Setting up trusted image policies

By default, users in your project can create persistent disks or copy images using any of the public images and any images that your project members can access through IAM roles. However, in some situations you might want to restrict your project members so that they can create boot disks only from images that contain approved software that meets your policy or security requirements.

Use the Trusted image feature to define an organization policy that allows your project members to create persistent disks only from images in specific projects.

To restrict the locations where your images can be used, read restricting use of your shared images, disks, and snapshots.

Before you begin

If you want to use the command-line examples in this guide:
1. Install or update to the latest version of the gcloud command-line tool.
2. Set a default region and zone.
If you want to use the API examples in this guide, set up API access.
Read the Using constraints page to learn about managing policies at organization level.
Read the Understanding hierarchy evaluation page to learn how organization policies propagate.

Limitations

Trusted image policies do not restrict access to the following images:
- Custom images in your local project.
- Image files in Cloud Storage buckets.
Trusted image policies do not prevent users from creating image resources in their local projects.

Set image access constraints

Enact an image access policy by setting a compute.trustedImageProjects constraint on your project, your folder, or your organization. You must have permission to modify organization policies to set these constraints. For example, roles/orgpolicy.policyAdmin has permission to set these constraints.

For more information about managing policies at the project, folder, or organization level, see Using constraints.

Console

For example, to set a constraint at the project level, do the following:

Go to the Organization policies page.
Go to Organization Policies
In the policies list, click Define trusted image projects.
Click Edit to edit your existing trusted image constraints.
Set constraints to allow or deny one or more projects from which your project can obtain images.

The allowed and denied list of publisher projects is a list of strings in the projects/PROJECT_ID format. Here, PROJECT_ID is the identifier of the project that you want to mark as a trusted source for images.

If your organization or folder has existing constraints, those constraints might conflict with project-level constraints that you set.
Click Save to apply the constraint settings.

gcloud

For example, to set a constraint at the project level, do the following:

Get the existing policy settings for your project by using the resource-manager org-policies describe command.
```
gcloud resource-manager org-policies describe \
   compute.trustedImageProjects --project=PROJECT_ID \
   --effective > policy.yaml
```
Replace PROJECT_ID with your project ID.
Open the policy.yaml file in a text editor and modify the compute.trustedImageProjects constraint. Add the restrictions that you need and remove the restrictions that you no longer require. When you have finished editing the file, save your changes. For example, you might set the following constraint entry in your policy file:
```
constraint: constraints/compute.trustedImageProjects
listPolicy:
 allowedValues:
    - projects/debian-cloud
    - projects/cos-cloud
 deniedValues:
    - projects/IMAGE_PROJECT
```
Replace IMAGE_PROJECT with the name of the image project that you want to restrict in your project. You can restrict the following image projects on Compute Engine:
- Compute Engine public images. For a list of image project names, see Operating systems details.
- Deep learning VM images. Deep Learning VM images belong to a single image project, deeplearning-platform-release.
Optionally, you might want to deny access to all images outside of the custom images in your project. For that situation, use the following example:
```
constraint: constraints/compute.trustedImageProjects
listPolicy:
 allValues: DENY
```
Apply the policy.yaml file to your project. If your organization or folder has existing constraints, those constraints might conflict with project-level constraints that you set. To apply the constraint, use the resource-manager org-policies set-policy command.
```
gcloud resource-manager org-policies set-policy \
   policy.yaml --project=PROJECT_ID
```
Replace PROJECT_ID with your project ID.

When you have finished configuring the constraints, test those constraints to ensure that they create the restrictions that you need.

What's next

Learn more about the Organization Policy Service.
See what public images are available for you to use by default.
Share your private image with other projects.
Learn how to restrict use of your shared images, disks, and snapshots.
Learn how to start an instance from an image.