Stay organized with collectionsSave and categorize content based on your preferences.
To validate its attestation token, Confidential Space needs to download
certificates from Cloud Storage buckets. If these buckets reside outside
your perimeter, you must configure the following egress rule:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eConfidential Space requires downloading certificates from Cloud Storage buckets, necessitating an egress rule for \u003ccode\u003estorage.googleapis.com\u003c/code\u003e with \u003ccode\u003egoogle.storage.objects.get\u003c/code\u003e method access to projects \u003ccode\u003e870449385679\u003c/code\u003e and \u003ccode\u003e180376494128\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003ecloud-shielded-ca-prod\u003c/code\u003e (project \u003ccode\u003e870449385679\u003c/code\u003e) project contains attestation certificates, while \u003ccode\u003ecloud-shielded-ca-prod-root\u003c/code\u003e (project \u003ccode\u003e180376494128\u003c/code\u003e) contains root certificates.\u003c/p\u003e\n"],["\u003cp\u003eIf the Compute Engine API is within a restricted perimeter, an egress rule must be created for \u003ccode\u003ecompute.googleapis.com\u003c/code\u003e, specifically allowing the \u003ccode\u003eInstancesService.Insert\u003c/code\u003e method to project \u003ccode\u003e30229352718\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe project \u003ccode\u003econfidential-space-images\u003c/code\u003e (project \u003ccode\u003e30229352718\u003c/code\u003e) houses the Confidential Space VM images.\u003c/p\u003e\n"]]],[],null,["# VPC Service Controls\n\n*** ** * ** ***\n\nTo validate its attestation token, Confidential Space needs to download certificates from Cloud Storage buckets. If these buckets reside outside your perimeter, you must configure the following egress rule:\n\n\u003cbr /\u003e\n\n - egressTo:\n operations:\n - serviceName: storage.googleapis.com\n methodSelectors:\n - method: google.storage.objects.get\n resources:\n - projects/870449385679\n - projects/180376494128\n egressFrom:\n identityType: ANY_IDENTITY\n\nThe following table lists the projects containing the necessary certificates:\n\nIf the Compute Engine API is restricted by your service perimeter, you must\ncreate the following egress rule: \n\n - egressTo:\n operations:\n - serviceName: compute.googleapis.com\n methodSelectors:\n - method: InstancesService.Insert\n resources:\n - projects/30229352718\n egressFrom:\n identityType: ANY_IDENTITY\n\nThe following table lists the project necessary to fetch Confidential Space VM\nimages:"]]
