Managing service perimeters

This page describes how you can manage service perimeters in VPC Service Controls. For details on creating new service perimeters, see Creating Service Perimeters.

Before you begin

If you are using the gcloud command-line tool or the Access Context Manager API to manage your service perimeters, you will need the name of your Organization's access policy. To obtain the access policy name, refer to the Access Context Manager documentation.

List and describe service perimeters

List all service perimeters in an Organization:

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to view.

gcloud

To list your organization's service perimeters, use the list command:

gcloud access-context-manager perimeters list \
  --policy=POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

You should see a list of the perimeters for your organization. For example:

NAME           TITLE
ProdPerimeter  Production Perimeter

To view details about a service perimeter, use the describe command:

gcloud access-context-manager perimeters \
  describe PERIMETER_NAME \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of the service perimeter that you want to obtain details about.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

You should see the details about the perimeter. For example:

accessLevels:
- accessPolicies/626111171578/accessLevels/corpAccess
resources:
- projects/111584792408
restrictedServices:
- bigquery.googleapis.com
- storage.googleapis.com
title: Production Perimeter

Updating a service perimeter

You can add Google Cloud projects to, or remove projects from, a service perimeter. You can change the list of restricted Google Cloud services. You can also change the Title and Description of a service perimeter. To do so, you need to provide the full list of resources.

This section describes how to update individual service perimeters. To update all of your organization's service perimeters in one operation, see Making bulk changes to service perimeters.

After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.

  3. On the Edit VPC Service Perimeter page, update the service perimeter.

  4. Click Save.

gcloud

To add new projects to a perimeter, use the update command and specify the resources to add:

gcloud access-context-manager perimeters update PERIMETER_NAME \
  --add-resources=PROJECTS \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of the service perimeter that you want to update.

  • PROJECTS is a comma-delimited list of one or more projects, each in the form projects/PROJECT_NUMBER. For example: projects/100712 or projects/100712,projects/233130.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:

gcloud access-context-manager perimeters update PERIMETER_NAME \
  --add-restricted-services=SERVICES \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of the service perimeter that you want to update.

  • SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
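As an added example (not part of this documentation), the following POSIX shell script parses the describe output shown earlier on this page, reports which services from a required set a perimeter does not yet restrict, and prints the corresponding update command for review instead of running it. SAMPLE_DESCRIBE is constructed from the page's own sample output; the required-services list and the perimeter and policy names passed to remediation_cmd are assumptions.

```shell
#!/bin/sh
# Drift check over `perimeters describe` output (added example, not Google's
# own tooling). SAMPLE_DESCRIBE is constructed from the YAML shape shown on
# this page; in practice, replace it with the output of:
#   gcloud access-context-manager perimeters describe PERIMETER_NAME --policy=POLICY_NAME
SAMPLE_DESCRIBE='accessLevels:
- accessPolicies/626111171578/accessLevels/corpAccess
resources:
- projects/111584792408
restrictedServices:
- bigquery.googleapis.com
- storage.googleapis.com
title: Production Perimeter'

# Print the list items under one top-level key of the describe output
# (e.g. restrictedServices), one per line. $1 = describe output, $2 = key.
yaml_list() {
  printf '%s\n' "$1" | awk -v key="$2" '
    BEGIN { k = key ":" }
    /^[A-Za-z]+:/ { inkey = ($0 == k); next }
    inkey && /^- / { sub(/^- /, ""); print }'
}

# Print every required service the perimeter does not restrict yet.
# $1 = describe output, $2 = space-separated list of required services.
missing_restricted_services() {
  current=$(yaml_list "$1" restrictedServices)
  for svc in $2; do
    printf '%s\n' "$current" | grep -qx "$svc" || printf '%s\n' "$svc"
  done
}

# Print the update command that would close the gap (not executed, so an
# operator reviews it first). Returns 1 when there is no drift.
# $1 = describe output, $2 = required services, $3 = perimeter, $4 = policy.
remediation_cmd() {
  missing=$(missing_restricted_services "$1" "$2" | paste -s -d ',' -)
  [ -n "$missing" ] || return 1
  printf 'gcloud access-context-manager perimeters update %s --add-restricted-services=%s --policy=%s\n' \
    "$3" "$missing" "$4"
}

# Assumed baseline: the two services already on the page plus Pub/Sub.
REQUIRED='bigquery.googleapis.com storage.googleapis.com pubsub.googleapis.com'
remediation_cmd "$SAMPLE_DESCRIBE" "$REQUIRED" ProdPerimeter 330193482019 \
  || echo "no drift: all required services are restricted"
```

Remember that after the printed update is applied, the describe output may not reflect it for up to 30 minutes, so a re-check that runs immediately can still report drift.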

Adding an access level to an existing perimeter

Once you have created an access level, you can apply it to a service perimeter to control access.

After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.

  3. On the Edit VPC Service Perimeter page, click the Choose Access Level box.

  4. Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.

  5. Click Save.

gcloud

To add an access level to an existing service perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_NAME \
  --add-access-levels=LEVEL_NAME \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of your service perimeter.

  • LEVEL_NAME is the name of the access level that you want to add to the perimeter.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Deleting a service perimeter

When you delete a service perimeter, the security controls associated with the perimeter no longer apply to the member Google Cloud projects. There is no other impact on the member Google Cloud projects or their resources.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.

  2. On the VPC Service Controls page, in the table row for the perimeter that you want to delete, click the delete button.

gcloud

To delete a service perimeter, use the delete command:

gcloud access-context-manager perimeters delete PERIMETER_NAME \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of your service perimeter.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.