Set up trusted image policies

You can use a trusted image policy to define an organization policy that allows principals to create Compute Engine persistent disks only from images in specific projects.

For instructions on how to use a trusted image policy, see Set image access constraints. The following steps show how to set image access constraints for Cloud Life Sciences at the project level using the Google Cloud console and Google Cloud CLI:

Console

  1. Go to the Organization policies page.


  2. In the policies list, click Define trusted image projects.
  3. Click Edit to customize your existing trusted image constraints.
  4. On the Edit page, select Customize.
  5. In the Policy values drop-down list, select Custom to set the constraint on specific image projects.
  6. In the Policy type drop-down list, specify the Allow value.
  7. In the Custom values field, enter projects/life-sciences.

    If you are setting project-level constraints, then they might conflict with the existing constraints set on your organization or folder.

  8. Click New policy value to add multiple image projects.

  9. Click Save to apply the constraint.

For more information about creating organization policies, see Creating and managing organization policies.

gcloud

  1. Get the existing policy settings for your project by running the resource-manager org-policies describe command:

    gcloud resource-manager org-policies describe \
       compute.trustedImageProjects --project=PROJECT_ID \
       --effective > policy.yaml
    

    Replace PROJECT_ID with your project ID.

  2. Open the policy.yaml file in a text editor and modify the compute.trustedImageProjects constraint by adding projects/life-sciences to the allowedValues field. When you have finished editing the file, save your changes.

    constraint: constraints/compute.trustedImageProjects
    listPolicy:
      allowedValues:
        - projects/life-sciences
    
  3. Apply the policy.yaml file to your project with the resource-manager org-policies set-policy command. If your organization or folder already sets this constraint, the project-level policy you apply here might conflict with it, so check the effective policy after applying.

    gcloud resource-manager org-policies set-policy \
       policy.yaml --project=PROJECT_ID
    

    Replace PROJECT_ID with your project ID.

When you have finished configuring the constraints, test them: run the describe command with --effective again to confirm that projects/life-sciences appears in allowedValues, and confirm that creating a persistent disk from an image in a project that is not on the list is rejected, while creating one from an image in a listed project succeeds.
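The gcloud steps above edit policy.yaml by hand. The following added example (not part of this page or of the gcloud tooling) does the same merge programmatically and adds a local pre-check for the testing step. It assumes the policy is exported with describe --format=json instead of YAML, so only the Python standard library is needed, and that set-policy accepts a JSON policy file (gcloud documents the policy file as JSON or YAML). SAMPLE_EFFECTIVE_POLICY is a constructed example of a describe --effective result, not output captured from a real project; the pre-check mirrors list-constraint allow/deny semantics and is not the authoritative check, which Compute Engine performs when the disk is created.

```python
"""Merge an image project into a compute.trustedImageProjects policy and pre-check it.

Added example; assumes `describe ... --effective --format=json` input and a
JSON file for `set-policy`. Not code from the page or from gcloud itself.
"""
import json
import sys
from copy import deepcopy
from typing import Any, Dict

CONSTRAINT = "constraints/compute.trustedImageProjects"

# Constructed sample of a describe --effective --format=json result for a
# project whose parent already restricts images to one project. Not real data.
SAMPLE_EFFECTIVE_POLICY: Dict[str, Any] = json.loads("""
{
  "constraint": "constraints/compute.trustedImageProjects",
  "listPolicy": {
    "allowedValues": ["projects/debian-cloud"]
  }
}
""")


def add_trusted_image_project(policy: Dict[str, Any], image_project: str) -> Dict[str, Any]:
    """Return a copy of `policy` whose listPolicy.allowedValues contains image_project.

    Handles the shapes an effective policy can take: an existing allow list
    (append), no listPolicy at all (create one), an allValues ALLOW/DENY
    setting (replaced by an explicit allow list, as the console's
    "Customize" does; note that replacing ALLOW narrows the policy to only
    the listed projects), and a value already present (no change). A policy
    that uses deniedValues is refused instead of being silently turned into
    an allow list; that is a conservative choice here, not an API rule.
    """
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError(f"expected {CONSTRAINT}, got {policy.get('constraint')!r}")
    if not image_project.startswith("projects/"):
        raise ValueError("image project must be written as projects/PROJECT_ID")

    updated = deepcopy(policy)  # never mutate the caller's copy
    list_policy = updated.setdefault("listPolicy", {})
    if list_policy.get("deniedValues"):
        raise ValueError("policy uses deniedValues; convert it to an allow list deliberately")
    list_policy.pop("allValues", None)
    allowed = list_policy.setdefault("allowedValues", [])
    if image_project not in allowed:
        allowed.append(image_project)
    return updated


def image_project_allowed(policy: Dict[str, Any], image_project: str) -> bool:
    """Local pre-check: would a disk built from an image in image_project pass?

    allValues wins first, then deniedValues, then allowedValues; no
    listPolicy means the constraint is not restricting anything. Values are
    compared as exact projects/... strings, so a policy written with a
    project number will not match a project ID here.
    """
    list_policy = policy.get("listPolicy") or {}
    all_values = list_policy.get("allValues")
    if all_values == "DENY":
        return False
    if all_values == "ALLOW":
        return True
    if image_project in list_policy.get("deniedValues", []):
        return False
    allowed = list_policy.get("allowedValues")
    return True if allowed is None else image_project in allowed


def merge_policy_file(src: str, dst: str, image_project: str) -> Dict[str, Any]:
    """Read a describe --format=json dump from src, add image_project, write dst."""
    with open(src, encoding="utf-8") as fh:
        policy = json.load(fh)
    updated = add_trusted_image_project(policy, image_project)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
    return updated


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real flow (hypothetical file names):
        #   gcloud resource-manager org-policies describe compute.trustedImageProjects \
        #       --project=PROJECT_ID --effective --format=json > policy.json
        #   python3 trusted_images.py policy.json policy.new.json
        #   gcloud resource-manager org-policies set-policy policy.new.json --project=PROJECT_ID
        merge_policy_file(sys.argv[1], sys.argv[2], "projects/life-sciences")
    else:
        # Offline walk-through on the constructed sample.
        new_policy = add_trusted_image_project(SAMPLE_EFFECTIVE_POLICY, "projects/life-sciences")
        print(json.dumps(new_policy, indent=2))
        for project in ("projects/life-sciences", "projects/centos-cloud"):
            state = "allowed" if image_project_allowed(new_policy, project) else "blocked"
            print(project, state)
```

Run the pre-check against the policy you are about to apply and against the effective policy you read back after set-policy; if the two disagree, a folder or organization policy is overriding the project-level one.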