Using Constraints

This guide explains how to create an organization policy with a particular constraint. The constraints used in these examples will not be actual constraints, but generalized samples for educational purposes.

For more information on constraints and the problems they solve, review the list of all Organization Policy Service constraints.

Before you begin

Add an organization policy administrator

To add a user as an Organization Policy Administrator, you must have the Organization Administrator role.

Console

To add an organization policy administrator:

  1. Sign in to the Google Cloud Platform Console as a G Suite or Cloud Identity super administrator and go to the Manage resources page:

  2. On the Organization drop-down list, select your organization.

  3. In the list of resources that appears, select the check box next to the Organization resource.

  4. On the right side Info Panel, under Permissions, enter the email address of the member you want to add.

  5. In the Select a role drop-down list, select Organization Policy > Organization Policy Administrator.

  6. Click Add. A dialog will appear to confirm the addition or update of the member's new role.

gcloud

You can use JSON or YAML files with the gcloud commands. This example uses JSON.

To add an organization policy administrator to your organization:

  1. Get the Cloud IAM policy that you want to modify, and write it to a JSON file:

     gcloud projects get-iam-policy PROJECT_ID --format json > iam.json

  2. The contents of the JSON file will be similar to the following. Note that the version field is read-only, so you won't need to supply it.

     {
       "bindings": [
         {
           "members": [
             "user:email1@gmail.com"
           ],
           "role": "roles/owner"
         },
         {
           "members": [
             "serviceAccount:our-project-123@appspot.gserviceaccount.com",
             "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
           ],
           "role": "roles/editor"
         }
       ],
       "etag": "BwUjMhCsNvY=",
       "version": 1
     }

  3. Use a text editor to add a new object to the bindings array that defines the group members and the role for those members. For example, to grant the role roles/orgpolicy.policyAdmin to the user email2@gmail.com, change the example above as follows:

     {
       "bindings": [
         {
           "members": [
             "user:email1@gmail.com"
           ],
           "role": "roles/owner"
         },
         {
           "members": [
             "serviceAccount:our-project-123@appspot.gserviceaccount.com",
             "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
           ],
           "role": "roles/editor"
         },
         {
           "members": [
             "user:email2@gmail.com"
           ],
           "role": "roles/orgpolicy.policyAdmin"
         }
       ],
       "etag": "BwUjMhCsNvY="
     }

  4. Update the project's policy by running the following command:

     gcloud projects set-iam-policy PROJECT_ID iam.json

  5. The command outputs the updated policy:

     bindings:
     - members:
       - user:email1@gmail.com
       role: roles/owner
     - members:
       - serviceAccount:our-project-123@appspot.gserviceaccount.com
       - serviceAccount:123456789012-compute@developer.gserviceaccount.com
       role: roles/editor
     - members:
       - user:email2@gmail.com
       role: roles/orgpolicy.policyAdmin
     etag: BwUjMhXbSPU=
     version: 1
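The hand edit in step 3 is easy to get wrong (a duplicated role binding, a dropped etag, a member string missing its user: prefix). The following example, added for this guide and not part of gcloud or the Organization Policy Service, performs the same edit on a policy document shaped like the get-iam-policy output above. The sample document is constructed to match the one shown in step 2; the function and member-check names are this example's own.

```python
"""Step 3 of the gcloud procedure above, done in code instead of by hand.

Example code added for this guide (not gcloud's own code). It edits a policy
document shaped like the output of
`gcloud projects get-iam-policy PROJECT_ID --format json`; the sample below is
constructed to match the document the guide shows."""
import copy
import json

ORG_POLICY_ADMIN = "roles/orgpolicy.policyAdmin"

# Constructed sample: same shape and values as the guide's step 2 output.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
    {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
     "role": "roles/editor"}
  ],
  "etag": "BwUjMhCsNvY=",
  "version": 1
}"""


def load_sample() -> dict:
    """Parse the constructed sample policy."""
    return json.loads(SAMPLE_POLICY_JSON)


def valid_member(member: str) -> bool:
    """Accept only the prefixed principal types this guide uses. A bare address
    (missing the `user:` prefix) or `allUsers` is rejected: a policy-admin grant
    should always name a specific principal."""
    kind, sep, ident = member.partition(":")
    return sep == ":" and kind in {"user", "group", "serviceAccount"} and "@" in ident


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` that grants `role` to `member`.

    If a binding for `role` already exists, the member is appended to it (one
    binding per role, no duplicate members); otherwise a new object is appended
    to `bindings`, exactly as step 3 describes. `version` is read-only and is
    dropped; `etag` is kept so that set-iam-policy can detect a concurrent
    change to the policy."""
    if not valid_member(member):
        raise ValueError(f"not a principal of the form type:id: {member!r}")
    updated = copy.deepcopy(policy)
    updated.pop("version", None)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"members": [member], "role": role})
    return updated


def members_with_role(policy: dict, role: str) -> list:
    """All principals holding `role` in `policy`, sorted for stable comparison."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == role for m in b["members"])


if __name__ == "__main__":
    updated = add_binding(load_sample(), ORG_POLICY_ADMIN, "user:email2@gmail.com")
    # Save this output as iam.json, then run:
    #   gcloud projects set-iam-policy PROJECT_ID iam.json
    print(json.dumps(updated, indent=2))
```

Keeping the etag is the part worth noticing: set-iam-policy uses it to reject the write if the policy changed after you read it, so a script that strips it can silently overwrite someone else's grant.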
       

Using list constraints in organization policy

Set up enforcement on the organization resource

You can set an organization policy on your organization resource that uses a list constraint to deny access to a particular service.

  1. Get the current policy on the organization resource using the describe command:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --organization ORGANIZATION_ID
    

    Where:

    • ORGANIZATION_ID is a unique identifier for the organization resource.

    • LIST_CONSTRAINT is the list constraint for the service that you want to enforce.

    You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

    Because a policy isn't set, an incomplete policy is returned, like the following example:

    constraint: "constraints/LIST_CONSTRAINT"
    etag: BwVJi0OOESU=
    

  2. Use the deny command to add the denied value for the service to which you want to restrict access.

    gcloud beta resource-manager org-policies deny \
      LIST_CONSTRAINT VALUE_A \
      --organization ORGANIZATION_ID
    

    The output of the command will be:

    constraint: constraints/LIST_CONSTRAINT
    etag: BwVJi0OOESU=
    listPolicy:
      deniedValues:
        - VALUE_A
    updateTime: CURRENT_TIME
    

  3. View the current effective policy using describe --effective.

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --organization ORGANIZATION_ID
    

    The output of the command will be:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      deniedValues:
        - VALUE_A
    

    Because this organization policy was set at the organization level, it will be inherited by all child resources that allow inheritance.

Set up enforcement against a hierarchy subtree

You can set an organization policy on a resource that uses a list constraint and a value prefix to deny access to a particular resource and all of its child resources. This list of values is expressed as a hierarchy subtree string. The subtree string specifies the type of resource it applies to. For example, a list of project IDs in the form of projects/PROJECT_ID for constraints/compute.trustedImageProjects.

Hierarchy subtree value prefixes are a beta feature, might be changed in backward-incompatible ways, and are not subject to any SLA or deprecation policy.

  1. Get the current policy on the organization resource using the describe command:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --organization ORGANIZATION_ID
    

    Where:

    • ORGANIZATION_ID is a unique identifier for the organization resource.

    • LIST_CONSTRAINT is the list constraint for the service that you want to enforce.

    You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

    Because a policy isn't set, an incomplete policy is returned, like the following example:

    constraint: "constraints/LIST_CONSTRAINT"
    etag: BwVJi0OOESU=
    

  2. Use the deny command to add the denied value for the service to which you want to restrict access. The under: prefix sets the constraint to deny the named resource and all of its child resources.

    gcloud beta resource-manager org-policies deny \
      LIST_CONSTRAINT under:folders/VALUE_A \
      --organization ORGANIZATION_ID
    

    Where:

    • under: is a prefix that signifies what follows is a subtree string.

    • folders/VALUE_A is the folder ID of the root resource you want to deny. This resource and all of its children in the resource hierarchy will be denied.

    • VALUE_B and VALUE_C are projects that exist in the hierarchy with VALUE_A as their parent.

    The output of the deny command will be:

    constraint: constraints/LIST_CONSTRAINT
    etag: BwVJi0OOESU=
    listPolicy:
      deniedValues:
        - under:folders/VALUE_A
    updateTime: CURRENT_TIME
    

    You can also apply the under: prefix to organizations and projects, as in the following examples:

    • under:organizations/VALUE_X

    • under:projects/VALUE_Y

  3. View the current effective policy using describe --effective.

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --organization ORGANIZATION_ID
    

    The output of the command will be:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      deniedValues:
        - under:folders/VALUE_A
    

    The policy now evaluates to deny the folder VALUE_A and all of its child resources, in this case VALUE_B and VALUE_C.

Merge the organization policy on a project

You can set a custom organization policy on a resource, which will merge with any policy inherited from its parent resource. This merged policy will then be evaluated to create a new effective policy based on the rules of inheritance.

  1. Get the current policy on the resource using the describe command:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --project PROJECT_ID
    

    Where:

    • PROJECT_ID is the unique identifier of your project.

    • LIST_CONSTRAINT is the list constraint for the service that you want to enforce.

    Because a policy isn't set, an incomplete policy is returned, like the following example:

    constraint: "constraints/LIST_CONSTRAINT"
    etag: BwVJi0OOESU=
    

  2. Display the current effective policy using the describe --effective command:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --project PROJECT_ID
    

    The output of the command will include a denied value that it inherits from the organization resource:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      deniedValues:
        - VALUE_A
    

  3. Set the policy on the project using the set-policy command.

    1. Create a temporary file /tmp/policy.yaml to store the policy:

       constraint: constraints/LIST_CONSTRAINT
       listPolicy:
         deniedValues:
           - VALUE_B
           - VALUE_C
         inheritFromParent: true
       

    2. Run the set-policy command:

       gcloud beta resource-manager org-policies set-policy \
         --project PROJECT_ID /tmp/policy.yaml
       

      The output of the command will be:

       constraint: constraints/LIST_CONSTRAINT
       etag: BwVLO2timxY=
       listPolicy:
         deniedValues:
           - VALUE_B
           - VALUE_C
         inheritFromParent: true
       

  4. Use the describe --effective command again to display the updated policy:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --project PROJECT_ID
    

    The output of the command will include the effective result of merging the policy from the resource and from the parent:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      deniedValues:
        - VALUE_A
        - VALUE_B
        - VALUE_C
    

Restore default constraint behavior

You can use the restoreDefault value in an organization policy to reset the policy to use the constraint's default behavior. The following example assumes that the default constraint behavior is to allow all values.

  1. Get the effective policy on the project to show the current merged policy:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --project PROJECT_ID
    

    Where PROJECT_ID is the unique identifier of your project. The output of the command will be:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      deniedValues:
        - VALUE_A
        - VALUE_B
        - VALUE_C
    

  2. Set the policy on the project using the set-policy command.

    1. Create a temporary file /tmp/restore-policy.yaml to store the policy:

       restoreDefault: {}
       constraint: constraints/LIST_CONSTRAINT
       

    2. Run the set-policy command:

       gcloud beta resource-manager org-policies set-policy \
         --project PROJECT_ID /tmp/restore-policy.yaml
       

    3. The output of the command will be:

       constraint: constraints/LIST_CONSTRAINT
       etag: BwVJi9D3VLY=
       restoreDefault: {}
       

  3. Get the effective policy to verify the default behavior:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --project PROJECT_ID
    

    The output of the command will allow all values:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      allValues: ALLOW
    

Delete an organization policy

You can delete an organization policy from a resource. A resource without an organization policy set will inherit any policy of its parent resource. If you delete the organization policy on the organization resource, the effective policy will be the constraint's default behavior.

The following steps describe how to delete an organization policy on an organization:

  1. Delete the policy on the organization resource using the delete command:

    gcloud beta resource-manager org-policies delete \
      LIST_CONSTRAINT --organization ORGANIZATION_ID
    

    Where ORGANIZATION_ID is the unique identifier for the organization resource. The output of the command will be:

    Deleted [<Empty>].
    

  2. Get the effective policy on the organization to verify it's not enforced:

    gcloud beta resource-manager org-policies describe \
      LIST_CONSTRAINT --effective \
      --organization ORGANIZATION_ID
    

    The output of the command will be:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      allValues: ALLOW
    

The following steps describe how to delete an organization policy on a project:

  1. Delete the policy on a project using the delete command:

    gcloud beta resource-manager org-policies delete \
      LIST_CONSTRAINT --project PROJECT_ID
    

    Where PROJECT_ID is the unique identifier of your project. The output of the command will be:

    Deleted [<Empty>].
    

  2. Get the effective policy on the project to verify it's not enforced:

    gcloud beta resource-manager org-policies describe \
      --effective \
      LIST_CONSTRAINT --project PROJECT_ID
    

    The output of the command will be:

    constraint: constraints/LIST_CONSTRAINT
    listPolicy:
      allValues: ALLOW
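The list-constraint sections above (organization-level deny, the under: subtree prefix, merging with inheritFromParent, restoreDefault, and deletion) all describe one evaluation rule set. The following model, added for this guide and not the Organization Policy Service's own evaluator, reproduces the describe --effective outputs shown in those sections so the inheritance behaviour can be checked offline. The hierarchy, the ListPolicy class and the function names are this example's constructions; the treatment of a policy that omits inheritFromParent (it replaces the inherited values) is an assumption the guide does not state, and allowedValues are left out.

```python
"""Model of how this guide's effective list-constraint policy is computed over
the resource hierarchy. Example code added for this guide, written from the
describe --effective outputs the guide shows; it is not the Organization Policy
Service's own evaluator and omits allowedValues."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONSTRAINT = "constraints/LIST_CONSTRAINT"

# Constructed hierarchy matching the guide: folder VALUE_A with child projects
# VALUE_B and VALUE_C, and PROJECT_ID directly under the organization.
PARENT: Dict[str, Optional[str]] = {
    "organizations/ORGANIZATION_ID": None,
    "folders/VALUE_A": "organizations/ORGANIZATION_ID",
    "projects/VALUE_B": "folders/VALUE_A",
    "projects/VALUE_C": "folders/VALUE_A",
    "projects/PROJECT_ID": "organizations/ORGANIZATION_ID",
}


@dataclass
class ListPolicy:
    """The fields of /tmp/policy.yaml and /tmp/restore-policy.yaml in the guide."""
    denied_values: List[str] = field(default_factory=list)
    inherit_from_parent: bool = False
    restore_default: bool = False


def ancestors(resource: str) -> List[str]:
    """The resource itself first, the organization last."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT.get(resource)
    return chain


def effective_denied(resource: str, policies: Dict[str, ListPolicy]) -> List[str]:
    """deniedValues that describe --effective would report for `resource`.

    Walks from the resource towards the organization. A resource with no policy
    inherits its parent's (guide: "A resource without an organization policy set
    will inherit any policy of its parent resource"). restoreDefault resets to
    the constraint default, which the guide assumes allows all values.
    inheritFromParent: true merges the resource's values with the inherited ones.
    Assumption not stated in the guide: a policy without inheritFromParent
    replaces the inherited values instead of merging with them."""
    levels: List[List[str]] = []
    for r in ancestors(resource):
        policy = policies.get(r)
        if policy is None:
            continue
        if policy.restore_default:
            break
        levels.append(policy.denied_values)
        if not policy.inherit_from_parent:
            break
    merged: List[str] = []
    for values in reversed(levels):  # parent values first, as in the guide's output
        merged.extend(v for v in values if v not in merged)
    return merged


def effective_policy(resource: str, policies: Dict[str, ListPolicy]) -> dict:
    """Shape the result like the YAML that describe --effective prints."""
    denied = effective_denied(resource, policies)
    if not denied:
        return {"constraint": CONSTRAINT, "listPolicy": {"allValues": "ALLOW"}}
    return {"constraint": CONSTRAINT, "listPolicy": {"deniedValues": denied}}


def is_denied(denied_values: List[str], value: str) -> bool:
    """True if `value` (a resource name such as projects/VALUE_B) is covered by
    the effective list: an exact entry, or an `under:` entry naming the value
    or one of its ancestors in the hierarchy."""
    for entry in denied_values:
        if entry.startswith("under:"):
            if entry[len("under:"):] in ancestors(value):
                return True
        elif entry == value:
            return True
    return False


if __name__ == "__main__":
    org, proj = "organizations/ORGANIZATION_ID", "projects/PROJECT_ID"
    policies = {org: ListPolicy(["VALUE_A"]),
                proj: ListPolicy(["VALUE_B", "VALUE_C"], inherit_from_parent=True)}
    print(effective_policy(proj, policies))   # A, B and C denied, as in the merge section
    policies[proj] = ListPolicy(restore_default=True)
    print(effective_policy(proj, policies))   # allValues: ALLOW, as in the restore section
```

The practical use is as a check before applying a project-level policy: run the intended /tmp/policy.yaml through the model first and confirm that the parent's denied values survive the merge, since a file that omits inheritFromParent: true would drop them for that subtree.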
    

Using boolean constraints in organization policy

Set up enforcement on the organization resource

You can set an organization policy on your organization resource to enforce a boolean constraint.

  1. Get the current policy on the organization resource by using the describe command:

    gcloud beta resource-manager org-policies describe \
      BOOLEAN_CONSTRAINT --organization ORGANIZATION_ID
    

    Where ORGANIZATION_ID is the unique identifier for the organization resource. You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

    Because a policy isn't set, an incomplete policy is returned, like the following example:

    booleanPolicy: {}
    constraint: "constraints/BOOLEAN_CONSTRAINT"
    

  2. Set the policy to enforce on the organization using the enable-enforce command:

    gcloud beta resource-manager org-policies enable-enforce \
      BOOLEAN_CONSTRAINT --organization ORGANIZATION_ID
    

    The output of the command will be:

    booleanPolicy:
      enforced: true
    constraint: constraints/BOOLEAN_CONSTRAINT
    etag: BwVJitxdiwY=
    

  3. View the current effective policy using describe --effective:

    gcloud beta resource-manager org-policies describe \
      BOOLEAN_CONSTRAINT --effective \
      --organization ORGANIZATION_ID
    

    The output of the command will be:

    booleanPolicy:
      enforced: true
    constraint: constraints/BOOLEAN_CONSTRAINT
    

Override the organization policy for a project

To override the organization policy for a project, set a policy that disables enforcement of the boolean constraint to all resources in the hierarchy below the project.

  1. Get the current policy on the resource to show it's empty.

    gcloud beta resource-manager org-policies describe \
      BOOLEAN_CONSTRAINT --project PROJECT_ID
    

    Where PROJECT_ID is the unique identifier of your project. The output of the command will be:

    booleanPolicy: {}
    constraint: "constraints/BOOLEAN_CONSTRAINT"
    

  2. Get the effective policy on the project, which confirms that the constraint is being enforced at this project.

    gcloud beta resource-manager org-policies describe \
      BOOLEAN_CONSTRAINT --effective \
      --project PROJECT_ID
    

    The output of the command will be:

    booleanPolicy:
      enforced: true
    constraint: constraints/BOOLEAN_CONSTRAINT
    

  3. Set the policy on the project to not enforce the constraint, using the disable-enforce command:

    gcloud beta resource-manager org-policies disable-enforce \
      BOOLEAN_CONSTRAINT --project PROJECT_ID
    

    The output of the command will be:

    booleanPolicy: {}
    constraint: constraints/BOOLEAN_CONSTRAINT
    etag: BwVJivdnXvM=
    

  4. Get the effective policy to show that it is no longer enforced on the project.

    gcloud beta resource-manager org-policies describe \
      --effective \
      BOOLEAN_CONSTRAINT --project PROJECT_ID
    

    The output of the command will be:

    booleanPolicy: {}
    constraint: constraints/BOOLEAN_CONSTRAINT
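The boolean steps above show that the nearest policy on the path to the organization decides whether the constraint is enforced, and that a project-level disable-enforce silently exempts that project's subtree from an organization-wide setting. The following example, added for this guide and not the service's own evaluator, models that rule and adds an audit that lists every resource where an ancestor's enforcement has been switched off; the hierarchy, the policy mapping and the function names are this example's constructions.

```python
"""Boolean-constraint inheritance as this guide shows it, plus an audit that
lists resources where an ancestor's enforcement has been switched off with
disable-enforce. Example code added for this guide; it is a model written from
the describe --effective outputs above, not the service's own evaluator. The
hierarchy and the policies are constructed."""
from typing import Dict, List, Optional

CONSTRAINT = "constraints/BOOLEAN_CONSTRAINT"

# Constructed hierarchy: a folder with one project, and PROJECT_ID directly
# under the organization.
PARENT: Dict[str, Optional[str]] = {
    "organizations/ORGANIZATION_ID": None,
    "folders/FOLDER_ID": "organizations/ORGANIZATION_ID",
    "projects/PROJECT_IN_FOLDER": "folders/FOLDER_ID",
    "projects/PROJECT_ID": "organizations/ORGANIZATION_ID",
}

# A policy is the booleanPolicy object from the guide's output: {"enforced": True}
# after enable-enforce, {} after disable-enforce. A resource missing from the
# mapping has no policy set and inherits its parent's.
Policies = Dict[str, dict]


def effective_enforced(resource: str, policies: Policies) -> bool:
    """The nearest policy on the path to the organization decides. With no policy
    anywhere the effective policy is the constraint default, which the guide's
    final describe --effective output shows as booleanPolicy: {} (not enforced)."""
    while resource is not None:
        if resource in policies:
            return bool(policies[resource].get("enforced", False))
        resource = PARENT.get(resource)
    return False


def effective_policy(resource: str, policies: Policies) -> dict:
    """Shape the answer like the YAML that describe --effective prints."""
    boolean = {"enforced": True} if effective_enforced(resource, policies) else {}
    return {"booleanPolicy": boolean, "constraint": CONSTRAINT}


def overrides(policies: Policies) -> List[str]:
    """Resources whose own policy turns enforcement off while their parent's
    effective policy enforces it: the override from step 3 above. Each entry is
    a subtree where the organization-wide guard does not apply, so the list is
    what an administrator should review."""
    found = []
    for resource, policy in policies.items():
        if policy.get("enforced", False):
            continue
        parent = PARENT.get(resource)
        if parent is not None and effective_enforced(parent, policies):
            found.append(resource)
    return sorted(found)


if __name__ == "__main__":
    policies: Policies = {"organizations/ORGANIZATION_ID": {"enforced": True},
                          "projects/PROJECT_ID": {}}
    print(effective_policy("projects/PROJECT_ID", policies))  # booleanPolicy: {}
    print("overrides:", overrides(policies))                  # ['projects/PROJECT_ID']
```

Feeding the audit with real data means running describe (without --effective) for the constraint on each organization, folder and project and recording which resources return an enforced value, which return an empty booleanPolicy, and which have no policy set at all; the distinction between the last two is exactly what makes a disable-enforce override visible.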
    

Delete an organization policy

You can delete an organization policy from a resource. A resource without an organization policy set will inherit any policy of its parent resource. If you delete the organization policy on the organization resource, the effective policy will be the constraint's default behavior.

The following steps describe how to delete an organization policy on an organization and a project:

  1. Delete the policy from the organization resource using the delete command:

    gcloud beta resource-manager org-policies delete \
      BOOLEAN_CONSTRAINT --organization ORGANIZATION_ID
    

    Where ORGANIZATION_ID is a unique identifier for the organization resource. The output of the command will be:

    Deleted [<Empty>].
    

  2. Get the effective policy on the organization to verify it's not enforced:

    gcloud beta resource-manager org-policies describe \
      --effective \
      BOOLEAN_CONSTRAINT --organization ORGANIZATION_ID
    

    The output of the command will be:

    booleanPolicy: {}
    constraint: constraints/BOOLEAN_CONSTRAINT
    

  3. Delete the organization policy from the project using the delete command:

    gcloud beta resource-manager org-policies delete \
      BOOLEAN_CONSTRAINT --project PROJECT_ID
    

    The output of the command will be:

    Deleted [<Empty>].
    

  4. Get the effective policy on the project to verify it's not enforced:

    gcloud beta resource-manager org-policies describe \
      BOOLEAN_CONSTRAINT --effective \
      --project PROJECT_ID
    

    Where the PROJECT_ID is the unique identifier of your project. The output of the command will be:

    booleanPolicy: {}
    constraint: constraints/BOOLEAN_CONSTRAINT
    
