Control access to VM OS images for Batch

This page describes how to configure the trusted image policy constraint. This lets you control access to the operating system (OS) images that can be used to create the boot disks for any Compute Engine virtual machine (VM) instances.

By default, a user can use any public image or any custom image that is shared with them for the Compute Engine VMs that run their Batch jobs. If the trusted image policy constraint is not enabled and you don't want to restrict VM OS images, you can stop reading this document.

Enable the trusted image policy constraint if you want to require all the users in a project, folder, or organization to create VMs that contain approved software that meets your policy or security requirements. If the trusted image policy constraint is enabled, affected users can't run Batch jobs unless the VM OS image for their job is allowed. To create and run jobs when the trusted image policy constraint is enabled, do at least one of the following:

  • Have users specify a VM OS image that is already allowed.
  • Allow the default VM OS images from Batch, as shown in this document.

To learn more about VM OS images and boot disks, see VM OS environment overview. To learn about which policy constraints have been enabled for your project, folder, or organization, view your organization policies.

Before you begin

Allow images from Batch

The following steps describe how to modify the trusted image policy constraint to allow all VM OS images from Batch by using the Google Cloud console or Google Cloud CLI.

For more instructions on how to use the trusted image (compute.trustedImageProjects) policy constraint, see Setting up trusted image policies in the Compute Engine documentation.


  1. Go to the Organization policies page.

    Go to Organization policies

  2. From the policies list, click Define trusted image projects.

    The Policy details page opens.

  3. On the Policy details page, click Manage Policy. The Edit policy page opens.

  4. On the Edit policy page, select Customize.

  5. For Policy enforcement, select an enforcement option.

  6. Click Add rule.

  7. In the Policy values list, you can select whether to add a rule that allows access to all unspecified image projects, denies access to all unspecified image projects, or specifies a custom set of projects to allow or deny access to. To allow all images from Batch, do the following:

    1. In the Policy values list, select Custom. A Policy type and Custom values field appears.
    2. In the Policy type list, select Allow.
    3. In the Custom values field, enter projects/batch-custom-image.
  8. To save the rule, click Done.

  9. To save and apply the organization policy, click Save.


The following example describes how to allow images from Batch for a specific project:

  1. To get the existing policy settings for a project, run the resource-manager org-policies describe command:

    gcloud resource-manager org-policies describe \
       compute.trustedImageProjects --project=PROJECT_ID \
       --effective > policy.yaml

    Replace PROJECT_ID with the project ID of the project that you want to update.

  2. Open the policy.yaml file in a text editor. Then, modify the compute.trustedImageProjects constraint by adding projects/batch-custom-image to the allowedValues field. For example, to allow only VM OS images from Batch set the compute.trustedImageProjects constraint to the following:

    constraint: constraints/compute.trustedImageProjects
        - projects//batch-custom-image

    When you have finished editing the policy.yaml file, save your changes.

  3. To apply the policy.yaml file to your project, use the resource-manager org-policies set-policy command:

    gcloud resource-manager org-policies set-policy \
       policy.yaml --project=PROJECT_ID

    Replace PROJECT_ID with the project ID of the project that you want to update.

When you finish updating constraints, testing those constraints is recommended to verify that they are working as intended.

What's next