This page describes how Google Cloud administrators can test organization restrictions without having to configure an egress proxy.
To create and test the organization restrictions header, do the following:
To get the Google Cloud organization ID of the organization, use the
gcloud organizations list
command:gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization A ID: 123456789 DIRECTORY_CUSTOMER_ID: a1b2c3d4
After you get the organization ID, compose the JSON representation for the header value in the following format:
{ "resources": ["organizations/123456789"], "options": "strict" }
Encode the value for the request header by following the RFC 4648 Section 5 specifications.
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json
file, the following is the encoding through basenc:$ OR_HEADER=`cat authorized_orgs.json | basenc --base64url -w0` $ echo $OR_HEADER ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXQogIm9wdGlvbnMiOiAic3RyaWN0Igp9Cgo=
To test whether header configuration allows access to a resource within an authorized Google Cloud organization, create a curl request to a resource within an authorized Google Cloud organization. Here is an example curl request:
# Get auth token $ TOKEN=$(gcloud auth print-access-token) # Make a request that includes the organization restriction header; this call makes a request to the logging API for a project within the same organization listed in the header $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST -d '{"projectIds": ["my-project-123"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list" # A successful request returns log entries in this project
To test whether header configuration denies access to a resource that is outside the authorized Google Cloud organization, create a curl request to a resource outside an authorized Google Cloud organization. Here is an example curl request:
# Get auth token $ TOKEN=$(gcloud auth print-access-token) # Make a request that includes the organization restriction header; this call makes a request to the logging API for a project not within the same organization listed in the header $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST -d '{"projectIds": ["other-project-123"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list" { "error": { "code": 403, "message": "Access denied by organization restriction. Contact your administrator for additional information.", "status": "PERMISSION_DENIED", "details": [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "ORG_RESTRICTION_VIOLATION", "domain": "googleapis.com", "metadata": { "service": "logging.googleapis.com", "consumer": "other-project-123" } } ] } }
An access denied error message indicates that the request to the resource is denied.
What's next
- Learn about using organization restrictions.
- Learn about the services supported by organization restrictions.