Restricting Access to Images

By default, users in your project can create persistent disks or copy images using any of the public images and any images that your project members can access through IAM roles. However, in some situations you might want to restrict your project members so that they can create boot disks only from images that contain approved software that meets your policy or security requirements. You can define an organization policy that allows your project members to create persistent disks only from images in specific projects.

Before you begin

Limitations

  • Trusted image policies do not restrict access to the following images:

    • Custom images in your local project.

    • Images that are available when you create instances through other Google Cloud Platform services, such as App Engine, Container Engine, or Cloud SQL.

    • Image files in Google Cloud Storage buckets.

  • Trusted image policies do not prevent users from creating image resources in their local projects.

Setting image access constraints

Enact an image access policy by setting a compute.trustedImageProjects constraint on your project, your organization, or your folder. You must have permission to modify organization policies to set these constraints. For example, the resourcemanager.organizationAdmin role has permission to set these constraints. Read the Introduction to the Organization Policy Service to learn more about managing policies at the organization level.

  1. Obtain the existing policy settings for your project.

    gcloud beta resource-manager org-policies describe \
        compute.trustedImageProjects --effective \
        --project [PROJECT_ID] > policy.yaml
    

    where [PROJECT_ID] is your project ID.

  2. Open the policy.yaml file in a text editor and modify the compute.trustedImageProjects constraint. Add the restrictions that you need or remove the restrictions that you no longer require. When you are done editing the file, save your changes. For example, you might set the following constraint entry in your policy file:

    constraint: constraints/compute.trustedImageProjects
    listPolicy:
      allowedValues:
        - projects/debian-cloud
        - projects/cos-cloud
      deniedValues:
        - projects/unwanted-images
    

    Optionally, you might want to deny access to all images outside of the custom images in your project. For that situation, use the following example:

    constraint: constraints/compute.trustedImageProjects
    listPolicy:
      allValues: DENY
    
  3. Apply the policy.yaml file to your project. If your organization or folder has existing constraints, those constraints might conflict with project-level constraints that you set.

    gcloud beta resource-manager org-policies set-policy \
        --project [PROJECT_ID] policy.yaml

    where [PROJECT_ID] is your project ID.

When you are done configuring the constraints in your organization policy, test those constraints to ensure that they create the restrictions that you need.
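One way to rehearse a policy.yaml before applying it is to evaluate its listPolicy rules offline against the image URIs your users actually build from. The following Python checker is an added example, not code from the Google documentation or from gcloud: it mirrors the allowedValues, deniedValues and allValues: DENY forms shown above, assumes that a project listed in deniedValues is refused even if it also appears in allowedValues, and exempts custom images in the local project as the Limitations section describes. The two policies embedded in it are constructed copies of the examples above.

```python
import re

CONSTRAINT = "constraints/compute.trustedImageProjects"

# Constructed policies mirroring the two policy.yaml examples above.
POLICY_ALLOWLIST = {
    "constraint": CONSTRAINT,
    "listPolicy": {
        "allowedValues": ["projects/debian-cloud", "projects/cos-cloud"],
        "deniedValues": ["projects/unwanted-images"],
    },
}
POLICY_DENY_ALL = {"constraint": CONSTRAINT, "listPolicy": {"allValues": "DENY"}}

# Matches short and full image URIs, including image family URIs.
_IMAGE_RE = re.compile(
    r"^(?:.*/)?projects/([^/]+)/global/images/(?:family/)?[^/]+$")


def image_project(image_uri):
    """Return 'projects/<id>' for a Compute Engine image URI."""
    m = _IMAGE_RE.match(image_uri)
    if not m:
        raise ValueError("not an image URI: %s" % image_uri)
    return "projects/" + m.group(1)


def image_allowed(policy, image_uri, local_project):
    """True if a boot disk may be created from image_uri under policy."""
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError("policy is for a different constraint")
    project = image_project(image_uri)
    # Limitation: custom images in the local project are never restricted.
    if project == "projects/" + local_project:
        return True
    lp = policy.get("listPolicy", {})
    if lp.get("allValues") == "DENY":
        return False
    if lp.get("allValues") == "ALLOW":
        return True
    # Assumption: an explicit deny wins over an allow entry.
    if project in lp.get("deniedValues", []):
        return False
    allowed = lp.get("allowedValues", [])
    # With no allow list, anything not explicitly denied is permitted.
    return project in allowed if allowed else True
```

Feed it the image URIs from your build templates and the policy you intend to apply; any image that comes back False is one your users will no longer be able to boot from once the policy is set.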

What's next
