Quickstart Using List Constraints

This page explains how to use a list constraint to create and enforce an organization policy.

In this exercise, you will set up an organization policy that prevents all projects below it from having the APIs cloudbilling.googleapis.com and cloudresourcesearch.googleapis.com enabled. It is important to know that projects that already have these APIs enabled will not have them disabled, because enforcement of this policy happens at activation time. You will then use replace and merge semantics to layer policy within your hierarchy.

Before you begin

Sign in to your Google account.

If you don't already have one, sign up for a new account.

  • You'll need an Organization resource to complete these exercises. If you're an existing G Suite or Cloud Identity customer, Google automatically creates an Organization resource for you the first time someone in your domain creates a project or a billing account.

  • You are assigned the roles/orgpolicy.PolicyAdmin role for your organization.

Retrieve the API value used for enforcement

To define this organization policy, you will need to retrieve the value of the API identifier that you wish to restrict.

We have provided this information for you in this quickstart. To determine the API identifier for another API, open the APIs & Services section of the developer console and choose 'Library' in the left menu.

From there, search for the API of interest. Then click through to the detail page of the desired API and read its path. It should look something like:

.../apis/api/cloudresourcesearch.googleapis.com/overview?...

The path segment between api/ and /overview is the value to use in policies. In this case, it is cloudresourcesearch.googleapis.com.
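The following helper, an added example rather than Google's code, does the extraction described above for a console Library URL of the shape shown here. It drops the query string, takes the segment between api/ and /overview, and rejects anything that does not look like a *.googleapis.com service name, so a mangled URL cannot silently become a policy value. The function name and the sample URL are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical helper (added example, not Google's code). The only URL shape it
# assumes is the one this quickstart shows: .../apis/api/<service>/overview?...
SERVICE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.googleapis\.com$")


def api_id_from_console_url(url):
    """Return the value to use in a serviceuser.services policy, or None.

    The value is the path segment between 'api/' and '/overview'. Anything in
    the query string is ignored, and a segment that does not look like a
    *.googleapis.com service name is rejected rather than passed through.
    """
    path = urlparse(url).path
    match = re.search(r"/apis/api/([^/]+)/overview/?$", path)
    if match is None:
        return None
    service = match.group(1)
    return service if SERVICE_NAME_RE.match(service) else None


if __name__ == "__main__":
    # Constructed sample URL in the shape the quickstart describes.
    sample = ("https://console.cloud.google.com/apis/api/"
              "cloudresourcesearch.googleapis.com/overview?project=example-project")
    print(api_id_from_console_url(sample))
```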

Set up enforcement on the organization node

Note: This step will prevent any activations of the cloudbilling.googleapis.com API on all projects in this organization.

  1. Get the current policy on the organization using the describe command.

    gcloud alpha resource-manager org-policies describe \
      --organization [ORGANIZATION_ID] serviceuser.services
    

Where:

  • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

The output of the command will be as shown below. Since no policy is set, an incomplete policy is returned.

    constraint: "constraints/serviceuser.services"

  2. Add a denied activation value for cloudbilling.googleapis.com using the deny command.

    gcloud alpha resource-manager org-policies deny \
      --organization [ORGANIZATION_ID] \
      serviceuser.services cloudbilling.googleapis.com
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    etag: BwVJi0OOESU=
    listPolicy:
      deniedValues:
        - cloudbilling.googleapis.com
    
  3. View the current effective policy using describe --effective.

    gcloud alpha resource-manager org-policies describe --effective \
     --organization [ORGANIZATION_ID] serviceuser.services
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services 
    listPolicy:
      deniedValues:
        - cloudbilling.googleapis.com
    

Merge the organization policy on a project

Next, you will merge a policy on a project so that both cloudbilling.googleapis.com and cloudresourcesearch.googleapis.com are denied.

This "merges" the project's own policy with the policy inherited from the organization, so the effective policy on the project denies both cloudbilling.googleapis.com and cloudresourcesearch.googleapis.com.

  1. Get the current policy on the project and show that it is empty.

    gcloud alpha resource-manager org-policies describe \
     --project [PROJECT_ID] serviceuser.services
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below. Since no policy is set, an incomplete policy is returned.

    constraint: "constraints/serviceuser.services"
    
  2. Get the effective policy on the project.

    gcloud alpha resource-manager org-policies describe --effective \
     --project [PROJECT_ID] serviceuser.services
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - cloudbilling.googleapis.com
    
  3. Set the policy on the project using the set-policy command. Create temp file /tmp/policy.yaml with:

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - cloudresourcesearch.googleapis.com
      inheritFromParent: true
    

    Then run the set-policy command.

    gcloud alpha resource-manager org-policies set-policy \
      --project [PROJECT_ID] /tmp/policy.yaml
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    etag: BwVLO2timxY=
    listPolicy:
      deniedValues:
        - cloudresourcesearch.googleapis.com
      inheritFromParent: true
    
  4. Get the effective policy to show merged policy.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] serviceuser.services
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - cloudresourcesearch.googleapis.com
        - cloudbilling.googleapis.com
    

Restore the default policy

Finally, you will replace the organization policy on the project, restoring the default to allow all activations.

This step replaces the organization policy on the project, allowing the API cloudbilling.googleapis.com, as well as all other APIs, to be enabled.

  1. Get the effective policy on the project to show merged policy.

    gcloud alpha resource-manager org-policies describe \
      --effective serviceuser.services \
      --project [PROJECT_ID]
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      deniedValues:
        - cloudresourcesearch.googleapis.com
        - cloudbilling.googleapis.com
    
  2. Replace it with a policy that allows everything on the project. Create a temp file /tmp/restore-policy.yaml with:

    restoreDefault: {}
    constraint: constraints/serviceuser.services
    

    Then run the command.

    gcloud alpha resource-manager org-policies set-policy \
      --project [PROJECT_ID] /tmp/restore-policy.yaml
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    etag: BwVJi9D3VLY=
    restoreDefault: {}
    
  3. Get the effective policy to show everything is allowed.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] serviceuser.services
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      allValues: ALLOW
    
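The merge section above and this restore section show the two layering behaviours the introduction promises: a project policy with inheritFromParent: true is merged with the organization's denials, and restoreDefault: {} discards them. The following Python model is an added example, not Google's code or the logic of the gcloud tool; it resolves the effective policy for a project from the policies set on the organization and the project, using the semantics these outputs demonstrate. It also goes one step beyond the page to the replace case the introduction mentions but does not show: the same project deny without inheritFromParent, which replaces the inherited policy instead of merging with it. The functions effective_policy and activation_allowed are assumptions; the policy dicts are this page's YAML documents written in Python.

```python
CONSTRAINT = "constraints/serviceuser.services"


def _default_policy():
    # With nothing set anywhere, describe --effective shows allValues: ALLOW.
    return {"constraint": CONSTRAINT, "listPolicy": {"allValues": "ALLOW"}}


def effective_policy(chain):
    """Resolve the effective policy for the last resource in `chain`.

    `chain` holds the policy set on each resource from the organization down
    to the target, e.g. [org_policy, project_policy]. A policy containing only
    `constraint` (the 'incomplete policy' describe returns) sets nothing and
    leaves the inherited policy unchanged.

    Semantics modelled (assumption drawn from this quickstart's outputs):
      restoreDefault: {}                   -> back to the default, parent ignored
      listPolicy + inheritFromParent: true -> values merged with the parent's
      listPolicy without inheritFromParent -> replaces the parent's policy
    A parent allValues: DENY is not covered by this page and is not merged.
    """
    effective = _default_policy()
    for policy in chain:
        if "restoreDefault" in policy:
            effective = _default_policy()
            continue
        own = policy.get("listPolicy")
        if not own:
            continue  # nothing set at this level; inherit unchanged
        resolved = {}
        for key in ("deniedValues", "allowedValues"):
            values = list(own.get(key, []))
            if own.get("inheritFromParent"):
                # Merge: our own values first, then the parent's (the order the
                # quickstart's merged output shows), without duplicates.
                values += [v for v in effective["listPolicy"].get(key, [])
                           if v not in values]
            if values:
                resolved[key] = values
        if not resolved:
            if "allValues" not in own:
                continue  # a listPolicy with no values changes nothing
            resolved = {"allValues": own["allValues"]}
        effective = {"constraint": CONSTRAINT, "listPolicy": resolved}
    return effective


def activation_allowed(effective, service):
    """Would enabling `service` on the resource be permitted by `effective`?"""
    lp = effective["listPolicy"]
    if lp.get("allValues") == "ALLOW":
        return True
    if lp.get("allValues") == "DENY":
        return False
    if service in lp.get("deniedValues", []):
        return False
    if "allowedValues" in lp:
        return service in lp["allowedValues"]
    return True


# Policies from this quickstart, as dicts rather than YAML files.
ORG_POLICY = {"constraint": CONSTRAINT,
              "listPolicy": {"deniedValues": ["cloudbilling.googleapis.com"]}}
NO_POLICY = {"constraint": CONSTRAINT}  # nothing set on this resource
PROJECT_MERGE = {"constraint": CONSTRAINT,
                 "listPolicy": {"deniedValues": ["cloudresourcesearch.googleapis.com"],
                                "inheritFromParent": True}}
PROJECT_RESTORE = {"restoreDefault": {}, "constraint": CONSTRAINT}
# Constructed, not on the page: the same deny without inheritFromParent (replace).
PROJECT_REPLACE = {"constraint": CONSTRAINT,
                   "listPolicy": {"deniedValues": ["cloudresourcesearch.googleapis.com"]}}

if __name__ == "__main__":
    cases = [("no project policy", NO_POLICY), ("merge", PROJECT_MERGE),
             ("replace", PROJECT_REPLACE), ("restoreDefault", PROJECT_RESTORE)]
    for label, project in cases:
        eff = effective_policy([ORG_POLICY, project])
        billing_ok = activation_allowed(eff, "cloudbilling.googleapis.com")
        print(f"{label:18} -> {eff['listPolicy']}  cloudbilling allowed: {billing_ok}")
```

The replace case is the one to watch in a real hierarchy: a project policy that omits inheritFromParent silently drops the organization's denial of cloudbilling.googleapis.com on that project, which is why checking describe --effective after every set-policy, as the quickstart does, is the habit to keep.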

Clean up

Next, you will clear the policies set during this quickstart, leaving no restrictions in the hierarchy.

  1. Delete the policy from the org using delete.

    gcloud alpha resource-manager org-policies delete \
      --organization [ORGANIZATION_ID] serviceuser.services
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    Deleted [<Empty>].
    
  2. Get the effective policy on the organization to show that it is no longer enforced.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --organization [ORGANIZATION_ID] serviceuser.services
    

    Where:

    • [ORGANIZATION_ID] is the numeric value used as the suffix in the GCP name of your organization.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      allValues: ALLOW
    
  3. Delete the policy from the project using the delete command.

    gcloud alpha resource-manager org-policies delete \
      --project [PROJECT_ID] serviceuser.services
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    Deleted [<Empty>].
    
  4. Get the effective policy on the project to show that it is no longer enforced.

    gcloud alpha resource-manager org-policies describe \
      --effective \
      --project [PROJECT_ID] serviceuser.services
    

    Where:

    • [PROJECT_ID] is the numeric representation of your project.

    The output of the command will be as shown below.

    constraint: constraints/serviceuser.services
    listPolicy:
      allValues: ALLOW
    

Google Cloud Resource Manager