In theProject Selectorat the top of the page, select the
project ID of the project in which you run
Cloud Run.
Enter the following in thesearch-querybox:
resource.type="cloud_run_revision"logName:"cloudaudit.googleapis.com%2Fsystem_event""encountered an error"
Select the time range in thetime-range selector.
To search within the log entries, clickExpand nested fields.
gcloud
To view fail open events from the past week in Cloud Logging using
the gcloud CLI, do the following:
gcloudloggingread--order="desc"--freshness=7d\'resource.type="cloud_run_revision" ANDlogName:"cloudaudit.googleapis.com%2Fsystem_event" AND"encountered an error"'
Query Cloud Logging for dry run events
Logs Explorer
To view dry run events in the Cloud Logging Logs Explorer, do the
following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide details how to use Cloud Audit Logs to view Binary Authorization events for Cloud Run, including blocked deployments, breakglass events, fail-open events, and dry run events.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the Logs Explorer within Cloud Logging to search for specific events by constructing queries that target the \u003ccode\u003ecloud_run_revision\u003c/code\u003e resource type, \u003ccode\u003ecloudaudit.googleapis.com%2Fsystem_event\u003c/code\u003e log name, and relevant event-specific strings, like "ContainerImageUnauthorized" for blocked deployments.\u003c/p\u003e\n"],["\u003cp\u003eThe guide also provides gcloud CLI commands to query for these events within the past week, using similar filters as those used in the Logs Explorer.\u003c/p\u003e\n"],["\u003cp\u003eBreakglass, which is a policy enforcement override, is a capability that can be tracked and identified using the string "breakglass" within the Logs Explorer or gcloud CLI queries.\u003c/p\u003e\n"],["\u003cp\u003eFail open events can be identified by searching for "encountered an error" in Cloud Logging, while dry run events are found using the term "dry run" in the same manner.\u003c/p\u003e\n"]]],[],null,["This guide shows you how to view Binary Authorization for\nCloud Run in Cloud Audit Logs.\n\nBlocked deployment events in Cloud Logging \n\nLogs Explorer\n\nTo view bocked deployment events in the Cloud Logging Logs Explorer, do\nthe following:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n Google Cloud project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following query in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n protoPayload.response.status.conditions.reason=\"ContainerImageUnauthorized\"\n\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view policy violation events from the past week in Cloud Logging using\nthe Google Cloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n protoPayload.response.status.conditions.reason=\"ContainerImageUnauthorized\"'\n\nBreakglass events in Cloud Logging\n\n[Breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run)\nenables you to override Binary Authorization policy enforcement and deploy a\ncontainer image that violates the policy.\n\nQuery Cloud Logging for revisions with breakglass specified \n\nLogs Explorer\n\nTo view breakglass events in the Cloud Logging Logs Explorer, do the\nfollowing:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n \"breakglass\"\n\n To further refine your search, add the following lines: \n\n resource.labels.service_name = \u003cvar translate=\"no\"\u003eSERVICE_NAME\u003c/var\u003e\n resource.labels.location = \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\n\n [View breakglass deployments in Cloud Logging](https://console.cloud.google.com/logs/viewer?advancedFilter=resource.type%3D%22cloud_run_revision%22%0AlogName%3A%22cloudaudit.googleapis.com%252Factivity%22%0A%22breakglass%22)\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view breakglass events from the past week in Cloud Logging using the\ngcloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n \"breakglass\"'\n\nQuery Cloud Logging fail open events \n\nLogs Explorer\n\nTo view fail open events in the Cloud Logging Logs Explorer, do the\nfollowing:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n \"encountered an error\"\n\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view fail open events from the past week in Cloud Logging using\nthe gcloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n \"encountered an error\"'\n\nQuery Cloud Logging for dry run events \n\nLogs Explorer\n\nTo view dry run events in the Cloud Logging Logs Explorer, do the\nfollowing:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n \"dry run\"\n\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view dry run deployment events from the past week in Cloud Logging using\nthe gcloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n \"dry run\"'\n\nWhat's next\n\n- Configure the Binary Authorization policy using the [Google Cloud console](/binary-authorization/docs/configuring-policy-console) or the [command-line tool](/binary-authorization/docs/configuring-policy-cli).\n\n- [Use attestations](/binary-authorization/docs/attestations) to deploy only signed container images."]]
