Restricting Identities by Domain

The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This constraint allows you to restrict the set of identities that are allowed to be used in Cloud Identity and Access Management policies.

Organization policies can use this constraint to limit resource sharing to a specified set of one or more G Suite domains, and exceptions can be granted on a per-folder or per-project basis. Once a domain restriction is set, it applies only to future Cloud IAM policy changes, not to existing bindings: it is not retroactive. Identities from other organizations therefore retain access if they were added to a Cloud IAM policy before the constraint was applied, so audit existing bindings separately when you enforce the constraint.

The domain restriction constraint is based on the iam.allowedPolicyMemberDomains list constraint.

When this constraint is set on a G Suite domain, it will affect all identities that are under that domain. This includes user accounts that are managed in the G Suite console and not from within the Google Cloud Platform Console.

Setting the organization policy

The domain restriction constraint is a type of list constraint. G Suite customer IDs can be added and removed from the allowed_values list of a domain restriction constraint. All domains associated with that G Suite account will be affected by the organization policy.

You must have permission to modify organization policies to set this constraint. For example, the resourcemanager.organizationAdmin role has permission to set organization policy constraints. Read the Using Constraints page to learn more about managing policies at the organization level.

Console

To set an organization policy including a domain restriction constraint:

  1. Go to the Organization policies page in the Google Cloud Platform Console.
  2. Click Select.
  3. Select the organization you want to set the policy for.
  4. Click Domain Restricted Sharing.
  5. Click the Edit button.
  6. Under Applies to, select Customize.
  7. Under Policy values, select Custom.
  8. Enter a G Suite customer ID into the Policy value text box, then press Enter. Multiple IDs can be entered in this way.
  9. Click Save. A notification will appear to confirm that the policy has been updated.

gcloud

Policies can be set through the gcloud command-line tool. To create a policy that includes the domain restriction constraint, run the following command:

gcloud alpha resource-manager org-policies allow \
    --organization 'ORGANIZATION_ID' \
    iam.allowedPolicyMemberDomains 'DOMAIN_ID_1' \
    'DOMAIN_ID_2'

Where:

ORGANIZATION_ID is the numeric ID of the organization (for example 842463781240), as returned by gcloud organizations list.

DOMAIN_ID_1 and DOMAIN_ID_2 are G Suite customer IDs (for example C03xgje4y), not DNS domain names; each listed customer ID allows every domain associated with that G Suite account.

To learn about using constraints in organization policies, see Using Constraints.

Example organization policy

The following code snippet shows an organization policy including the domain restriction constraint:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.allowedPolicyMemberDomains"
  etag: "\a\005L\252\122\321\946\334"
  list_policy {
    allowed_values: "C03xgje4y"
    allowed_values: "C03g5e3bc"
    allowed_values: "C03t213bc"
  }
}

The allowed_values are G Suite customer IDs, such as C03xgje4y. Only identities belonging to a G Suite domain from the list of allowed_values will be allowed on Cloud IAM policies once this organization policy has been applied. G Suite human users and groups must be part of that G Suite domain, and Cloud IAM service accounts must be children of an organization resource associated with the given G Suite domain.

For example, if you created an organization policy with only the customer ID of your company's G Suite, only members from that domain could be added to the Cloud IAM policy from that point forward.

Example error message

When the domain restriction organization constraint is violated by trying to add a member that is not included in the allowed_values list, the operation will fail and then an error message will be displayed.

Console

Screenshot of Console

gcloud

ERROR: (gcloud.projects.set-iam-policy) FAILED_PRECONDITION: One or
more users in the policy do not belong to a permitted customer.

Retrieving a G Suite customer ID

The G Suite customer ID used by the domain restriction constraint can be obtained in two ways:

gcloud

The gcloud organizations list command can be used to see all organizations for which you have the resourcemanager.organizations.get permission:

gcloud organizations list

This command will return the DISPLAY_NAME, ID (Organization ID), and DIRECTORY_CUSTOMER_ID. The G Suite customer ID is the DIRECTORY_CUSTOMER_ID.

API

The G Suite directory API can be used to retrieve a G Suite customer ID.

  1. Obtain an OAuth access token for the https://www.googleapis.com/auth/admin.directory.customer.readonly scope.
  2. Run the following command to query the G Suite directory API:

    curl -# -X GET "https://www.googleapis.com/admin/directory/v1/customers/customerKey" \
    -H "Authorization: Bearer $access_token" -H "Content-Type: application/json"
    

This command returns a JSON response with the customer's information; the G Suite customer ID is the id field. customerKey is either the customer ID itself or the alias my_customer, which refers to the G Suite account of the administrator whose access token you used.

Restricting subdomains

The domain restriction constraint functions by limiting access to all domains that are associated with a given G Suite customer ID. Every G Suite account has exactly one primary domain, and zero or more secondary domains. All domains that are associated with the G Suite customer ID will be subject to the constraint.

Applying the domain restriction constraint to a resource controls which primary and secondary domains can access that resource and its descendants in the resource hierarchy.

The table below shows common combinations of a G Suite account's primary domain and a secondary domain of the same account. "Constraint allows" names the domain whose customer ID is in allowed_values; because allowed_values holds customer IDs rather than DNS names, allowing one domain of an account allows all of that account's domains:

Primary domain   Secondary domain (same G Suite account)   Constraint allows   Is user@sub.domain.com allowed?
domain.com       none                                       domain.com          No (sub.domain.com belongs to no allowed account)
domain.com       sub.domain.com                             domain.com          Yes (same customer ID)
domain.com       sub.domain.com                             sub.domain.com      Yes (same customer ID)
sub.domain.com   domain.com                                 sub.domain.com      Yes
sub.domain.com   none                                       sub.domain.com      Yes

To differentiate domain restriction constraint access between two domains, each domain must be associated with a different G Suite account. Each G Suite account is associated with an organization node and can have its own organization policies applied. This allows you to associate domain.com with one G Suite account and sub.domain.com with another for more granular access control. For more information, see Managing Multiple Organizations.
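Because the constraint is not retroactive, and because it matches on customer IDs rather than DNS names (the subdomain table above and the allowed_values explanation in the example policy section), it is useful to audit an existing Cloud IAM policy against the allow list before enforcing it. The following is an added example, not code from the original page: it applies the page's membership rules (users and groups by the customer ID of their domain, service accounts by the customer ID of the organization that owns their project, allUsers and allAuthenticatedUsers never allowed) to a policy in the JSON shape printed by gcloud projects get-iam-policy --format=json. The domain-to-customer and project-to-customer maps, the customer IDs and the sample policy are constructed, hypothetical data; in practice you would fill them from the Directory API and gcloud projects describe.

```python
"""Audit a Cloud IAM policy against a domain restriction allow list (added example)."""
import json

# Constructed directory data (hypothetical values): every domain of a G Suite
# account, primary and secondary, maps to that account's customer ID.
DOMAIN_TO_CUSTOMER = {
    "example.com": "C03xgje4y",         # primary domain of customer C03xgje4y
    "sub.example.com": "C03xgje4y",     # secondary domain of the same account
    "partner.example": "C03g5e3bc",     # a second, separately allowed account
    "contractor.example": "C0ffee123",  # an account that is not allowed
}

# Constructed: project ID -> customer ID of the organization that owns it.
# Service accounts carry no G Suite domain, so they are judged by their project.
PROJECT_TO_CUSTOMER = {
    "prod-billing": "C03xgje4y",
    "vendor-tooling": "C0ffee123",
}

# The allowed_values of the organization policy being audited against.
ALLOWED_CUSTOMERS = frozenset({"C03xgje4y", "C03g5e3bc"})
SA_SUFFIX = ".iam.gserviceaccount.com"


def customer_for_member(member):
    """Map one IAM member string to (customer ID or None, explanation)."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return None, "public principal"
    kind, sep, value = member.partition(":")
    if not sep:
        return None, "malformed member"
    value = value.lower()
    if kind in ("user", "group"):
        domain = value.rpartition("@")[2]
        return DOMAIN_TO_CUSTOMER.get(domain), f"{kind} in domain {domain}"
    if kind == "domain":
        return DOMAIN_TO_CUSTOMER.get(value), f"domain {value}"
    if kind == "serviceAccount":
        domain = value.rpartition("@")[2]
        if domain.endswith(SA_SUFFIX):
            project = domain[: -len(SA_SUFFIX)]
            return PROJECT_TO_CUSTOMER.get(project), f"service account in project {project}"
        return None, f"service account outside a known project ({domain})"
    return None, f"unhandled member type {kind}"


def find_violations(policy, allowed=ALLOWED_CUSTOMERS):
    """Return (role, member, reason, customer) for every binding member the
    constraint would reject. Members whose customer cannot be resolved count
    as violations: the constraint fails closed, and so should the audit."""
    violations = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            customer, reason = customer_for_member(member)
            if customer not in allowed:
                violations.append((binding["role"], member, reason, customer))
    return violations


def find_violations_in_json(text, allowed=ALLOWED_CUSTOMERS):
    """Same check over the raw output of gcloud ... get-iam-policy --format=json."""
    return find_violations(json.loads(text), allowed)


# Constructed sample policy in the shape gcloud prints (hypothetical members).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com",
                     "user:bob@sub.example.com",        # secondary domain: allowed
                     "group:eng@partner.example"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers",                         # public: rejected
                     "user:eve@contractor.example"]},    # C0ffee123: rejected
        {"role": "roles/editor",
         "members": ["serviceAccount:deploy@prod-billing.iam.gserviceaccount.com",
                     "serviceAccount:ci@vendor-tooling.iam.gserviceaccount.com"]},
    ],
    "version": 1,
}

if __name__ == "__main__":
    for role, member, reason, customer in find_violations(SAMPLE_POLICY):
        print(f"{role}: {member} ({reason}; customer={customer}) is not in the allow list")
```

Run against a real policy with `gcloud projects get-iam-policy PROJECT_ID --format=json | python3 audit.py` after replacing the maps; every line it prints is a binding that would survive enforcement of the constraint and needs a deliberate decision.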

Public data sharing

Some Google Cloud Platform products such as BigQuery, Cloud Functions, Cloud Run, Cloud Storage, and Cloud Pub/Sub support public data sharing. Enforcing the domain restricted sharing constraint in an organization policy will prevent public data sharing.

To publicly share data, temporarily disable the domain restricted sharing constraint on the Project resource that holds the data, make the public grant, and then re-enable the constraint. While the constraint is disabled on that project, any identity, not only allUsers and allAuthenticatedUsers, can be added to its Cloud IAM policies, and because the constraint is not retroactive those bindings remain after it is re-enabled; keep the window short and review the bindings added during it.

Troubleshooting known issues

Cloud Billing export service account

Enabling billing export to a bucket in a project where this constraint is enforced is expected to fail, because the export is written by a Google-managed service account (below) that does not belong to your G Suite domain. Do not enforce this constraint on the project that holds buckets used for billing export.

The Cloud Billing export service account email address is: 509219875288-kscf0cheafmf4f6tp1auij5me8qakbin@developer.gserviceaccount.com

Cloud Composer

To create a new environment, you must first disable the domain restriction constraint on the desired project. You can re-enable the constraint after you create the environment.

Forcing account access

If you need to grant a project access to an account that the domain restriction would reject (for example, a service account from another organization):

  1. Remove the organization policy containing the domain restriction constraint.

  2. Grant account access to the project.

  3. Implement the organization policy with the domain restriction constraint again.
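Removing the organization-level policy lifts the restriction for every project in the organization for as long as it takes to make the grant. Since the page notes that exceptions can be granted per project, the procedure above, and the temporary disable for public data sharing and Cloud Composer, can instead be scoped to the one project involved. The following script is an added example, not part of the original page: it writes the organization-level allow list and a project-level "allow all" override as policy files for gcloud resource-manager org-policies set-policy, makes the grant inside that override, and then deletes the override so the project inherits the organization's restriction again. It assumes the GA gcloud resource-manager org-policies command group; the organization ID, customer IDs, project and bucket names are hypothetical, and DRY_RUN=1 prints the gcloud commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): open a domain-restriction
# exception on ONE project, make the grant, and close the exception again.
# Assumes the GA `gcloud resource-manager org-policies` command group.
# Set DRY_RUN=1 to write the policy files and print the commands instead of
# calling gcloud.
set -eu

CONSTRAINT="constraints/iam.allowedPolicyMemberDomains"

# Organization-level policy file: only identities under the given G Suite
# customer IDs may appear in Cloud IAM policies anywhere in the organization.
write_allow_list_policy() {
  out="$1"; shift
  {
    echo "constraint: ${CONSTRAINT}"
    echo "listPolicy:"
    echo "  allowedValues:"
    for customer_id in "$@"; do
      echo "  - ${customer_id}"
    done
  } > "${out}"
}

# Project-level override: allow every value. Set on a project, this replaces
# the inherited allow list for that project and its descendants only.
write_allow_all_policy() {
  printf 'constraint: %s\nlistPolicy:\n  allValues: ALLOW\n' "${CONSTRAINT}" > "$1"
}

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# grant_with_exception PROJECT_ID CMD [ARGS...]
# Runs CMD (the grant the constraint would otherwise reject) inside a window
# in which PROJECT_ID allows all member domains, then deletes the override so
# the project inherits the organization's restriction again. Grants made
# during the window stay in place (the constraint is not retroactive), so keep
# the window short and review what was added.
grant_with_exception() {
  project="$1"; shift
  policy_file="$(mktemp)"
  write_allow_all_policy "${policy_file}"
  run gcloud resource-manager org-policies set-policy "${policy_file}" --project="${project}"
  rc=0
  run "$@" || rc=$?
  run gcloud resource-manager org-policies delete "${CONSTRAINT}" --project="${project}"
  rm -f "${policy_file}"
  return "${rc}"
}

# Demo with hypothetical IDs and names; runs only when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
  write_allow_list_policy org-policy.yaml C03xgje4y C03g5e3bc
  run gcloud resource-manager org-policies set-policy org-policy.yaml --organization=842463781240
  # Make one bucket public without lifting the restriction for the whole organization.
  grant_with_exception my-project \
    gsutil iam ch allUsers:objectViewer gs://my-public-bucket
fi
```

Check the result afterwards with `gcloud resource-manager org-policies describe constraints/iam.allowedPolicyMemberDomains --project=PROJECT_ID --effective`, which should again show the organization's allowedValues rather than allValues: ALLOW.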

Alternatively, you can grant access through a Google Group in an allowed domain:

  1. Create a Google Group within the allowed domain.

  2. In the G Suite admin console, allow that group to contain members from outside your domain.

  3. Add the service account to the group.

  4. Implement the organization policy with the domain restriction constraint again.

  5. Grant access to the Google Group in the Cloud IAM policy.

With this approach the group's membership, not the constraint, decides who holds the role, so restrict who can manage the group's members and review them regularly.
