By default, users in your project can create persistent disks or copy images using any of the public images and any images that principals can access through IAM roles. However, in some situations you might want to restrict principals so that they can create boot disks only from images that contain approved software that meets your policy or security requirements.
Use the Trusted image feature to define an organization policy that allows principals to create persistent disks only from images in specific projects.
To restrict the locations where your images can be used, read restricting use of your shared images, disks, and snapshots.
Before you begin
- If you want to use the command-line examples in this guide, do the following:
- Install or update to the latest version of the Google Cloud CLI.
- Set a default region and zone.
- If you want to use the API examples in this guide, set up API access.
- Read the Using constraints page to learn about managing policies at organization level.
- Read the Understanding hierarchy evaluation page to learn how organization policies propagate.
Limitations
Trusted image policies do not restrict access to the following images:
- Custom images in your local project.
- Image files in Cloud Storage buckets.
Trusted image policies do not prevent users from creating image resources in their local projects.
Set image access constraints
Enact an image access policy by setting a compute.trustedImageProjects constraint on your project, your folder, or your organization. You must have permission to modify organization policies to set these constraints. For example, roles/orgpolicy.policyAdmin has permission to set these constraints. For more information about managing policies at the project, folder, or organization level, see Using constraints.
You can set constraints on all public images available on Compute Engine.
For a list of image project names, see Operating systems details.
You can also restrict the Machine Learning (ML) images that are available on Compute Engine by using the ml-images project. If you are using Serverless VPC Access, grant your project permission to use Compute Engine VM images from the serverless-vpc-access-images project.
Use the Google Cloud console or Google Cloud CLI to set constraints on image access.
Console
For example, to set a constraint at the project level, do the following:
- Go to the Organization policies page.
- In the policies list, click Define trusted image projects.
- Click Edit to customize your existing trusted image constraints.
- On the Edit page, select Customize.
- In the Policy values drop-down list, select Custom to set the constraint on specific image projects.
- In the Policy type drop-down list, specify a value as follows:
- To restrict the specified image projects, select Deny.
- To remove restrictions for the specified image projects, select Allow.
- In the Custom values field, enter the names of image projects using the projects/IMAGE_PROJECT format. Replace IMAGE_PROJECT with the image project that you want to set the constraint on. If you are setting project-level constraints, they might conflict with existing constraints set on your organization or folder.
- Click New policy value to add multiple image projects.
- Click Save to apply the constraint.
For more information about creating organization policies, see Creating and managing organization policies.
gcloud
For example, to set a constraint at the project level, do the following:
- Get the existing policy settings for your project by using the resource-manager org-policies describe command:

    gcloud resource-manager org-policies describe \
        compute.trustedImageProjects --project=PROJECT_ID \
        --effective > policy.yaml

  Replace PROJECT_ID with your project ID.
- Open the policy.yaml file in a text editor and modify the compute.trustedImageProjects constraint. Add the restrictions that you need and remove the restrictions that you no longer require. When you have finished editing the file, save your changes. For example, you might set the following constraint entry in your policy file:

    constraint: constraints/compute.trustedImageProjects
    listPolicy:
      allowedValues:
      - projects/debian-cloud
      - projects/cos-cloud
      deniedValues:
      - projects/IMAGE_PROJECT

  Replace IMAGE_PROJECT with the name of the image project that you want to restrict in your project.

  Optionally, you might want to deny access to all images outside of the custom images in your project. For that situation, use the following example:

    constraint: constraints/compute.trustedImageProjects
    listPolicy:
      allValues: DENY

- Apply the policy.yaml file to your project. If your organization or folder has existing constraints, those constraints might conflict with project-level constraints that you set. To apply the constraint, use the resource-manager org-policies set-policy command:

    gcloud resource-manager org-policies set-policy \
        policy.yaml --project=PROJECT_ID

  Replace PROJECT_ID with your project ID.
When you have finished configuring the constraints, test those constraints to ensure that they create the restrictions that you need.
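The following script is an added example and is not part of this documentation page or of the gcloud CLI. It builds the two policy.yaml variants shown above (an allowedValues/deniedValues list policy and the allValues: DENY policy) and runs a local pre-flight check of which image projects each one would permit before the file is applied with the set-policy command. The permit/deny logic is this script's own approximation of the list-policy semantics described on this page, plus the documented limitation that custom images in the local project are never restricted; it does not model inheritance from a parent folder or organization, which the real Organization Policy evaluation does. The project names example-vendor-images and my-project are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: build a
# compute.trustedImageProjects policy file locally and run a pre-flight check
# of which image projects it would permit before applying it with gcloud.
# The check is this script's own local approximation of the list-policy
# semantics the page describes (allowedValues, deniedValues, allValues: DENY)
# plus the documented limitation that custom images in the local project are
# never restricted. It does not model inheritance from a parent folder or the
# organization, which the real Org Policy evaluation does.

# write_policy FILE "allowed" "denied": write a listPolicy-style policy.yaml.
# Each list is a space-separated set of image project names; pass "" for none.
write_policy() {
  file=$1; allowed=$2; denied=$3
  {
    echo "constraint: constraints/compute.trustedImageProjects"
    echo "listPolicy:"
    if [ -n "$allowed" ]; then
      echo "  allowedValues:"
      for p in $allowed; do echo "  - projects/$p"; done
    fi
    if [ -n "$denied" ]; then
      echo "  deniedValues:"
      for p in $denied; do echo "  - projects/$p"; done
    fi
  } > "$file"
}

# write_deny_all_policy FILE: the "deny every image project except my own"
# variant shown on the page.
write_deny_all_policy() {
  printf 'constraint: constraints/compute.trustedImageProjects\nlistPolicy:\n  allValues: DENY\n' > "$1"
}

# list_contains FILE KEY PROJECT: true if "- projects/PROJECT" appears under
# the two-space-indented list KEY (allowedValues or deniedValues).
list_contains() {
  awk -v key="$2:" -v val="projects/$3" '
    $1 == key                     { on = 1; next }   # entered the wanted list
    /^  [A-Za-z]/                 { on = 0 }         # next sibling key ends it
    on && $1 == "-" && $2 == val  { found = 1 }
    END { exit !found }' "$1"
}

# policy_permits FILE LOCAL_PROJECT IMAGE_PROJECT: returns 0 if a disk could be
# created from an image in IMAGE_PROJECT under this policy, 1 otherwise.
policy_permits() {
  file=$1; local_project=$2; image_project=$3
  # Limitation stated on the page: custom images in the local project are not restricted.
  [ "$image_project" = "$local_project" ] && return 0
  grep -q '^  allValues: DENY$' "$file" && return 1
  list_contains "$file" deniedValues "$image_project" && return 1
  if grep -q '^  allowedValues:$' "$file"; then
    list_contains "$file" allowedValues "$image_project" && return 0
    return 1   # an allow list exists and this project is not on it
  fi
  return 0
}

# apply_policy FILE PROJECT_ID: the set-policy command from the page; skipped
# when gcloud is not installed so the rest of the script still runs offline.
apply_policy() {
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found; not applying $1" >&2; return 0; }
  gcloud resource-manager org-policies set-policy "$1" --project="$2"
}

# Demonstration on a constructed policy: allow debian-cloud and cos-cloud, deny
# the placeholder example-vendor-images project, and check candidates from the
# placeholder local project "my-project".
demo_dir=$(mktemp -d)
write_policy "$demo_dir/policy.yaml" "debian-cloud cos-cloud" "example-vendor-images"
for candidate in debian-cloud cos-cloud example-vendor-images other-images my-project; do
  if policy_permits "$demo_dir/policy.yaml" my-project "$candidate"; then
    echo "permit  $candidate"
  else
    echo "deny    $candidate"
  fi
done
rm -rf "$demo_dir"
```

Run the script as-is to see the pre-flight verdicts; call apply_policy "$demo_dir/policy.yaml" PROJECT_ID only once the verdicts match the restrictions you intend, and then confirm them against the real evaluation by attempting a disk creation in the project, since parent-level policies can still change the effective result.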
What's next
- Learn more about the Organization Policy Service.
- See what public images are available for you to use by default.
- Share your private image with other projects.
- Learn how to restrict use of your shared images, disks, and snapshots.
- Learn how to start an instance from an image.