This page describes the prerequisites for egress proxy configuration, how to get the organization ID, add the organization restrictions header, and configure the proxy with the list of target URLs.
Google Cloud administrators and the egress proxy administrators who configure the egress proxy must work together to configure organization restrictions. For information about partner solutions that are validated with organization restrictions, see Validated partner solutions.
Before you begin
If you're an egress proxy administrator, before you configure the egress proxy to add the organization restrictions header, you must complete the following prerequisites:
If the Google Cloud administrator and egress proxy administrator roles are different in your organization, ensure that the Google Cloud administrator engages with the egress proxy administrator to configure the egress proxy.
Configure your organization firewall rules or configure the managed devices to ensure that the outbound traffic from all users in your organization passes through the egress proxy.
Ensure that the egress proxy in your organization has the following features:
- Insert headers. Inserts a custom HTTP header to outbound requests traversing through the egress proxy.
- TLS inspection. If the traffic to the egress proxy is encrypted, the egress proxy must decrypt the packets, insert the header, and re-encrypt the packet before sending it to the target.
- Filter and insert headers. Optional. Supports one or more of the following filters and then adds the header only for requests that match the filter condition:
- Target URLs. A list of target URLs that the egress proxy can match.
- Device IDs. A list of device IDs that the egress proxy can match. The device IDs must be propagated to the egress proxy.
- User IDs. A list of user IDs that the egress proxy can match. The user IDs must be propagated to the egress proxy.
Get the organization ID
As a Google Cloud administrator, you must get the Google Cloud organization ID so that it can be added to the organization restrictions header.
To find your organization resource ID, run the following command:
gcloud organizations list
This command lists all the organization resources to which you belong, and their corresponding organization resource IDs.
After getting the organization ID, you can either add the organization restrictions header or engage with the egress proxy administrator to add the header.
Add the organization restrictions header
As an egress proxy administrator, to add the organization restrictions header to outbound requests, do the following:
- Create the header.
- Encode the header.
- Configure the egress proxy.
Create the header
Create the JSON representation for the header in the following format:
X-Goog-Allowed-Resources: HEADER_VALUE
HEADER_VALUE contains a comma-separated list of authorized Google Cloud organization IDs. The value must then be encoded in web-safe base64 encoding.
HEADER_VALUE has the following JSON structure:
{
"resources": [string,..],
"options": string
}
- resources. A list of strings. Each string in this list must refer to a Google Cloud organization ID. Organization IDs in this list are considered authorized organizations during evaluation.
- options. A string that contains one of the following values:
- "strict". Enforces the organization restrictions header for all request types to the supported Google Cloud services.
- "cloudStorageReadAllowed". Allows read requests to Cloud Storage but enforces the organization restrictions header for all other request types to the supported Google Cloud services. This option allows access for the following Cloud Storage read operations:
- storage.objects.get
- storage.objects.list
- storage.objects.getIamPolicy
- storage.buckets.get
- storage.buckets.list
- storage.buckets.getIamPolicy
To demonstrate this option, consider an example where Alex is the administrator of Example Organization and Lee is an employee of this organization. Consider a website such as altostrat.com that stores static content in public Cloud Storage buckets and is outside Example Organization. If Alex uses the strict option to restrict Lee's access only to Example Organization, Lee is denied access to static content in altostrat.com, which exists in public Cloud Storage buckets owned by altostrat.com. This behavior affects Lee's ability to browse the website effectively, and the same behavior is experienced for any website that uses public Cloud Storage to store static content.
To enable Lee to view the static content in altostrat.com and restrict all other Google Cloud access only to Example Organization, Alex uses the cloudStorageReadAllowed option.
Here's an example of a valid organization restrictions header:
{
"resources": ["organizations/1234", "organizations/3456"],
"options": "strict"
}
Encode the header
Encode the header value (the JSON containing the organization IDs) in web-safe base64 format. The encoding must follow the RFC 4648 Section 5 specification.
For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, to encode the file, run the following basenc command:
$ cat authorized_orgs.json | basenc --base64url -w0
ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
Here's an example header after encoding the organization ID:
// Encoded representation
X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
// Plain-text representation (As HTTP disallows some characters, encode the organization ID)
// Plain-text representation is included here only for readability
X-Goog-Allowed-Resources: {"resources": ["organizations/1234", "organizations/3456"], "options": "strict"}
Configure the egress proxy
To insert the header into requests originating from the managed devices, configure the egress proxy.
Ensure that if a Google Cloud user in your organization explicitly supplies this HTTP header, the egress proxy overrides the user-supplied value with the value provided by the Google Cloud administrator.
To avoid adding this header to targets outside of Google Cloud, configure the egress proxy to add the organization restrictions header only to requests whose targets match the following patterns:
*.google.com
*.googleapis.com
*.gcr.io
*.pkg.dev
*.cloudfunctions.net
*.run.app
*.tunnel.cloudproxy.app
*.datafusion.googleusercontent.com
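The following Python script is an added example, not code from this page or from Google: it builds and web-safe base64-encodes the X-Goog-Allowed-Resources value for a list of organization IDs (the "Create the header" and "Encode the header" steps), decodes a value back for verification, and shows the proxy-side decision of the "Configure the egress proxy" step: set the header (overriding any user-supplied one) only when the request host falls under the target patterns listed above. The function names and the host-matching logic are this example's own assumptions; the target list is the page's.

```python
import base64
import json

HEADER_NAME = "X-Goog-Allowed-Resources"
VALID_OPTIONS = {"strict", "cloudStorageReadAllowed"}
# Target patterns from the page: only these hosts should receive the header.
HEADER_TARGETS = [
    "*.google.com", "*.googleapis.com", "*.gcr.io", "*.pkg.dev",
    "*.cloudfunctions.net", "*.run.app", "*.tunnel.cloudproxy.app",
    "*.datafusion.googleusercontent.com",
]


def build_header_value(org_ids, option="strict"):
    """Return the RFC 4648 section 5 (URL-safe base64) encoding of the header JSON."""
    if option not in VALID_OPTIONS:
        raise ValueError(f"unsupported option: {option}")
    resources = []
    for org in org_ids:
        # Accept a bare numeric ID or the "organizations/<id>" resource name.
        org_id = org.split("/", 1)[1] if org.startswith("organizations/") else org
        if not org_id.isdigit():
            raise ValueError(f"not a Google Cloud organization ID: {org}")
        resources.append(f"organizations/{org_id}")
    payload = json.dumps({"resources": resources, "options": option})
    return base64.urlsafe_b64encode(payload.encode()).decode()


def decode_header_value(value):
    """Decode an encoded header value back into its JSON object (for verification)."""
    return json.loads(base64.urlsafe_b64decode(value.encode()))


def host_matches_targets(host, targets=HEADER_TARGETS):
    """True if host is a subdomain covered by one of the '*.example' patterns."""
    host = host.lower().rstrip(".")
    # "*.google.com" covers "storage.google.com" but not "evil-google.com".
    return any(host.endswith(p[1:]) for p in targets if p.startswith("*."))


def apply_org_restrictions(headers, host, org_ids, option="strict"):
    """Proxy-side step: return headers with the admin-supplied value on Google
    Cloud targets (replacing any user-supplied value); other hosts are untouched."""
    if not host_matches_targets(host):
        return dict(headers)
    out = {k: v for k, v in headers.items() if k.lower() != HEADER_NAME.lower()}
    out[HEADER_NAME] = build_header_value(org_ids, option)
    return out
```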
For information about error messages that occur due to organization restrictions violations, see error messages.
What's next
- Learn about using organization restrictions.