Managing dry run configurations

This page describes how you can manage the dry run configuration for your service perimeters. For information about managing service perimeters generally, see Managing service perimeters.

Before you begin

Enforcing a dry run configuration

When you're satisfied with the dry run configuration for a service perimeter, you can enforce that configuration. When a dry run configuration is enforced, it replaces the current enforced configuration for a perimeter, if one exists. If an enforced version of the perimeter doesn't exist, the dry run configuration is used as the initial enforced configuration for the perimeter.

After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. At the top of the VPC Service Controls page, click Dry Run Mode.

  3. In the list of service perimeters, click the name of the service perimeter that you want to enforce.

  4. On the VPC Service Perimeter Detail page, in the Dry run config section, click Enforce.

  5. When you are asked to confirm that you want to overwrite your existing enforced configuration, click Enforce.

gcloud

You can use the gcloud command-line tool to enforce the dry run configuration for an individual perimeter, as well as for all of your perimeters simultaneously.

Enforce one dry run configuration

To enforce the dry run configuration for a single perimeter, use the dry-run enforce command:

gcloud access-context-manager perimeters dry-run enforce PERIMETER_NAME \
  [--policy=POLICY_NAME]

Where:

  • PERIMETER_NAME is the name of the service perimeter whose dry run configuration you want to enforce.

  • POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.

Enforce all dry run configurations

To enforce the dry run configuration for all of your perimeters, use the dry-run enforce-all command:

gcloud access-context-manager perimeters dry-run enforce-all \
  [--etag=ETAG] \
  [--policy=POLICY_NAME]

Where:

  • ETAG is a string that represents the target version of your organization's access policy. If you do not include an etag, the enforce-all operation targets the latest version of your organization's access policy.

    To obtain the latest etag of your access policy, list your access policies.

  • POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.

API

To enforce the dry run configuration for all of your perimeters, call accessPolicies.servicePerimeters.commit.

Updating a dry run configuration

When you update a dry run configuration, you can modify the list of services, projects, and VPC accessible services, among other features of the perimeter.

After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. At the top of the VPC Service Controls page, click Dry Run Mode.

  3. In the list of service perimeters, click the name of the service perimeter that you want to edit.

  4. On the VPC Service Perimeter Detail page, in the Dry run config section, click Edit.

  5. On the Edit VPC Service Perimeter page, make changes to the dry run configuration for the service perimeter.

  6. Click Save.

gcloud

To add new projects to a perimeter, use the dry-run update command and specify the resources to add:

gcloud access-context-manager perimeters dry-run update PERIMETER_NAME \
  --add-resources=PROJECTS \
  [--policy=POLICY_NAME]

Where:

  • PERIMETER_NAME is the name of the service perimeter whose dry run configuration you want to update.

  • PROJECTS is a comma-delimited list of one or more project IDs. For example: projects/100712 or projects/100712,projects/233130.

  • POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.

To update the list of restricted services, use the dry-run update command and specify the services to add as a comma-delimited list:

gcloud access-context-manager perimeters dry-run update PERIMETER_NAME \
  --add-restricted-services=SERVICES \
  [--policy=POLICY_NAME]

Where:

  • PERIMETER_NAME is the name of the service perimeter whose dry run configuration you want to update.

  • SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
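Assembling the commands from the two gcloud procedures above (update the dry run configuration, then enforce it) as an added example that is not part of the Google Cloud documentation: the script builds the comma-delimited flag values, including the projects/ prefix, and prints the dry-run update command followed by the dry-run enforce command for review. The perimeter name, project numbers and policy ID are constructed placeholders, and nothing is executed.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Assembles the
# dry-run update and enforce commands described on this page; it prints
# them for review instead of calling gcloud, so it runs offline.

# Prefix bare project numbers with "projects/" and join with commas,
# e.g. 100712 233130 -> projects/100712,projects/233130
project_resources() {
  out=""
  for p in "$@"; do
    case "$p" in
      projects/*) r="$p" ;;
      *)          r="projects/$p" ;;
    esac
    out="${out:+$out,}$r"
  done
  printf '%s' "$out"
}

# Join service hostnames into the comma-delimited form the flag expects.
join_csv() {
  out=""
  for s in "$@"; do out="${out:+$out,}$s"; done
  printf '%s' "$out"
}

# dry-run update: arguments are perimeter, resources, services, policy.
# Empty resources/services skip that flag; --policy is added only when a
# policy is given (needed only when no default access policy is set).
dry_run_update_cmd() {
  cmd="gcloud access-context-manager perimeters dry-run update $1"
  [ -n "$2" ] && cmd="$cmd --add-resources=$2"
  [ -n "$3" ] && cmd="$cmd --add-restricted-services=$3"
  [ -n "$4" ] && cmd="$cmd --policy=$4"
  printf '%s' "$cmd"
}

# dry-run enforce for one perimeter: arguments are perimeter, policy.
dry_run_enforce_cmd() {
  cmd="gcloud access-context-manager perimeters dry-run enforce $1"
  [ -n "$2" ] && cmd="$cmd --policy=$2"
  printf '%s' "$cmd"
}

# Print the two-step rollout in order: stage changes in the dry run
# config first; enforce only after the dry run results were reviewed.
preview_rollout() {
  dry_run_update_cmd "$1" "$2" "$3" "$4"; echo
  dry_run_enforce_cmd "$1" "$4"; echo
}

# Constructed placeholder values (perimeter, project numbers, no policy).
preview_rollout my-perimeter "$(project_resources 100712 233130)" \
  "$(join_csv storage.googleapis.com bigquery.googleapis.com)" ""
```

Run the first printed command, wait for the change to propagate (up to 30 minutes) and review the dry run results, and only then run the second.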