Audit Logs.
Last updated 2025-08-29 UTC.

For an end-to-end guide that describes how to use Cloud Build-recorded
metadata and Binary Authorization, see [Using signed provenance and Binary Authorization](/build/docs/securing-builds/signed-provenance-with-binauthz).

Before you begin
----------------

To use this feature you must first do the following:

- [Set up Binary Authorization for your platform](/binary-authorization/docs/set-up-platform).
- [Set up Cloud Build](/build/docs/set-up) and build an image.

**Note:** If your build specifies a [location](/build/docs/locations), an attestation is created only if you explicitly set [`requestedVerifyOption`](/build/docs/api/reference/rest/v1/projects.builds#verifyoption) to `VERIFIED` in the build's options. Confirm that the attestation exists before you enforce the policy: a regional build that omits this option produces an image that the policy below blocks.

Configure the policy
--------------------

In this section you configure the Binary Authorization policy to require the
`built-by-cloud-build` attestor.

Requiring this attestor establishes only that a Cloud Build build in the named
project produced the image; it does not constrain which source repository or
build configuration was used. To also gate deployments on build provenance,
follow the signed-provenance guide linked above.

To allow only images built by Cloud Build to be deployed, perform the
following steps:

### Console

1. Go to the **Binary Authorization** page in the Google Cloud console:

   [Go to Binary Authorization](https://console.cloud.google.com/security/binary-authorization)

2. In the **Policy** tab, click **Edit Policy**.

3. In the **Edit Policy** dialog, select **Allow only images that have been
   approved by all of the following attestors**.

4. Click **Add Attestors**.

5. In the **Add attestors** dialog box, do one of the following:

   1. Select **Add by project and attestor name**, then:
      1. In the **Project name** field, enter the project where you run Cloud Build.
      2. Click the **Attestor name** field and confirm that the `built-by-cloud-build`
         attestor is listed. If it is not, Cloud Build has not yet created it in
         that project; run a build that generates an image first.
      3. Click `built-by-cloud-build`.
   2. Alternatively, select **Add by attestor resource ID**. In
      **Attestor resource ID**, enter

          projects/PROJECT_ID/attestors/built-by-cloud-build

      replacing PROJECT_ID with the project where you run Cloud Build.

6. Click **Add 1 attestor**.

7. Click **Save Policy**.

### gcloud

1. Export your existing policy to a file using the following command:

       gcloud container binauthz policy export > /tmp/policy.yaml

2. Open the policy file in an editor.

3. Edit one of the following rules:

   - `defaultAdmissionRule`
   - `clusterAdmissionRules`
   - `istioServiceIdentityAdmissionRules`
   - `kubernetesServiceAccountAdmissionRules`

4. Add a `requireAttestationsBy` block to the rule if there isn't one there
   already, and make sure the rule's `evaluationMode` is `REQUIRE_ATTESTATION`.
   A rule whose evaluation mode is `ALWAYS_ALLOW` ignores the attestor list.

5. In the `requireAttestationsBy` block, add

       projects/PROJECT_ID/attestors/built-by-cloud-build

   replacing PROJECT_ID with the project where you run Cloud Build.

6. Save the policy file.

7. Import the policy file:

       gcloud container binauthz policy import /tmp/policy.yaml

The following is an example policy file that contains the reference to the
`built-by-cloud-build` attestor:

    defaultAdmissionRule:
      evaluationMode: REQUIRE_ATTESTATION
      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      requireAttestationsBy:
      - projects/PROJECT_ID/attestors/built-by-cloud-build
    name: projects/PROJECT_ID/policy

Replace PROJECT_ID with the project ID where you run Cloud Build.

What's next
-----------

- Instead of disallowing images from deploying, you can [use dry-run mode](/binary-authorization/docs/enabling-dry-run) to log policy violations.
- View audit log events for disallowed images on [Google Kubernetes Engine (GKE)](/binary-authorization/docs/viewing-audit-logs#blocked-deployments) or [Cloud Run](/binary-authorization/docs/run/viewing-audit-logs-cloud-run#blocked-deployments).
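The Console and gcloud procedures above add the attestor to one rule by hand. The script below is an added example, not code from this page or from Google's tooling: it applies the same change to every rule in an exported policy (the default rule plus the three rule maps the gcloud steps list), refuses to duplicate the attestor so it can be re-run, and then reports anything that would still let an image not built by Cloud Build deploy, such as a rule left in `ALWAYS_ALLOW`, a rule in dry-run enforcement, or an exempt image pattern. It assumes the policy is exported with gcloud's global `--format=json` flag and that `policy import` accepts the resulting JSON file because JSON is valid YAML; `SAMPLE_POLICY` is a constructed policy and `example-project` is a placeholder project ID.

```python
"""Require the built-by-cloud-build attestor in every Binary Authorization
admission rule of an exported policy, then report what still gets through.

Added example, not code from the page or from Google. Operates on the dict
form of the policy, i.e. what `gcloud container binauthz policy export
--format=json` prints (assumption: --format applies to this command).
"""
import copy
import json
import subprocess
import sys
import tempfile

ATTESTOR_FMT = "projects/{project}/attestors/built-by-cloud-build"

# The four rule locations the gcloud steps list. defaultAdmissionRule is a
# single rule; the others are maps keyed by cluster, Istio identity or
# Kubernetes service account.
SINGLE_RULE = "defaultAdmissionRule"
RULE_MAPS = (
    "clusterAdmissionRules",
    "istioServiceIdentityAdmissionRules",
    "kubernetesServiceAccountAdmissionRules",
)

# Constructed sample in the shape of an exported policy (not a real export);
# "example-project" is a placeholder project ID.
SAMPLE_POLICY = {
    "name": "projects/example-project/policy",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google_containers/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    "clusterAdmissionRules": {
        "us-central1-a.prod": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": ["projects/example-project/attestors/qa-signoff"],
        }
    },
}


def iter_rules(policy):
    """Yield (path, rule) for every admission rule in the policy."""
    if SINGLE_RULE in policy:
        yield SINGLE_RULE, policy[SINGLE_RULE]
    for key in RULE_MAPS:
        for selector, rule in policy.get(key, {}).items():
            yield f"{key}[{selector}]", rule


def require_cloud_build_attestor(policy, project_id):
    """Return a copy of the policy in which every rule requires the attestor.

    Adding requireAttestationsBy alone is not enough: a rule in ALWAYS_ALLOW
    ignores that list, so evaluationMode is set to REQUIRE_ATTESTATION too.
    Existing attestors are kept and the Cloud Build attestor is never added
    twice, so the function is idempotent.
    """
    attestor = ATTESTOR_FMT.format(project=project_id)
    updated = copy.deepcopy(policy)
    for _, rule in iter_rules(updated):
        rule["evaluationMode"] = "REQUIRE_ATTESTATION"
        required = rule.setdefault("requireAttestationsBy", [])
        if attestor not in required:
            required.append(attestor)
    return updated


def unenforced_paths(policy, project_id):
    """List the ways an image not built by Cloud Build could still deploy."""
    attestor = ATTESTOR_FMT.format(project=project_id)
    findings = []
    for path, rule in iter_rules(policy):
        mode = rule.get("evaluationMode")
        if mode == "ALWAYS_DENY":
            continue  # denies every image, attested or not
        if mode != "REQUIRE_ATTESTATION":
            findings.append(f"{path}: evaluationMode {mode} never checks attestations")
        elif attestor not in rule.get("requireAttestationsBy", []):
            findings.append(f"{path}: does not require {attestor}")
        if rule.get("enforcementMode") != "ENFORCED_BLOCK_AND_AUDIT_LOG":
            findings.append(f"{path}: enforcementMode {rule.get('enforcementMode')} "
                            "logs violations but does not block")
    # Exempt image patterns skip rule evaluation entirely.
    for pattern in policy.get("admissionWhitelistPatterns", []):
        findings.append(f"exempt pattern {pattern.get('namePattern')} bypasses every rule")
    return findings


def apply_with_gcloud(project_id):
    """Export the live policy, add the attestor, import it back, report gaps.

    Assumption: `policy import` accepts the JSON written here (valid YAML).
    """
    exported = subprocess.run(
        ["gcloud", "container", "binauthz", "policy", "export", "--format=json"],
        check=True, capture_output=True, text=True).stdout
    updated = require_cloud_build_attestor(json.loads(exported), project_id)
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(updated, f, indent=2)
    subprocess.run(["gcloud", "container", "binauthz", "policy", "import", f.name],
                   check=True)
    return unenforced_paths(updated, project_id)


if __name__ == "__main__":
    # With a project ID argument this edits the live policy; without one it
    # runs offline against the constructed sample.
    if len(sys.argv) == 2:
        findings = apply_with_gcloud(sys.argv[1])
    else:
        fixed = require_cloud_build_attestor(SAMPLE_POLICY, "example-project")
        findings = unenforced_paths(fixed, "example-project")
    for finding in findings:
        print("still unenforced:", finding)
```

Run it without arguments to see the two gaps that adding the attestor does not close in the sample (the cluster rule stays in dry-run and the exempt pattern remains); those are deliberate policy choices the script reports rather than silently changes. Pass a project ID to apply the change to a live policy.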