Restricting resource usage


This page provides an overview of the Restrict Resource Service Usage organization policy constraint, which allows enterprise administrators to control which Google Cloud services can be used within their Google Cloud resource hierarchy. This constraint can only be enforced on services whose resources are direct descendants of an organization, folder, or project resource, such as Compute Engine and Cloud Storage.

The Restrict Resource Service Usage constraint excludes and won't work with certain services that are essential dependencies for Google Cloud products, such as Identity and Access Management (IAM), Cloud Logging, and Cloud Monitoring. For the list of cloud resource services that are supported by this constraint, see Restricting resource usage supported services.

Administrators can use this constraint to define hierarchical restrictions on allowed Google Cloud resource services within a resource container, such as an organization, a folder, or a project. For example, allow within project X, or deny within folder Y.

The Restrict Resource Service Usage constraint can be used in two mutually exclusive ways:

  • Denylist - resources of any service that isn't denied are allowed.

  • Allowlist - resources of any service that isn't allowed are denied.

The Restrict Resource Service Usage constraint controls the runtime access to all in-scope resources. When the organization policy containing this constraint is updated, it immediately applies to all access to all resources within the scope of the policy, with eventual consistency.

We recommend that administrators carefully manage updates to organization policies containing this constraint. You can roll out this policy change more safely by using tags to conditionally enforce the constraint. For more information, see Setting an organization policy with tags.

When a service is restricted by this policy, some Google Cloud services that have a direct dependency on the restricted service will be restricted as well. This only applies to services that manage the same customer resources. For example, Google Kubernetes Engine (GKE) has a dependency on Compute Engine. When Compute Engine is restricted, GKE is also restricted.

Using the Restrict Resource Service Usage constraint

Organization policy constraints can be set at the organization, folder, and project level. Each policy applies to all resources within its corresponding resource hierarchy, but can be overridden at lower levels in the resource hierarchy.

For more information about policy evaluation, see Understanding Hierarchy Evaluation.

Setting the organization policy

To set, change, or delete an organization policy, you must have the Organization Policy Administrator role.


To set an organization policy that includes a Restrict Resource Service Usage constraint, do the following:

  1. Go to the Organization policies page in the Google Cloud console.

Go to Organization policies

  2. In the project picker at the top of the screen, select the resource you want to set the policy for.

  3. In the table of organization policies, select Restrict Resource Service Usage.

  4. Click Edit.

  5. Under Applies to, select Customize.

  6. Under Policy enforcement, choose how to apply inheritance to this policy.

    1. If you want to inherit the organization policy of the parent resource and merge it with this one, select Merge with parent.

    2. If you want to override any existing organization policies, select Replace.

  7. Under Policy values, select Custom.

  8. Under Policy type, select Deny for a denylist or Allow for an allowlist.

  9. Under Custom values, add the service you want to block or allow to the list.

    1. For example, to block Cloud Storage, you could enter

    2. To add more services, click New policy value.

    Entering service values to the denied list

  10. On the right side of the page, review the summary of the policy.

  11. To enforce the policy, click Save.


Organization policies can be set through the Google Cloud CLI. To enforce an organization policy that includes the Restrict Resource Service Usage constraint, first create a YAML file with the policy to be updated:

$ cat /tmp/policy.yaml
constraint: constraints/gcp.restrictServiceUsage
listPolicy:
  deniedValues:
  - SERVICE_NAME

To set this policy on a resource, run the following command:

gcloud beta resource-manager org-policies set-policy \
    --project='PROJECT_ID' /tmp/policy.yaml


  • PROJECT_ID is the project ID of the resource on which you want to enforce this organization policy.

  • SERVICE_NAME is the name of the service to deny. For an allowlist, use allowedValues instead of deniedValues; the two modes are mutually exclusive.

To learn about using constraints in organization policies, see Using Constraints.

Dry-run organization policy

You can create a dry-run organization policy using the Restrict Resource Service Usage constraint to monitor how it would affect your organization before you enforce the live policy. For more information, see Create a dry-run organization policy.

Error message

If you set an organization policy to deny service A within resource hierarchy B, when a client tries to use service A within resource hierarchy B, the operation fails. An error is returned that describes the reason for this failure. Also, an AuditLog entry is generated for further monitoring, alerting, or debugging.

Example error message

Request is disallowed by organization's constraints/gcp.restrictServiceUsage
constraint for projects/PROJECT_ID attempting to use service

Example Cloud Audit Logs

Screenshot of example Audit Log entry
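The denial described above leaves a trail in Cloud Audit Logs that is worth alerting on, because repeated hits show either a misconfigured workload or someone probing a blocked service. The following is an added example, not code from the Google Cloud documentation: it scans audit-log entries for rejections caused by this constraint, matching the error text shown above and reading the service from protoPayload.serviceName rather than from the message tail. It assumes the standard Cloud Audit Log JSON layout (protoPayload.status, serviceName, methodName, authenticationInfo); the log entries in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter

CONSTRAINT = "constraints/gcp.restrictServiceUsage"
# Matches the denial text quoted on the page and captures the project ID.
DENIAL_RE = re.compile(r"disallowed by organization's " + re.escape(CONSTRAINT)
                       + r" constraint for (projects/[^\s/]+)")

def restricted_usage_denials(entries):
    """Return (project, service, method, principal) for every audit-log entry
    whose request was rejected by the Restrict Resource Service Usage constraint.
    Assumes the standard Cloud Audit Log layout (protoPayload.status etc.)."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        status = payload.get("status") or {}
        if status.get("code") != 7:      # 7 = PERMISSION_DENIED; success has no/0 code
            continue
        match = DENIAL_RE.search(status.get("message", ""))
        if not match:
            continue                     # some other permission denial, not this one
        hits.append((match.group(1), payload.get("serviceName", "?"),
                     payload.get("methodName", "?"),
                     payload.get("authenticationInfo", {}).get("principalEmail", "?")))
    return hits

def denials_by_service(entries):
    """Count denials per (project, service) so repeated attempts stand out."""
    return Counter((p, s) for p, s, _, _ in restricted_usage_denials(entries))

def _entry(service, method, code, message, principal="dev@example.com"):
    """Minimal constructed audit-log entry (sample data, not a real log)."""
    return {"protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "status": {"code": code, "message": message}}}

DENIAL_MSG = ("Request is disallowed by organization's " + CONSTRAINT
              + " constraint for projects/example-project attempting to use service")
SAMPLE_LOG = [  # constructed samples: two constraint denials, one IAM denial, one success
    _entry("storage.googleapis.com", "storage.buckets.create", 7, DENIAL_MSG),
    _entry("storage.googleapis.com", "storage.buckets.list", 7, DENIAL_MSG, "ci@example.com"),
    _entry("compute.googleapis.com", "v1.compute.instances.insert", 7,
           "Required 'compute.instances.create' permission for 'projects/example-project'"),
    _entry("logging.googleapis.com", "google.logging.v2.WriteLogEntries", 0, ""),
]
```

In a live setup the same filter can be expressed as a logs-based metric or log sink query on protoPayload.status.message, and the per-service counts feed an alerting threshold.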