Develop applications in a constrained Google Cloud environment

Our docs are often written to help you get a product or feature up and running, but some docs may not work correctly if your organization applies security constraints. For example, your company might implement some of the security constraints from the Cloud Foundation Toolkit, the Google Cloud security blueprints, or create their own.

This article helps you troubleshoot application deployment errors you might see in an organization that uses security constraints.

Troubleshoot security constraint problems

Your IT operations or security team can enable security constraints through organization policy. These constraints restrict how your organization's resources can be used.

When you make an API request that returns an error, the API response should tell you if it's due to policy violations. The response should explain the constraint that gets violated. The following troubleshooting steps help you determine and understand if a violation occurs:

  1. Review the API response error message. Can you identify which security constraint your deployment violates?

    The following example tells you that the sql.restrictPublicIpconstraint is the problem:

    Organization Policy check failure
    The external IP of this instance violates the constraints/sql.restrictPublicIp enforced
    
  2. If you understand the policy violation, update your resource deployment configuration to work within the constraints.

    In the previous example of restricting external public IP addresses, configure your Cloud SQL instance to use an internal private IP address.

  3. If you're not sure why the constraint is applied or what to do, work with your security team to understand where the policy is applied in your organization's hierarchy and their suggested workarounds.

    Check if any deployment templates, such as Terraform templates, are shared in your organization. These templates should detail how the Google Cloud infrastructure has been configured and limit your application's deployment.

Common security constraints problems

When you deploy your applications in Google Cloud, you may encounter an error like the following example:

ERROR: (gcloud.alpha.sql.instances.create) HTTPError 400: Invalid request:
Organization Policy check failure: the external IP of this instance violates the
constraints/sql.restrictPublicIp enforced at the 123456789 project.

In this example, you can't configure a Cloud SQL instance to use an external public IP address. A security constraint is being enforced from a policy applied to your environment.

The following common security constraints may be enabled and detailed in an API error response as you develop your applications.

Compute Engine

Constraint name Why it's implemented Suggested workaround
constraints/compute.disableNestedVirtualization Prevent a KVM-compatible hypervisor from being installed inside the VM. This behavior could introduce security risks without adequate patching and management. Configure your VM to disable hardware-accelerated nested virtualization.

By default, it's turned on for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
constraints/compute.requireShieldedVm Requires new VM instances to use Shielded disk images with Secure Boot, vTPM, and Integrity Monitoring options enabled. These options prevent the VM from being tampered with and data being accessed or modified. Don't enable shielded VMs when you create a VM.

To create a GKE cluster, you must enable shielded GKE nodes.

Dataflow doesn't currently support shielded VM workers.
constraints/compute.disableSerialPortAccess Remove security vectors to interact with a VM or view diagnostic output that could be used to form an attack. Don't enable serial port access when you create a VM.
constraints/compute.disableGuestAttributesAccess Minimize the amount of information about the underlying host and platform that could be abused by a malicious app. Don't use the Compute Engine API to read guest attributes of your Compute Engine VMs.
constraints/compute.vmExternalIpAccess Prevent applications from running with an external IP address and accessible from the Internet. Disable external IP access for your VMs. You can only use an internal private IP address.

GKE can use private clusters with no public IP addresses.

Dataprep and Dataflow don't currently support private IP addresses.

Virtual network and IP addresses

Constraint name Why it's implemented Suggested workaround
constraints/compute.skipDefaultNetworkCreation Make sure that only company-managed Virtual Private Cloud (VPC)s can be created and that network traffic or filtering rules are applied. Connect your applications to existing VPCs in your organization. Default auto-created VPCs aren't deployed for new projects.
constraints/compute.restrictXpnProjectLienRemoval Prevent a shared VPC from accidentally being deleted when resources in other projects rely on the network services it provides. Don't try to delete a shared VPC. Make sure you're targeting the correct resource for deletion.
constraints/sql.restrictPublicIp Prevent Cloud SQL instances from running with an external IP address and accessible from the Internet. Don't configure your Cloud SQL instance to use an external public IP address.

Instead, configure your Cloud SQL instance to use an internal private IP address.

Identity and authentication

Constraint name Why it's implemented Suggested workaround
constraints/iam.disableServiceAccountKeyCreation Service account keys can pose a security risk if exposed, so prevent them from being exported. Authenticate by using a more secure alternative to service account keys.
constraints/storage.uniformBucketLevelAccess Minimize the risk of incorrect or inconsistent permissions being applied to storage buckets by only allowing Identity and Access Management (IAM) to be used. Enable uniform bucket-level access to secure your Cloud Storage bucket.
constraints/iam.allowedPolicyMemberDomains Restrict Google Cloud resource access to only approved domains. Use an account within one of the approved domains. Additional known issues exist for this constraint.

Example API response errors

In the previous example of restricting external public IP addresses with Cloud SQL, a policy violation causes the API to return an error. The following more detailed examples show the API response that tells you which constraint causes the request to fail. Look at your own API responses to understand why application deployments fail.

Cloud SQL failure with Google Cloud CLI:

$ gcloud alpha sql instances create mysql-node --project my-sql-project

ERROR: (gcloud.alpha.sql.instances.create) HTTPError 400: Invalid request:
Organization Policy check failure: the external IP of this instance violates the
constraints/sql.restrictPublicIp enforced at the 123456789 project.

Cloud SQL failure with Terraform:

$ terraform apply plan.out

[...]
module.mysql-db.google_sql_database_instance.default: Creating...

Error: Error, failed to create instance backend01-db-1c81e0e3: googleapi:
Error 400: Invalid request: Organization Policy check failure: the external IP
of this instance violates the constraints/sql.restrictPublicIp enforced at the
123456789 project., invalid

List the organization policies applied to your project

Your project may inherit policies from the folder or organization level. Depending on your access roles, you may not have visibility into what policies are enforced at higher levels in your hierarchy to see where the violated constraint is applied.

To see the applied policies or exceptions for your project, use the gcloud org-policies list command:

gcloud org-policies list --project=PROJECT_ID

Replace PROJECT_ID with the project for which you want to see enforced policies.

For more information about a policy that's applied, use the gcloud org-policies describe command. Provide the name of the policy to describe, and your project ID with the --project parameter:

gcloud org-policies describe POLICY_NAME \
  --project=PROJECT_ID

Replace the following:

  • POLICY_NAME: the name of the organization policy

  • PROJECT_ID: the project for which you want to see the enforced policy

What's next

If you can't determine where a policy is applied and how to work around a security constraint, reach out to your IT operations or security team. Each organization applies policies and blueprints customized to their environment.

For more information about all the controls that could be applied in your organization, see the list of organization policy constraints.