You can use a trusted image policy to define an organization policy that allows principals to create Compute Engine persistent disks only from images in specific projects.
For instructions on how to use a trusted image policy, see Set image access constraints. The following steps show how to set image access constraints for Cloud Life Sciences at the project level using the Google Cloud console and Google Cloud CLI:
Console
- Go to the Organization policies page.
- In the policies list, click Define trusted image projects.
- Click Edit to customize your existing trusted image constraints.
- On the Edit page, select Customize.
- In the Policy values drop-down list, select Custom to set the constraint on specific image projects.
- In the Policy type drop-down list, specify the Allow value.
- In the Custom values field, enter `projects/life-sciences`. If you are setting project-level constraints, then they might conflict with the existing constraints set on your organization or folder.
- Click New policy value to add multiple image projects.
- Click Save to apply the constraint.
For more information about creating organization policies, see Creating and managing organization policies.
gcloud
- Get the existing policy settings for your project by running the `resource-manager org-policies describe` command:

  ```sh
  gcloud resource-manager org-policies describe \
      compute.trustedImageProjects --project=PROJECT_ID \
      --effective > policy.yaml
  ```

  Replace PROJECT_ID with your project ID.
- Open the `policy.yaml` file in a text editor and modify the `compute.trustedImageProjects` constraint by adding `projects/life-sciences` to the `allowedValues` field. When you have finished editing the file, save your changes.

  ```yaml
  constraint: constraints/compute.trustedImageProjects
  listPolicy:
    allowedValues:
    - projects/life-sciences
  ```

- Apply the `policy.yaml` file to your project. If your organization or folder has existing constraints, those constraints might conflict with project-level constraints that you set. To apply the constraint, use the `resource-manager org-policies set-policy` command:

  ```sh
  gcloud resource-manager org-policies set-policy \
      policy.yaml --project=PROJECT_ID
  ```

  Replace PROJECT_ID with your project ID.
When you have finished configuring the constraints, test those constraints to ensure that they create the restrictions that you need.
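The hand edit of `policy.yaml` in the gcloud steps above is where conflicts with inherited settings are easy to miss. The following added example (not part of the Google Cloud documentation, and not a Google tool) merges `projects/life-sciences` into a policy of the shape that `org-policies describe --effective` returns, modelled as a dict so it runs without a YAML library; the constraint name and project value come from this page, the helper names `add_trusted_image_project` and `render_policy_yaml` are my own.

```python
# Added example, not from the Google Cloud docs: merge a trusted image project
# into an org-policy file of the shape that `gcloud resource-manager
# org-policies describe --effective` produces. The policy is modelled as a
# dict so the example runs stand-alone; the helper names are assumptions.

CONSTRAINT = "constraints/compute.trustedImageProjects"

def add_trusted_image_project(policy: dict, project: str) -> dict:
    """Return a copy of `policy` with `project` in listPolicy.allowedValues.

    Handles the edge cases a hand edit can get wrong:
    - no listPolicy yet (an unset or inherited policy)
    - an `allValues` setting, which cannot coexist with explicit lists
    - the project already present (the edit is idempotent)
    - an existing deniedValues list (a conflict; refuse rather than guess)
    """
    if policy.get("constraint") not in (None, CONSTRAINT):
        raise ValueError(f"not a {CONSTRAINT} policy: {policy.get('constraint')}")
    lp = dict(policy.get("listPolicy") or {})
    if lp.get("deniedValues"):
        raise ValueError("existing deniedValues would conflict with an allow-list; "
                         "resolve the inherited policy first")
    # allValues (ALLOW/DENY) and allowedValues are mutually exclusive, so an
    # explicit allow-list replaces the blanket setting.
    lp.pop("allValues", None)
    allowed = list(lp.get("allowedValues", []))
    if project not in allowed:
        allowed.append(project)
    lp["allowedValues"] = allowed
    return {"constraint": CONSTRAINT, "listPolicy": lp}

def render_policy_yaml(policy: dict) -> str:
    """Serialise to the policy.yaml layout used with `org-policies set-policy`."""
    lines = [f"constraint: {policy['constraint']}", "listPolicy:", "  allowedValues:"]
    lines.extend(f"  - {v}" for v in policy["listPolicy"]["allowedValues"])
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample: an inherited policy that currently allows every project.
    effective = {"constraint": CONSTRAINT, "listPolicy": {"allValues": "ALLOW"}}
    print(render_policy_yaml(add_trusted_image_project(effective, "projects/life-sciences")))
```

Feed the rendered text to `gcloud resource-manager org-policies set-policy` exactly as in the step above, then verify the result by attempting a disk creation from a project outside the allow-list.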