Managing access to custom images

To let users create, delete, use, or share your custom images, you must grant them the appropriate Identity and Access Management (IAM) roles. This document describes the required IAM permissions for creating and managing custom images and how to give them to users.

For general information about granting access to Compute Engine resources, see Managing access to Compute Engine resources. For information about IAM, read the IAM documentation.

Before you begin

Limitations

On images, you can't grant roles to the special member type allUsers.

Give permission to create custom images

You can give users the ability to create custom images in your organization or project.

Compute Engine offers the predefined Compute Storage Admin role (roles/compute.storageAdmin) that you can assign to users so that they can create, delete, and manage storage-related resources, including images, disks, and snapshots. If you need a role that allows for only image creation, you must create a custom role. In your custom role, include the following permissions:

  • compute.images.create to create new images
  • compute.images.list to list images in the project
  • compute.disks.use if the image is created from a disk
  • compute.disks.list if users need to list all disks in a project

If you give a user the ability to create custom images at the organization level, the user can create custom images for any project within the organization.

Console

  1. In the Google Cloud Console, go to the IAM & Admin page for the project or organization.

    Go to IAM & Admin

  2. To add a new member, click Add.

  3. In the New members field, enter the email address of the identity that you want to grant access to.

    For example:

    • Google Account email: test-user@gmail.com
    • Google group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com
  4. In the Select a role list, select Compute Engine > Compute Storage Admin, or select a custom role if you created one.

  5. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  6. Save your changes.

gcloud

To grant the roles/compute.storageAdmin role at an organization level, use the gcloud organizations add-iam-policy-binding command:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member='MEMBER' \
    --role='roles/compute.storageAdmin'

To grant the roles/compute.storageAdmin role at a project level, use the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member='MEMBER' \
    --role='roles/compute.storageAdmin'

Replace the following:

  • ORGANIZATION_ID or PROJECT_ID: the organization ID or the project ID—for example, my-organization-1 or my-project-1
  • MEMBER: a valid identity to which you want to grant the role

    For example:

    • Google Account email: user:user@gmail.com
    • Google group: group:admins@googlegroups.com
    • Service account: serviceAccount:server@example.gserviceaccount.com
    • Google Workspace domain: domain:example.com

API

  1. Read the existing policy with the resource's getIamPolicy method. For projects, use the projects.getIamPolicy method.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
    

    Replace PROJECT_ID with the project ID—for example, my-project-1.

    For organizations, use the organizations.getIamPolicy method.

    POST https://cloudresourcemanager.googleapis.com/v1/organizations/ORGANIZATION_ID:getIamPolicy
    

    Replace ORGANIZATION_ID with the organization ID—for example, 123456578920.

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant the roles/compute.storageAdmin role to group:admins@example.com, add the following binding to the policy:

    {
     "members": [
       "group:admins@example.com"
     ],
     "role":"roles/compute.storageAdmin"
    }
    
  3. Write the updated policy by using the setIamPolicy method.

    For example, to set a policy at the project level, use the project.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
    

    Replace the PROJECT_ID with the project ID.

Give permissions to delete custom images

Depending on your needs, you can give users permission to do the following:

  • Delete a specific image
  • Delete images owned by a specific project
  • Delete images for any project in an organization

Giving permission at the project level lets users delete all images owned by that project. Giving permission at the organization level lets the user delete any images owned by that organization, regardless of the project.

Compute Engine offers the predefined Compute Storage Admin role (roles/compute.storageAdmin) that you can assign to users so that they can create, delete, and manage storage-related resources, including images, disks, and snapshots. If you need a role that allows for only image deletion, you must create a custom role. In your custom role, include the following permissions:

  • compute.images.delete to delete images
  • compute.images.list if users need to list images in the project or organization
  • compute.images.get to get the images

Console

To give permission to delete specific images, do the following:

  1. In the Cloud Console, go to the Images page.

    Go to Images

  2. Select the images that you want to give permissions to.

  3. To expand the permissions column, click Show info panel.

  4. To add one or more members, click Add members.

  5. In the New members field, enter the email address of the identity you want to share the image with.

    For example:

    • Google Account email: test-user@gmail.com
    • Google group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com
  6. In the Role list, hold the pointer over Compute Engine and select Storage Admin, or select a custom role from the Custom list.

  7. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  8. Save your changes.

To give permission to delete images for a project or organization, do the following:

  1. Go to the IAM & Admin page for the project or organization.

    Go to IAM & Admin

  2. Click Add.

  3. In the New members field, enter the email address of the identity you want to grant access to. For example:

    • Google Account email: test-user@gmail.com
    • Google group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com
  4. In the Role list, hold the pointer over Compute Engine and select Storage Admin, or select a custom role from the Custom list.

  5. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  6. Save your changes.

gcloud

To give permissions to delete images at the organization level, use the gcloud organizations add-iam-policy-binding command:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member='MEMBER' \
    --role='ROLE'

To give permissions to delete images on a project level, use the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member='MEMBER' \
    --role='ROLE'

To give permissions to delete a specific image, use the gcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-binding IMAGE_NAME \
    --member='MEMBER' \
    --role='ROLE'

Replace the following:

  • ORGANIZATION_ID or PROJECT_ID or IMAGE_NAME: the 12-digit numeric organization ID, the project ID, or the image name—for example, 123456578920, my-project-1, or my-custom-image
  • MEMBER: a valid identity to which you want to grant the role

    For example:

    • Google Account email: user:user@gmail.com
    • Google Group: group:admins@googlegroups.com
    • Service account: serviceAccount:server@example.gserviceaccount.com
    • Google Workspace domain: domain:example.com
  • ROLE: the role to assign to this identity—for example, the roles/compute.storageAdmin role, or a custom role such as roles/customImageDeletionRole

API

  1. Read the existing policy with the resource's respective getIamPolicy method. For projects, use the projects.getIamPolicy method:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
    

    Replace PROJECT_ID with the project ID.

    For organizations, use the organizations.getIamPolicy method:

    POST https://cloudresourcemanager.googleapis.com/v1/organizations/ORGANIZATION_ID:getIamPolicy
    

    Replace ORGANIZATION_ID with the 12-digit numeric organization ID.

    For a specific image, use the images.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, you can edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant the roles/compute.storageAdmin role to user:test-email@example.com, add the following binding to the policy:

    {
     "members": [
       "user:test-email@example.com"
     ],
     "role":"roles/compute.storageAdmin"
    }
    
  3. Write the updated policy by using the setIamPolicy method.

    For example, to set a policy at a project level, use the project.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
    

    Replace PROJECT_ID with the project ID.

Share custom images within an organization

If your project belongs to an organization, the organization can have several other projects with varying levels of access to other projects. When you create custom images, you can share these images with other users from other projects within the organization.

Compute Engine offers the following predefined IAM roles that you can use for image management:

  • Compute Image User (roles/compute.imageUser): permission to list, read, and use images in your requests, without having other permissions on the image
  • Compute Storage Admin (roles/compute.storageAdmin): permissions to create, modify, and delete disks, images, and snapshots

Alternatively, you can also create your own custom IAM role.

As a best practice, we recommend that you keep all your custom images in a single project dedicated to host these images. This practice improves the management of those images, and lets you grant specific teams access to only the images that they need. You can also grant teams access to the entire image project, but because team access to the entire image project violates the principle of least privilege, we do not recommend it.

The example below shows how to add a group so that users of that group have access to the image.

Console

  1. In the Cloud Console, go to the Images page.

    Go to Images

  2. Select the image that you want to share with other users.

  3. To expand the permissions column, click Show info panel.

  4. To add one or more members, click Add members.

  5. In the New members field, enter the email address of the identity you want to share the image with.

    For example:

    • Google Account email: test-user@gmail.com
    • Google group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com
  6. In the Role list, hold the pointer over Compute Engine and select Image User or Storage Admin, or select a custom role.

  7. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  8. Save your changes.

To let users launch shared custom images from the Cloud Console, grant users the Viewer IAM role (roles/viewer) for the image project. Granting this role helps ensure that the shared images appear in the image selection list.

  1. In the Cloud Console, go to the IAM & Admin page.

    Go to IAM & Admin

  2. Click Add.

  3. In the New members field, enter the email address of the identity you want to share the image with. For example:

    • Google Account email: test-user@gmail.com
    • Google group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com
  4. In the Role list, hold the pointer over Project and select Viewer.

  5. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  6. Save your changes.

gcloud

To update the IAM policy for a specific image, use the gcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-binding IMAGE_NAME \
    --member='MEMBER' \
    --role='ROLE'

Replace the following:

  • IMAGE_NAME: the name of the image—for example, custom-centos-8
  • MEMBER: a valid identity for which you want to grant the role

    For example:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com
  • ROLE: the role to assign this identity to, such as roles/compute.imageUser, roles/compute.storageAdmin, or a custom role

Optionally, to let users see these shared images in their images.list requests, grant users the Viewer IAM role (roles/viewer) for the image project by using the gcloud projects add-iam-policy-binding command. If you don't need your users to be able to view the list of shared images, you can skip this step.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member='MEMBER' \
    --role='roles/viewer'

API

  1. Read the existing policy with the resource's getIamPolicy method. For example, to get the policy on a specific image, use the images.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant roles/compute.imageUser to test-email@example.com, add the following binding to the policy:

    {
     "members": [
       "user:test-email@example.com"
     ],
     "role":"roles/compute.imageUser"
    }
    
  3. Write the updated policy by using the setIamPolicy method. For example, to set policy on a specific image, use the project.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

Optionally, to let users see these shared images in their images.list requests, grant users the Viewer IAM role (roles/viewer) for the image project by using the projects.setIamPolicy method. If you don't need your users to be able to view the list of shared images, you can skip this step.

POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy

Share custom images between organizations

Creating a catalog of custom images can be useful for sharing images with partners, users, or contractors that are outside of your organization. To share your images with users outside of the organization, add them as Image Users to your project:

Console

  1. In the Cloud Console, go to the Images page.

    Go to Images

  2. Select the image that you want to share with other users.

  3. To expand the permissions column, click Show info panel.

  4. To add one or more members, click Add members.

  5. In the New members field, enter the email address of the group you want to share the image with. For example, admins@example.com.

  6. In the Role list, hold the pointer over Compute Engine and select Compute Image User.

  7. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  8. Save your changes.

To let users launch shared custom images from the Cloud Console, grant users the Viewer IAM role (roles/viewer) for the image project. Granting this role helps ensure that the shared images appear in the image selection list.

  1. In the Cloud Console, go to the IAM & Admin page.

    Go to IAM & Admin

  2. Click Add.

  3. In the New members field, enter the email address of the identity you want to share the image with. For example, admins@example.com.

  4. In the Role list, hold the pointer over Project and select Viewer.

  5. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  6. Save your changes.

gcloud

To grant the roles/compute.imageUser role to users, use the gcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-binding IMAGE_NAME \
    --member='MEMBER' \
    --role='roles/compute.imageUser'

Replace the following:

  • IMAGE_NAME: the name of the image—for example, custom-centos-8
  • MEMBER: a valid identity for which you want to grant the role—for example, group:admins@example.com

Optionally, to let users see these shared images in their images.list requests, grant users the Viewer IAM role (roles/viewer) for the image project by using the gcloud projects add-iam-policy-binding command. If you don't need your users to be able to view the list of shared images, you can skip this step.

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member='MEMBER' \
    --role='roles/viewer'

API

  1. Read the existing policy with the resource's getIamPolicy method. For example, to get the policy on a specific image, use the images.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, you can edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant roles/compute.imageUser to test-user@example.com, add the following binding to the policy:

    {
      "members": [
        "user:test-user@example.com"
      ],
      "role":"roles/compute.imageUser"
    }
    
  3. Write the updated policy by using the setIamPolicy method. For example, to set a policy on a specific image, use the images.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Optionally, to let users see these shared images in their images.list requests, grant users the Viewer IAM role (roles/viewer) for the image project by using the projects.setIamPolicy method. If you don't need your users to be able to view the list of shared images, you can skip this step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
    

Share custom images publicly

You can share your custom images with all authenticated Compute Engine users, regardless of whether they are part of your organization or project.

You can only share resources, such as images, with all authenticated users; you cannot share projects or organizations with all authenticated users. This restriction, and the resource hierarchy, helps prevent an organization from inadvertently sharing their entire project with all authenticated Compute Engine users.

The following example shows how to grant all authenticated Compute Engine users the Compute Image User role (roles/compute.imageUser) to a custom image.

gcloud

To make images public, use the gcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-binding IMAGE_NAME \
    --member='allAuthenticatedUsers' \
    --role='roles/compute.imageUser'

Replace IMAGE_NAME with the name of the resource—for example, my_image.

API

  1. Read the existing policy with the getIamPolicy method. For example, to get the policy on a specific image, use the images.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, edit the policy with a text editor:

    {
     "members": [
       "allAuthenticatedUsers"
     ],
     "role":"roles/compute.imageUser"
    }
    
  3. Write the updated policy by using the setIamPolicy method. For example, to set a policy on a specific image, use the images.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

Grant a managed instance group access to images

Compute Engine lets you create groups of VMs, either as managed or unmanaged instance groups. If you create a managed instance group (MIG), Compute Engine uses the Google APIs Service Agent to call the Compute Engine API and perform actions related to the group, such as recreating unhealthy VMs and updating VMs.

If you want to create a MIG using an image from another project, grant the Compute Image User role (roles/compute.imageUser) to the APIs service account belonging to the project that creates the MIG. For example:

  1. Project A wants to create a MIG using images owned by Project B.
  2. Project B grants Project A's service account the Compute Image User role.
  3. Project A can now use images from Project B to create MIGs.

After granting the Compute Image User role, you can access the image from the other projects by using the console or the image's URL when you create the instance template for the managed group.

Get the email address of the service account

  1. In the Cloud Console, go to the IAM page of the project whose service account you want to grant access to.

    Go to IAM

  2. If prompted, select your project from the list.

  3. Look for the Google APIs Service Agent, which has the email address in the following format:

    PROJECT_NUMBER@cloudservices.gserviceaccount.com
    

After retrieving the email address of the service account, you can go to one of the following sections:

Grant a MIG access to all images in a project

Now that you have the email address of a service account, you can add the address to another project and grant it the Compute Image User role (roles/compute.imageUser).

Console

  1. In the Google Cloud Console, go to the IAM & Admin page of the image project.

    Go to IAM & Admin

  2. To add a new member, click Add.

  3. In the New members field, add the service account email address.

  4. In the Role list, hold the pointer over Compute and select Compute Image User.

  5. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  6. Click Save.

  7. Switch back to the service account's project.

You can now create an instance template based on an image from the image project and create a MIG based on the instance template.

gcloud

Add a service account from image project using the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member='serviceAccount:SERVICE_ACCOUNT_EMAIL' --role='roles/compute.imageUser'

Replace the following:

  • PROJECT_ID: the ID of the project containing images you want to share
  • SERVICE_ACCOUNT_EMAIL: the email of the service account

You can now create an instance template based on an image from the image project and create a MIG based on the instance template.

API

  1. Get the IAM policy of the image project, by using the projects.getIamPolicy method:

     POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
     

    Replace PROJECT_ID with the project ID of the image project.

  2. To grant the roles/compute.imageUser role to the service account, edit the policy with a text editor:

    {
      "bindings": [
         {
          "role": "roles/compute.imageUser",
          "members": [
            "serviceAccount:SERVICE_ACCOUNT_EMAIL"
          ]
        }
      ]
    }
    

    Replace the SERVICE_ACCOUNT_EMAIL with the service account email.

  3. Write the updated policy by using the projects.setIamPolicy. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
    

    Replace PROJECT_ID with the product ID of the image project.

    You can now create an instance template based on an image from the image project and create a MIG based on the instance template.

Grant a MIG access to specific images in a project

Now that you have the email address of a service account, you can add the address to another project and grant the Compute Image User role (roles/compute.imageUser) for certain images.

Console

  1. In the Cloud Console, go to the Images page of the image project.

    Go to Images

  2. Select the checkboxes next to the images you want to share.

  3. To expand the permissions column, click Show info panel.

  4. In the Permissions panel, click Add members.

  5. In the New members field, enter the service account email that you want to share the image with. For example, test123@example.domain.com.

  6. In the Role list, choose Compute and select Compute Image User.

  7. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  8. Click Save.

  9. Switch back to the service account's project.

You can now create an instance template based on an image from the image project and create a MIG based on the instance template.

gcloud

To grant a service account access to a specific image, use the gcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-binding IMAGE_NAME \
    --member='serviceAccount:SERVICE_ACCOUNT_EMAIL' \
    --role='roles/compute.imageUser'

Replace the following:

  • IMAGE_NAME: the image name you want to share
  • SERVICE_ACCOUNT_EMAIL: the email of the service account

You can now create an instance template based on an image from the image project and create a MIG based on the instance template.

API

  1. Get the IAM policy of an image by using the images.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the image project
    • IMAGE_NAME: the name of the image you want to share
  2. To grant the roles/compute.imageUser role to the service account, edit the policy with a text editor:

    {
      "bindings": [
         {
          "role": "roles/compute.imageUser",
          "members": [
            "serviceAccount:SERVICE_ACCOUNT_EMAIL"
          ]
        }
      ]
    }
    

    Replace the SERVICE_ACCOUNT_EMAIL with the service account email.

  3. Write the updated policy by using the images.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID of the image project
    • IMAGE_NAME: the name of the image you want to share

    You can now create an instance template based on an image from the image project and create a MIG based on the instance template.

Control the use of your shared images and snapshots

After sharing your images with other users, you can control where those users employ those resources within your organization. Set the constraints/compute.storageResourceUseRestrictions constraint to define the projects where users are permitted to use your storage resources.

You must have permission to modify your organization's policies to set these constraints. For example, the resourcemanager.organizationAdmin role has permission to set these constraints.

  1. Find the organization ID for your organization by using the gcloud organization list command:

    gcloud organizations list
    
  2. Get the existing policy settings for your organization by using the gcloud resource-manager org-policies describe:

    gcloud resource-manager org-policies describe \
        compute.storageResourceUseRestrictions \
        --organization ORGANIZATION_ID > org-policy.yaml
    

    Replace ORGANIZATION_ID with your 12-digit numeric organization ID.

  3. Open the org-policy.yaml file in a text editor and modify the compute.storageResourceUseRestrictions constraint. Add the restrictions that you need, or remove the restrictions that you no longer require. When you finish editing the file, save your changes. For example, you might set the following constraint entry in your policy file:

    constraint: compute.storageResourceUseRestrictions
    listPolicy:
      allowedValues:
        - under:organization/organization-id
    
  4. Apply the policy.yaml file to your organization by using the gcloud resource-manager org-policies set-policy:

    gcloud resource-manager org-policies set-policy \
       --organization=ORGANIZATION_ID org-policy.yaml
    

    Replace ORGANIZATION_ID with your 12-digit numeric organization ID.

When you finish configuring the constraints in your organization policy, test those constraints to ensure that they create the restrictions that you want.

Use images from another project

If someone grants you access to one or more images in another project, you can access these images in the project by specifying the image project in your requests.

For example, to create a VM using a shared image from another project, follow these steps:

Console

  1. Go to the VM instances page.

    Go to VM instances

  2. Select your project and click Continue.
  3. Click Create instance.
  4. Specify a Name for your VM. See Resource naming convention.
  5. Optional: change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
  6. Select a Machine configuration for your VM.
  7. In the Boot disk section, click Change to configure your boot disk. Then, follow these steps:
    1. Select the Custom Images tab.
    2. Select the image project from the Show images from drop-down list.
    3. Select the image you want from the Images drop-down list.
    4. Click Select.
  8. To permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic.

    The Cloud Console adds a network tag to your VM and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the VM. For more information, see Firewall rules overview in the Virtual Private Cloud documentation.

  9. Click Create to create and start the VM.

gcloud

Create a VM by using the gcloud compute instances create command, and use the --image and --image-project flags to specify the image name and the project where the image resides:

 gcloud compute instances create VM_NAME \
        --image=IMAGE \
        --image-project=IMAGE_PROJECT
    

Replace the following:

  • VM_NAME: name for the new VM
  • IMAGE: name of the image
  • IMAGE_PROJECT: project to which the image belongs

If the command is successful, gcloud responds with the properties of the new VM:

    Created [https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-b/instances/example-instance].
    NAME                 ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
    example-instance     us-central1-b  e2-standard-2               10.240.0.4   104.198.53.60  RUNNING

API

Follow the API instructions to create a VM from a public image, but specify the image field in the request body. To add blank disks, don't specify an image source. You can optionally specify the diskSizeGb, diskType, and labels properties.

    [...
    image: "projects/PROJECT_ID/global/images/IMAGE_NAME
    {
     "initializeParams": {
        "diskSizeGb": "SIZE_GB",
        "sourceImage": "IMAGE"
           }
     }
     ...]

Replace the following:

  • PROJECT_ID: project containing the image
  • IMAGE_NAME: source image
  • SIZE_GB: disk size
  • IMAGE: source image for the non-boot disk
  • For blank disks, don't specify an image source.

You can also create boot persistent disks from images in another project. For information about creating a boot disk from an image, see Creating a standalone boot persistent disk.

Revoke access to shared images

After a user no longer needs access to your Compute Engine resources, revoke their access by using the Cloud Console, the gcloud command-line tool, or the Compute Engine API.

Console

  1. In the Cloud Console, go to the Images page of the image project.

    Go to Images

  2. Select the checkboxes next to the images you want to update.

  3. To expand the permissions column, click Show info panel.

  4. Expand the role for which you want to remove users.

  5. To remove a user from that role, click Delete.

gcloud

To remove a user from a role on an image, use the gcloud compute images remove-iam-policy-binding command with the --member and --role flags:

gcloud compute images remove-iam-policy-binding IMAGE_NAME \
    --member='MEMBER' \
    --role='ROLE'

Replace the following:

  • IMAGE_NAME: the name of the image—for example, my_image
  • MEMBER: the identity you want to remove

    Must be of the form user|group|serviceAccount:email or domain:domain. For example:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com
  • ROLE: the role from which you want to remove the identity

If you are revoking access to a resource that is in beta, use a gcloud beta compute command instead.

API

  1. Read the existing policy with the images.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To remove members and their associated roles, edit the policy with a text editor.

  3. Write the updated policy by using the images.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/global/images/IMAGE_NAME:setIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID this image belongs to
    • IMAGE_NAME: the name of the image

What's next