Restrict resource usage for workloads

This page explains how to enable or disable restrictions for non-compliant resources in Assured Workloads folders. By default, each folder's control package determines which products are supported, and therefore which resources can be created in the folder. The restriction is enforced by the gcp.restrictServiceUsage organization policy constraint, which is applied to the folder automatically when the folder is created.

Before you begin

Required IAM roles

To modify resource usage restrictions, the caller must be granted Identity and Access Management (IAM) permissions, either through a predefined role (which grants more permissions than this task needs) or through a custom role limited to the permissions listed below.

The following permissions are required on the target workload:

  • assuredworkloads.workload.update
  • orgpolicy.policy.set

These permissions are included in the following two roles:

  • Assured Workloads Administrator (roles/assuredworkloads.admin)
  • Assured Workloads Editor (roles/assuredworkloads.editor)

See IAM roles for more information about roles for Assured Workloads.

Enable resource usage restrictions

To enable resource usage restriction for a workload, run the following command. This command applies restrictions on the Assured Workloads folder in accordance with the control package's supported services:

curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer TOKEN" \
     -d '{ "restrictionType": "ALLOW_COMPLIANT_RESOURCES" }' \
     "SERVICE_ENDPOINT/v1/organizations/ORGANIZATION_ID/locations/WORKLOAD_LOCATION/workloads/WORKLOAD_ID:restrictAllowedServices"

Replace the following placeholder values with your own:

  • TOKEN: The authentication token for the request, for example: ya29.a0AfB_byDnQW7A2Vr5...tanw0427

    If the Google Cloud CLI is installed and you are authenticated, you can generate the token inline instead of pasting it: replace the Authorization header with -H "Authorization: Bearer $(gcloud auth print-access-token)". Access tokens are credentials; avoid pasting them into scripts or shell history.

  • SERVICE_ENDPOINT: The desired service endpoint, for example: https://us-central1-assuredworkloads.googleapis.com

  • ORGANIZATION_ID: The unique identifier of the Google Cloud organization, for example: 12321311

  • WORKLOAD_LOCATION: The location of the workload, for example: us-central1

  • WORKLOAD_ID: The unique identifier of the workload, for example: 00-c25febb1-f3c1-4f19-8965-a25

After you replace the placeholder values, your request should look similar to the following example:

curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ya29.a0AfB_byDnQW7A2Vr5...tanw0427" \
     -d '{ "restrictionType": "ALLOW_COMPLIANT_RESOURCES" }' \
     "https://us-central1-assuredworkloads.googleapis.com/v1/organizations/12321311/locations/us-central1/workloads/00-c25febb1-f3c1-4f19-8965-a25:restrictAllowedServices"

If the call succeeds, the response body is empty. A failure returns a non-2xx status with a JSON error body, so check the status code rather than only the body.

Disable resource usage restriction

To disable resource usage restriction for a workload, run the following command. This command removes all service and resource restrictions on the Assured Workloads folder, so products that are not supported by the folder's control package can then be used in it. Disable the restriction only when that is the intended outcome:

curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer TOKEN" \
     -d '{ "restrictionType": "ALLOW_ALL_GCP_RESOURCES" }' \
     "SERVICE_ENDPOINT/v1/organizations/ORGANIZATION_ID/locations/WORKLOAD_LOCATION/workloads/WORKLOAD_ID:restrictAllowedServices"

Replace the following placeholder values with your own:

  • TOKEN: The authentication token for the request, for example: ya29.a0AfB_byDnQW7A2Vr5...tanw0427

    If the Google Cloud CLI is installed and you are authenticated, you can generate the token inline instead of pasting it: replace the Authorization header with -H "Authorization: Bearer $(gcloud auth print-access-token)". Access tokens are credentials; avoid pasting them into scripts or shell history.

  • SERVICE_ENDPOINT: The desired service endpoint, for example: https://us-central1-assuredworkloads.googleapis.com

  • ORGANIZATION_ID: The unique identifier of the Google Cloud organization, for example: 12321311

  • WORKLOAD_LOCATION: The location of the workload, for example: us-central1

  • WORKLOAD_ID: The unique identifier of the workload, for example: 00-c25febb1-f3c1-4f19-8965-a25

After you replace the placeholder values, your request should look similar to the following example:

curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ya29.a0AfB_byDnQW7A2Vr5...tanw0427" \
     -d '{ "restrictionType": "ALLOW_ALL_GCP_RESOURCES" }' \
     "https://us-central1-assuredworkloads.googleapis.com/v1/organizations/12321311/locations/us-central1/workloads/00-c25febb1-f3c1-4f19-8965-a25:restrictAllowedServices"

If the call succeeds, the response body is empty. A failure returns a non-2xx status with a JSON error body, so check the status code rather than only the body.
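The enable and disable procedures above are the same restrictAllowedServices call with a different restrictionType. The script below is an added example, not part of the Assured Workloads documentation or Google's own tooling. It wraps the call so that the restriction type is validated before a request body is built, treats a non-2xx response as a failure instead of mistaking it for the empty success response, and reads back the folder's effective gcp.restrictServiceUsage policy afterwards, since that policy is what actually gates resource creation. Assumptions: the regional service endpoint follows the https://LOCATION-assuredworkloads.googleapis.com pattern that the us-central1 example shows, the numeric ID of the workload's folder is known to the caller, and gcloud is installed and authenticated for the live calls. The helper names are this example's own.

```shell
# Added example (not from the Assured Workloads documentation).
# Assumption: the regional endpoint is https://LOCATION-assuredworkloads.googleapis.com,
# generalised from the us-central1 example on the page.
set -eu

# Only the two restriction types documented above are accepted; anything else is
# rejected so a typo cannot silently send an unexpected body to the API.
validate_restriction_type() {
  case "$1" in
    ALLOW_COMPLIANT_RESOURCES|ALLOW_ALL_GCP_RESOURCES) return 0 ;;
    *) echo "unknown restrictionType: $1" >&2; return 1 ;;
  esac
}

# Build the :restrictAllowedServices URL from its parts (string work only, no network).
restrict_url() {
  org_id="$1"; location="$2"; workload_id="$3"
  printf 'https://%s-assuredworkloads.googleapis.com/v1/organizations/%s/locations/%s/workloads/%s:restrictAllowedServices' \
    "$location" "$org_id" "$location" "$workload_id"
}

# Build the JSON body, refusing unknown restriction types.
restrict_body() {
  validate_restriction_type "$1" || return 1
  printf '{ "restrictionType": "%s" }' "$1"
}

# Live call. --fail-with-body makes curl exit non-zero on a 4xx/5xx while still
# printing the JSON error, so a script cannot confuse a failure with the empty
# body the API returns on success. The token is generated inline, not stored.
restrict_allowed_services() {
  org_id="$1"; location="$2"; workload_id="$3"; restriction_type="$4"
  body="$(restrict_body "$restriction_type")"
  curl --silent --show-error --fail-with-body \
    -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -d "$body" \
    "$(restrict_url "$org_id" "$location" "$workload_id")"
}

# Verification: read the folder's effective gcp.restrictServiceUsage policy
# rather than trusting the empty success response. FOLDER_ID is the numeric ID
# of the Assured Workloads folder (assumed known to the caller).
show_effective_policy() {
  folder_id="$1"
  gcloud org-policies describe gcp.restrictServiceUsage \
    --folder="$folder_id" --effective
}

# Usage (live, requires gcloud credentials):
#   restrict_allowed_services 12321311 us-central1 00-c25febb1-f3c1-4f19-8965-a25 ALLOW_COMPLIANT_RESOURCES
#   show_effective_policy FOLDER_ID
```

Run the enable or disable call first and then show_effective_policy against the workload's folder: after ALLOW_COMPLIANT_RESOURCES the effective policy should list the control package's allowed services, and after ALLOW_ALL_GCP_RESOURCES the restriction should be gone. Comparing the two outputs is the quickest way to confirm which state the folder is actually in.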

Supported and unsupported products

The tables in this section include supported and unsupported products for various control packages. If you enable the default resource usage restrictions, then only the supported products can be used. If you disable resource usage restrictions, then both supported and unsupported products can be used.

FedRAMP Moderate

Endpoint Supported products Unsupported products
aiplatform.googleapis.com Vertex AI AI Platform Training and Prediction API

FedRAMP High

Endpoint Supported products Unsupported products
compute.googleapis.com
Compute Engine
Persistent Disk
AI Platform Training and Prediction API
Cloud CDN
Virtual Private Cloud
Cloud Interconnect
Cloud Load Balancing
Cloud NAT
Cloud Router
Cloud VPN
Google Cloud Armor
Network Service Tiers

Criminal Justice Information Services (CJIS)

Endpoint Supported products Unsupported products
accesscontextmanager.googleapis.com
VPC Service Controls
Access Context Manager
compute.googleapis.com
Virtual Private Cloud
Persistent Disk
Compute Engine
Cloud CDN
Cloud Interconnect
Cloud Load Balancing
Cloud NAT
Cloud Router
Cloud VPN
Google Cloud Armor
Network Service Tiers
cloudkms.googleapis.com
Cloud Key Management Service
Cloud HSM

Impact Level 4 (IL4)

Endpoint Supported products Unsupported products
compute.googleapis.com
Compute Engine
Persistent Disk
AI Platform Training and Prediction API
Cloud CDN
Virtual Private Cloud
Cloud Interconnect
Cloud Load Balancing
Cloud NAT
Cloud Router
Cloud VPN
Google Cloud Armor
Network Service Tiers
cloudkms.googleapis.com
Cloud Key Management Service
Cloud HSM

US Regions and Support

Endpoint Supported products Unsupported products
accesscontextmanager.googleapis.com
VPC Service Controls
Access Context Manager
compute.googleapis.com
Virtual Private Cloud
Persistent Disk
Compute Engine
Cloud CDN
Cloud Interconnect
Cloud Load Balancing
Cloud NAT
Cloud Router
Cloud VPN
Google Cloud Armor
Network Service Tiers
cloudkms.googleapis.com
Cloud Key Management Service
Cloud HSM

Service endpoints

The following API endpoints are not blocked by the restriction: they remain reachable from the folder after you enable resource usage restriction, independent of which products the control package supports.

API name                               Endpoint URL
Cloud Asset API                        cloudasset.googleapis.com
Cloud Logging API                      logging.googleapis.com
Service Control                        servicecontrol.googleapis.com
Cloud Monitoring API                   monitoring.googleapis.com
Google Cloud Observability             stackdriver.googleapis.com
Security Token Service API             sts.googleapis.com
Identity and Access Management API     iam.googleapis.com
Cloud Resource Manager API             cloudresourcemanager.googleapis.com
Advisory Notifications API             advisorynotifications.googleapis.com
IAM Service Account Credentials API    iamcredentials.googleapis.com
Organization Policy Service API        orgpolicy.googleapis.com
Policy Troubleshooter API              policytroubleshooter.googleapis.com
Network Telemetry API                  networktelemetry.googleapis.com
Service Usage API                      serviceusage.googleapis.com
Service Networking API                 servicenetworking.googleapis.com
Cloud Billing API                      cloudbilling.googleapis.com
Service Management API                 servicemanagement.googleapis.com
Identity Toolkit API                   identitytoolkit.googleapis.com
Access Context Manager API             accesscontextmanager.googleapis.com
Service Consumer Management API        serviceconsumermanagement.googleapis.com
