Limiting target types

In some situations it might be preferable to limit the job target type. To do this, administrators who have the Organization Policy Administrator role can configure a policy to control what kind of job targets (HTTP, Pub/Sub, and/or App Engine HTTP) can be created in their organization.

Console

  1. Visit the Organization policies page of the IAM & Admin section.

  2. From the top left dropdown, select the resource (organization or project) to which you wish to apply the constraint.

  3. Select Allowed target types for jobs from the list of Organization Policies.

  4. On the policy page, click the Edit button.

  5. Under Rules, open Add Rule.

    1. Select Custom for Policy values.

    2. Select Allow for Policy type.

    3. Add the type (PUBSUB, HTTP, or APPENGINE) to the allowlist.

    4. Click on New Policy Value to add multiple job types.

    5. Save to enforce the policy.

gcloud

  • To see the value of the constraint in an existing policy:

      gcloud resource-manager org-policies describe cloudscheduler.allowedTargetTypes --RESOURCE_TYPE=RESOURCE_ID
      

    Where RESOURCE_TYPE is either project, folder, or organization, depending on where in the hierarchy the policy is attached.

    This should return output similar to the following:

      constraint: constraints/cloudscheduler.allowedTargetTypes
      etag: ETAG_VALUE
      listPolicy:
        allowedValues:
        - PUBSUB
      updateTime: '2021-09-04T15:30:45.313018Z'

    Make a note of the ETAG_VALUE for the next step.

  • To create a policy.yaml file with the constraint:

      cat > policy.yaml <<EOF
      constraint: constraints/cloudscheduler.allowedTargetTypes
      etag: ETAG_VALUE
      listPolicy:
        allowedValues:
        - PUBSUB
      EOF

  • To set the policy:

      gcloud resource-manager org-policies set-policy --RESOURCE_TYPE=RESOURCE_ID policy.yaml

  • To delete the constraint:

      gcloud resource-manager org-policies delete --RESOURCE_TYPE=RESOURCE_ID \
        constraints/cloudscheduler.allowedTargetTypes
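
The describe, edit and set-policy steps above can be scripted so that the etag is carried over from the describe output and only the three documented target types can end up in policy.yaml. This is an added example, not part of the original documentation; the function names, the sample describe output and its etag value are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: build the policy.yaml body from `describe` output.
# Real use (assumes a project-level policy):
#   etag="$(gcloud resource-manager org-policies describe \
#       cloudscheduler.allowedTargetTypes --project=PROJECT_ID | extract_etag)"
#   render_policy "$etag" PUBSUB > policy.yaml

# Read `org-policies describe` YAML on stdin and print the top-level etag.
# Exits non-zero when no etag line is present.
extract_etag() {
  awk '/^etag:/ { print $2; found = 1; exit } END { exit !found }'
}

# Print a policy body that allows only the given target types.
# Every type is validated before anything is printed, so a typo can
# never produce a partial or over-permissive file.
render_policy() {
  local etag="$1"
  [ -n "$etag" ] && [ "$#" -ge 2 ] || {
    echo "usage: render_policy ETAG TYPE..." >&2; return 2; }
  shift
  local t
  for t in "$@"; do
    case "$t" in
      PUBSUB|HTTP|APPENGINE) ;;
      *) echo "unknown target type: $t" >&2; return 1 ;;
    esac
  done
  printf 'constraint: constraints/cloudscheduler.allowedTargetTypes\n'
  printf 'etag: %s\n' "$etag"
  printf 'listPolicy:\n  allowedValues:\n'
  printf '  - %s\n' "$@"
}

# Constructed sample of `describe` output (etag is a made-up value).
sample_describe() {
  cat <<'EOF'
constraint: constraints/cloudscheduler.allowedTargetTypes
etag: BwXConstructedEtag=
listPolicy:
  allowedValues:
  - PUBSUB
updateTime: '2021-09-04T15:30:45.313018Z'
EOF
}

# Demo: widen the sample policy from PUBSUB only to PUBSUB and HTTP.
render_policy "$(sample_describe | extract_etag)" PUBSUB HTTP
```

Redirect the output of render_policy to policy.yaml and pass that file to the set-policy command shown above.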