# Test an organization restrictions header before configuring an egress proxy

Last updated: 2025-09-04 (UTC).

This page describes how Google Cloud administrators can test organization restrictions
without having to configure an egress proxy.

To create and test the organization restrictions header, do the following:

1. To get the Google Cloud organization ID, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):

   ```
   gcloud organizations list
   ```

   The following is example output:

   ```
   DISPLAY_NAME: Organization A
   ID: 123456789
   DIRECTORY_CUSTOMER_ID: a1b2c3d4
   ```

2. After you get the organization ID, compose the JSON representation for the header
   value in the following format:

   ```
   {
     "resources": ["organizations/123456789"],
     "options": "strict"
   }
   ```

3. Encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).

   For example, if the JSON representation for the header value is stored in the
   `authorized_orgs.json` file, the following is the encoding through [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html):

   ```
   $ OR_HEADER=$(basenc --base64url -w0 authorized_orgs.json)
   $ echo "$OR_HEADER"
   ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXQogIm9wdGlvbnMiOiAic3RyaWN0Igp9Cgo=
   ```

4. To test whether the header configuration allows access to a resource within an authorized
   Google Cloud organization, create a curl request to a resource within an authorized
   Google Cloud organization.
   Here is an example curl request:

   ```
   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call
   # makes a request to the logging API for a project within the same organization
   # listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST \
       -d '{"projectIds": ["my-project-123"]}' \
       -H 'Content-Type: application/json' \
       -H "Authorization: Bearer ${TOKEN}" \
       "https://logging.googleapis.com/v2/entries:list"
   # A successful request returns log entries in this project
   ```

5. To test whether the header configuration denies access to a resource that is outside the authorized
   Google Cloud organization, create a curl request to a resource outside an authorized
   Google Cloud organization.
   Here is an example curl request:

   ```
   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call
   # makes a request to the logging API for a project not within the same
   # organization listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST \
       -d '{"projectIds": ["other-project-123"]}' \
       -H 'Content-Type: application/json' \
       -H "Authorization: Bearer ${TOKEN}" \
       "https://logging.googleapis.com/v2/entries:list"

   {
     "error": {
       "code": 403,
       "message": "Access denied by organization restriction. Contact your administrator for additional information.",
       "status": "PERMISSION_DENIED",
       "details": [
         {
           "@type": "type.googleapis.com/google.rpc.ErrorInfo",
           "reason": "ORG_RESTRICTION_VIOLATION",
           "domain": "googleapis.com",
           "metadata": {
             "service": "logging.googleapis.com",
             "consumer": "other-project-123"
           }
         }
       ]
     }
   }
   ```

   An access denied error message indicates that the request to the resource is denied.

What's next
-----------

- Learn about [using organization restrictions](/resource-manager/docs/organization-restrictions/examples-org-restrictions).
- Learn about the [services supported by organization restrictions](/resource-manager/docs/organization-restrictions/supported-services).
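As an added example (not part of the original page or of Google's tooling), the following Python code builds the header value described in steps 2 and 3 and checks a candidate value before it is used: it must use the base64url alphabet, decode to JSON, and name only the organizations you intend to authorize. The function names, the second organization ID and the two failing sample values are constructed for illustration.

```python
import base64
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]*={0,2}")  # RFC 4648 section 5 alphabet plus padding


def build_header(org_ids):
    """Base64url-encode the JSON header value (format from step 2) for these org IDs."""
    doc = {"resources": [f"organizations/{i}" for i in org_ids], "options": "strict"}
    return base64.urlsafe_b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def check_header(value, expected_org_ids):
    """Return a list of problems with a header value; an empty list means it passed."""
    if not B64URL.fullmatch(value):
        return ["value contains characters outside the base64url alphabet"]
    try:
        doc = json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"value does not decode to JSON: {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("resources"), list):
        return ["decoded JSON has no 'resources' list"]
    want = {f"organizations/{i}" for i in expected_org_ids}
    got = {str(r) for r in doc["resources"]}
    problems = [f"unexpected resource authorized: {r}" for r in sorted(got - want)]
    problems += [f"expected resource missing: {r}" for r in sorted(want - got)]
    if doc.get("options") != "strict":  # the only value the format in step 2 shows
        problems.append("'options' is not 'strict'")
    return problems


# Constructed sample: the comma between the two fields is missing, so it is not JSON.
BROKEN = base64.urlsafe_b64encode(
    b'{"resources": ["organizations/123456789"] "options": "strict"}'
).decode("ascii")
# Constructed sample: well-formed, but it also authorizes a second organization.
TOO_WIDE = build_header(["123456789", "987654321"])

if __name__ == "__main__":
    samples = {"good": build_header(["123456789"]), "broken": BROKEN, "too wide": TOO_WIDE}
    for name, value in samples.items():
        print(f"{name}: {check_header(value, ['123456789']) or 'ok'}")
```

Running the same check on the value that the egress proxy will inject catches a malformed or overly broad header before any request depends on it.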