To validate its attestation token, Confidential Space must download certificates from Cloud Storage buckets that live in Google-managed projects (listed in the table below). If Cloud Storage is a restricted service in your service perimeter, those buckets are outside it, so you must add the following egress rule to the perimeter:

```yaml
- egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/870449385679
    - projects/180376494128
  egressFrom:
    identityType: ANY_IDENTITY
```
The following table lists the projects containing the necessary certificates:
| Project ID | Project number | Description |
|---|---|---|
| cloud-shielded-ca-prod | 870449385679 | Project containing attestation certificates |
| cloud-shielded-ca-prod-root | 180376494128 | Project containing root certificates |
Creating a Confidential Space VM means calling `instances.insert` with an image that belongs to a Google-managed project outside your perimeter. If the Compute Engine API is restricted by your service perimeter, you must therefore also create the following egress rule:

```yaml
- egressTo:
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: InstancesService.Insert
    resources:
    - projects/30229352718
  egressFrom:
    identityType: ANY_IDENTITY
```
The following table lists the project necessary to fetch Confidential Space VM images:
| Project ID | Project number | Description |
|---|---|---|
| confidential-space-images | 30229352718 | Project containing Confidential Space VM images |
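Before editing a perimeter, it is worth checking whether its existing egress policies already cover the three dependencies above (certificate downloads from the two `cloud-shielded-ca-prod*` projects and `InstancesService.Insert` against the image project). The following script is an added example, not Google's code or part of this page's original content. It assumes the JSON layout that `gcloud access-context-manager perimeters describe PERIMETER --format=json` returns (`status.egressPolicies[].egressTo.resources`, `egressTo.operations[].serviceName`, `operations[].methodSelectors[].method`, and `status.restrictedServices`); the sample perimeter embedded in it is constructed, and the helper names are the author's own.

```python
"""Check a VPC Service Controls perimeter for the egress rules Confidential Space needs.

Added example, not Google's code. The perimeter layout mirrors the JSON printed by
`gcloud access-context-manager perimeters describe PERIMETER --format=json`
(an assumption of this example); SAMPLE_PERIMETER_JSON below is constructed.
"""
import json

# The three (service, method, project) dependencies from the two egress rules above.
REQUIRED_EGRESS = [
    ("storage.googleapis.com", "google.storage.objects.get", "projects/870449385679"),
    ("storage.googleapis.com", "google.storage.objects.get", "projects/180376494128"),
    ("compute.googleapis.com", "InstancesService.Insert", "projects/30229352718"),
]

# Constructed sample: a perimeter that already allows the certificate downloads
# but restricts Compute Engine without any egress rule for the image project.
SAMPLE_PERIMETER_JSON = """
{
  "name": "accessPolicies/123456789/servicePerimeters/example",
  "status": {
    "restrictedServices": ["storage.googleapis.com", "compute.googleapis.com"],
    "egressPolicies": [
      {
        "egressFrom": {"identityType": "ANY_IDENTITY"},
        "egressTo": {
          "operations": [
            {"serviceName": "storage.googleapis.com",
             "methodSelectors": [{"method": "google.storage.objects.get"}]}
          ],
          "resources": ["projects/870449385679", "projects/180376494128"]
        }
      }
    ]
  }
}
"""
SAMPLE_PERIMETER = json.loads(SAMPLE_PERIMETER_JSON)


def _operation_allows(operation, method):
    """True if an egressTo.operations entry permits `method` (no selectors = all methods)."""
    selectors = operation.get("methodSelectors", [])
    if not selectors:
        return True
    return any(sel.get("method") in ("*", method) for sel in selectors)


def _policy_allows(policy, service, method, project):
    """True if one egress policy lets `method` of `service` reach `project`."""
    to = policy.get("egressTo", {})
    resources = to.get("resources", [])
    if "*" not in resources and project not in resources:
        return False
    return any(
        op.get("serviceName") in ("*", service) and _operation_allows(op, method)
        for op in to.get("operations", [])
    )


def missing_egress(perimeter, required=REQUIRED_EGRESS, section="status"):
    """Return the required (service, method, project) tuples no egress policy covers.

    `section` is "status" for the enforced config or "spec" for a dry-run config.
    A service that is not restricted by the perimeter needs no egress rule.
    """
    cfg = perimeter.get(section, {})
    restricted = set(cfg.get("restrictedServices", []))
    policies = cfg.get("egressPolicies", [])
    return [
        (service, method, project)
        for service, method, project in required
        if service in restricted
        and not any(_policy_allows(p, service, method, project) for p in policies)
    ]


def egress_rules_for(missing):
    """Build egress policy entries (same shape as the fragments above) that close the gaps."""
    grouped = {}
    for service, method, project in missing:
        grouped.setdefault((service, method), []).append(project)
    return [
        {
            "egressFrom": {"identityType": "ANY_IDENTITY"},
            "egressTo": {
                "operations": [{"serviceName": s, "methodSelectors": [{"method": m}]}],
                "resources": projects,
            },
        }
        for (s, m), projects in grouped.items()
    ]


if __name__ == "__main__":
    gaps = missing_egress(SAMPLE_PERIMETER)
    for gap in gaps:
        print("missing egress rule:", *gap)
    print(json.dumps(egress_rules_for(gaps), indent=2))
```

Run it against real output by replacing `SAMPLE_PERIMETER` with the parsed `describe` JSON; the entries that `egress_rules_for` emits can be serialized to YAML and appended to the perimeter's egress policy file. Pass `section="spec"` to audit a dry-run configuration instead of the enforced one.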