This page provides an overview of resource usage restriction (RUR), a governance policy that allows enterprise administrators to control which Google Cloud services can be used within their Google Cloud resource hierarchy. RUR can only be enforced on services whose resources are direct descendants of an organization, folder, or project resource, such as Compute Engine and Cloud Storage.
RUR excludes, and does not apply to, certain services that are essential dependencies for Google Cloud products, such as Identity and Access Management (IAM), Cloud Logging, and Cloud Monitoring. For the list of resource services that are excluded by this constraint, see Restricting resource usage unsupported services.
The RUR policy is implemented as an organization policy constraint named Restrict Resource Service Usage. Administrators can use this constraint to define hierarchical restrictions on the Google Cloud resource services allowed within a resource container, such as an organization, a folder, or a project. For example, allow a given service within project X, or deny compute.googleapis.com within folder Y.
The Restrict Resource Service Usage constraint can be used in two mutually exclusive ways:
- Denylist: resources of any service that isn't denied are allowed.
- Allowlist: resources of any service that isn't allowed are denied.
The Restrict Resource Service Usage constraint controls runtime access to all in-scope resources. When a RUR policy is updated, the change applies to all access to all resources within the scope of the policy; it takes effect without any further action on your part, but propagation is eventually consistent, so a short window can exist in which some requests are still evaluated against the previous policy.
We recommend that administrators manage updates to RUR policies carefully. You can roll out a policy change more safely by using tags to enforce the constraint conditionally. For more information, see Setting an organization policy with tags.
When a service is restricted by this policy, some Google Cloud services that have a direct dependency on the restricted service will be restricted as well. This only applies to services that manage the same customer resources. For example, Google Kubernetes Engine (GKE) has a dependency on Compute Engine. When Compute Engine is restricted, GKE is also restricted.
Using the Restrict Resource Service Usage constraint
RUR policies are organization policy constraints, which can be set at the organization, folder, and project level. Each policy applies to all resources within its corresponding resource hierarchy, but can be overridden at lower levels in the resource hierarchy.
For more information about policy evaluation, see Understanding Hierarchy Evaluation.
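The two list modes, the Merge with parent and Replace inheritance options, and the dependency propagation described above (Google Kubernetes Engine is restricted whenever Compute Engine is) can be checked before a change is rolled out. The following simulator is an added example, not Google's code and not part of this page. Its dependency table carries only the GKE to Compute Engine edge the page mentions, the policy chain it runs is constructed, and its refusal to merge an allowlist with a denylist is a deliberate assumption made here rather than the documented reconciliation rule.

```python
"""Simulator for the Restrict Resource Service Usage constraint.

Added example; not Google's code and not part of this page. It models only
what the page states: a denylist allows every service not denied, an
allowlist denies every service not allowed, a lower-level policy either
merges with the parent policy or replaces it, and restricting a service
also restricts dependent services that manage the same customer resources
(GKE depends on Compute Engine). The DEPENDS_ON table and the refusal to
merge an allowlist into a denylist are assumptions made here.
"""
from dataclasses import dataclass

# Services the page says RUR excludes (essential dependencies).
UNSUPPORTED = frozenset({
    "iam.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
})

# Assumed dependency map: a service is restricted whenever a service it
# depends on is restricted. Only the GKE -> Compute Engine edge is from the page.
DEPENDS_ON = {
    "container.googleapis.com": frozenset({"compute.googleapis.com"}),
}


@dataclass(frozen=True)
class Policy:
    kind: str                         # "deny" (denylist) or "allow" (allowlist)
    values: frozenset                 # service names such as storage.googleapis.com
    merge_with_parent: bool = False   # console "Merge with parent" vs "Replace"


def effective_policy(chain):
    """Resolve the policy in force at the bottom of `chain`.

    `chain` lists the policies from the organization down to the target
    resource, with None at levels that set none. A policy marked
    merge_with_parent unions its values with the inherited policy; any other
    policy replaces it. Merging an allowlist with a denylist is not modelled.
    """
    effective = None
    for policy in chain:
        if policy is None:
            continue
        if effective is None or not policy.merge_with_parent:
            effective = Policy(policy.kind, policy.values)
        elif policy.kind == effective.kind:
            effective = Policy(policy.kind, effective.values | policy.values)
        else:
            raise ValueError("merging an allowlist with a denylist is not modelled here")
    return effective


def is_restricted(service, policy):
    """Apply the denylist/allowlist rule, then propagate through dependencies."""
    if policy is None or service in UNSUPPORTED:
        return False  # no policy in force, or a service RUR does not govern
    if policy.kind == "deny":
        direct = service in policy.values
    elif policy.kind == "allow":
        direct = service not in policy.values
    else:
        raise ValueError(f"unknown policy kind {policy.kind!r}")
    if direct:
        return True
    return any(is_restricted(dep, policy) for dep in DEPENDS_ON.get(service, ()))


def blocked_services(candidates, chain):
    """Sorted list of the candidate services that would be refused."""
    policy = effective_policy(chain)
    return sorted(s for s in candidates if is_restricted(s, policy))


# Constructed scenario (not from the page): an org-wide denylist, a folder
# that merges one more denied service into it, and a project that replaces
# the inherited denylist with an allowlist.
ORG_DENY = Policy("deny", frozenset({"file.googleapis.com"}))
FOLDER_DENY_MERGE = Policy("deny", frozenset({"compute.googleapis.com"}), merge_with_parent=True)
PROJECT_ALLOW = Policy("allow", frozenset({"storage.googleapis.com", "container.googleapis.com"}))
PROJECT_ALLOW_WITH_COMPUTE = Policy(
    "allow",
    frozenset({"storage.googleapis.com", "container.googleapis.com", "compute.googleapis.com"}),
)

CANDIDATES = [
    "compute.googleapis.com", "container.googleapis.com", "file.googleapis.com",
    "iam.googleapis.com", "storage.googleapis.com",
]

if __name__ == "__main__":
    for name, chain in [
        ("org + folder (merged denylist)", [ORG_DENY, FOLDER_DENY_MERGE]),
        ("project replaces with allowlist", [ORG_DENY, FOLDER_DENY_MERGE, PROJECT_ALLOW]),
        ("allowlist that also allows Compute Engine", [ORG_DENY, FOLDER_DENY_MERGE, PROJECT_ALLOW_WITH_COMPUTE]),
    ]:
        print(f"{name}: blocked = {blocked_services(CANDIDATES, chain)}")
```

The second scenario is the one that surprises people: the project allowlist names container.googleapis.com, yet GKE still ends up blocked because the allowlist does not name compute.googleapis.com. Anything the simulator flags that you did not intend is a reason to prefer the tag-conditional rollout mentioned above over an immediate organization-wide change.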
Setting the organization policy
To set, change, or delete an organization policy, you must have the Organization Policy Administrator role.
To set an organization policy that includes a Restrict Resource Service Usage constraint, do the following:
- Go to the Organization policies page in the Google Cloud console.
- In the project picker at the top of the screen, select the resource you want to set the policy for.
- In the table of organization policies, select Restrict Resource Service Usage.
- Under Applies to, select Customize.
- Under Policy enforcement, choose how this policy interacts with the policy inherited from the parent resource:
  - To inherit the organization policy of the parent resource and merge it with this one, select Merge with parent.
  - To override any existing organization policies, select Replace.
- Under Policy values, select Custom.
- Under Policy type, select Deny for a denylist or Allow for an allowlist.
- Under Custom values, add the service you want to block or allow to the list. For example, to block Cloud Storage, enter storage.googleapis.com. To add more services, click New policy value.
- On the right side of the page, review the summary of the policy.
- To enforce the policy, click Save.
Organization policies can be set through the Google Cloud CLI. To enforce an organization policy that includes the Restrict Resource Service Usage constraint, first create a YAML file with the policy to be updated:
$ cat /tmp/policy.yaml
constraint: constraints/gcp.restrictServiceUsage
list_policy:
  denied_values:
  - file.googleapis.com
  - bigquery.googleapis.com
  - storage.googleapis.com
To set this policy on a resource, run the following command:
gcloud beta resource-manager org-policies set-policy \
  --project='PROJECT_ID' /tmp/policy.yaml
- PROJECT_ID is the project ID of the resource on which you want to enforce this organization policy.
To learn about using constraints in organization policies, see Using Constraints.
If you set an organization policy to deny service A within resource hierarchy B, when a client tries to use service A within resource hierarchy B, the operation fails. An error is returned that describes the reason for this failure. Also, an AuditLog entry is generated for further monitoring, alerting, or debugging.
Example error message
Request is disallowed by organization's constraints/gcp.restrictServiceUsage constraint for projects/PROJECT_ID attempting to use service storage.googleapis.com.
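Because every refused request produces this error and an audit log entry, the denials are worth parsing: a burst of them after a policy change, or denials for a service you never listed, is the fastest way to notice that a merged parent policy or a dependency restriction is blocking more than intended. The following is an added example, not from the page or from Google. It matches only the error message format shown above; the sample messages are constructed, and the "intended denylist" it is compared against is a made-up input.

```python
"""Detect RUR denials in error messages.

Added example; not from the page or from Google. It recognises only the
error message format documented above. SAMPLE_MESSAGES are constructed,
and the intended denylist passed to unexpected_denials() is a made-up input.
"""
import re
from collections import Counter

RUR_DENIAL = re.compile(
    r"Request is disallowed by organization's "
    r"constraints/gcp\.restrictServiceUsage constraint for "
    r"(?P<resource>projects/[^\s]+) attempting to use service "
    r"(?P<service>[a-z0-9.-]+\.googleapis\.com)\.?"
)


def parse_denial(message):
    """Return {'resource', 'service'} for an RUR denial, or None for anything else."""
    m = RUR_DENIAL.search(message)
    if m is None:
        return None
    return {"resource": m.group("resource"), "service": m.group("service")}


# Constructed sample messages; not real log output.
SAMPLE_MESSAGES = [
    "Request is disallowed by organization's constraints/gcp.restrictServiceUsage "
    "constraint for projects/example-prod attempting to use service storage.googleapis.com.",
    "Request is disallowed by organization's constraints/gcp.restrictServiceUsage "
    "constraint for projects/example-prod attempting to use service compute.googleapis.com.",
    "The caller does not have permission",
    "Request is disallowed by organization's constraints/gcp.restrictServiceUsage "
    "constraint for projects/example-dev attempting to use service storage.googleapis.com.",
]


def denial_counts(messages):
    """Count denials per (resource, service) pair, e.g. to alert on a burst."""
    counts = Counter()
    for message in messages:
        hit = parse_denial(message)
        if hit is not None:
            counts[(hit["resource"], hit["service"])] += 1
    return counts


def unexpected_denials(messages, intended_denylist):
    """Services denied in `messages` that `intended_denylist` does not name.

    Such denials come from somewhere other than the policy you believe you
    set: a parent policy merged in, a Replace at a lower level, or a
    restriction that propagated from a service this one depends on.
    """
    seen = {hit["service"] for hit in map(parse_denial, messages) if hit is not None}
    return seen - set(intended_denylist)


if __name__ == "__main__":
    for key, n in sorted(denial_counts(SAMPLE_MESSAGES).items()):
        print(f"{key[0]} {key[1]}: {n} denial(s)")
    print("not on intended denylist:", unexpected_denials(SAMPLE_MESSAGES, {"storage.googleapis.com"}))
```

Feed it the textual error field of the audit log entries rather than the whole entry; the wrapper structure of those entries is not shown on this page, so the example deliberately parses only the message string.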
Example Cloud Audit Logs