Test an organization restrictions header before configuring an egress proxy

This page describes how Google Cloud administrators can test organization restrictions without having to configure an egress proxy.

To create and test the organization restrictions header, do the following:

  1. To get the Google Cloud organization ID of the organization, use the gcloud organizations list command:

        gcloud organizations list
    

    The following is example output:

        DISPLAY_NAME: Organization A
        ID: 123456789
        DIRECTORY_CUSTOMER_ID: a1b2c3d4
    
  2. After you get the organization ID, compose the JSON representation for the header value in the following format:

        {
          "resources": ["organizations/123456789"],
          "options": "strict"
        }
    
  3. Encode the header value as base64url, following the RFC 4648 Section 5 specification.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, the following commands produce the encoded value by using basenc:

        $ OR_HEADER=`cat authorized_orgs.json | basenc --base64url -w0`
        $ echo $OR_HEADER
        ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXQogIm9wdGlvbnMiOiAic3RyaWN0Igp9Cgo=
    
  4. To test whether the header allows access to a resource within an authorized Google Cloud organization, send a curl request to such a resource. The following is an example curl request:

        # Get auth token
        $ TOKEN=$(gcloud auth print-access-token)

        # Make a request that includes the organization restriction header; this call makes a request to the logging API for a project within the same organization listed in the header
        $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST -d '{"projectIds": ["my-project-123"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
        # A successful request returns log entries in this project
    
  5. To test whether the header denies access to a resource outside the authorized Google Cloud organization, send a curl request to such a resource. The following is an example curl request:

        # Get auth token
        $ TOKEN=$(gcloud auth print-access-token)

        # Make a request that includes the organization restriction header; this call makes a request to the logging API for a project not within the same organization listed in the header
        $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST -d '{"projectIds": ["other-project-123"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
        {
          "error": {
            "code": 403,
            "message": "Access denied by organization restriction. Contact your administrator for additional information.",
            "status": "PERMISSION_DENIED",
            "details": [
              {
                "@type": "type.googleapis.com/google.rpc.ErrorInfo",
                "reason": "ORG_RESTRICTION_VIOLATION",
                "domain": "googleapis.com",
                "metadata": {
                  "service": "logging.googleapis.com",
                  "consumer": "other-project-123"
                }
              }
            ]
          }
        }

    A PERMISSION_DENIED error with the reason ORG_RESTRICTION_VIOLATION indicates that the organization restriction denied the request to the resource.
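The header construction from steps 2 and 3 and the denial check from step 5, as an added Python example that is not part of this page: it builds the X-Goog-Allowed-Resources value with the standard library instead of basenc, validates a header value before an egress proxy injects it, and recognizes the ORG_RESTRICTION_VIOLATION error body. The function names are assumptions; the JSON is serialized compactly, so the encoded string differs from the basenc output above while decoding to the same resources and options.

```python
import base64
import json

ORG_PREFIX = "organizations/"


def build_org_restriction_header(org_ids, options="strict"):
    """Build the X-Goog-Allowed-Resources value: compact JSON, base64url per RFC 4648 s5."""
    payload = {"resources": [ORG_PREFIX + str(o) for o in org_ids], "options": options}
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_org_restriction_header(value):
    """Decode a header value and check its shape; raise ValueError if it is malformed."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError(f"not base64url-encoded JSON: {exc}") from None
    if not isinstance(payload, dict) or set(payload) != {"resources", "options"}:
        raise ValueError("header must contain exactly 'resources' and 'options'")
    resources = payload["resources"]
    if not isinstance(resources, list) or not resources:
        raise ValueError("'resources' must be a non-empty list")
    for res in resources:
        if not (isinstance(res, str) and res.startswith(ORG_PREFIX)
                and res[len(ORG_PREFIX):].isdigit()):
            raise ValueError(f"unexpected resource name: {res!r}")
    return payload


def org_restriction_denial(response_body):
    """Return the consumer project named in an ORG_RESTRICTION_VIOLATION 403, else None."""
    try:
        error = json.loads(response_body)["error"]
        if error.get("status") != "PERMISSION_DENIED":
            return None
        for detail in error.get("details", []):
            if detail.get("reason") == "ORG_RESTRICTION_VIOLATION":
                return detail.get("metadata", {}).get("consumer")
    except (ValueError, KeyError, TypeError, AttributeError):
        pass
    return None


if __name__ == "__main__":
    header = build_org_restriction_header(["123456789"])  # constructed org ID from the page
    print("X-Goog-Allowed-Resources:", header)
    print(decode_org_restriction_header(header))
```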
