This predefined role contains
the permissions required to manage organization policies. To see the exact permissions that are
required, expand theRequired permissionssection:
Required permissions
The following permissions are required to manage organization policies:
Click the switcher box at the top of the page, and choose the organization
to apply the constraint to. To apply the constraint to a project, select a
project instead.
In the filter box, enterrestrict non-confidential computing, and then
click theRestrict Non-Confidential Computingpolicy.
On thePolicy detailspage forRestrict Non-Confidential Computing,
clickeditManage policy.
In theApplies tosection, clickCustomize.
In thePolicy enforcementsection, choose one of the following
options:
Merge with parent.Merge your new policy setting with that of a
parent organization.
Replace.Replace the current policy setting and ignore that of the
parent organization.
In theRulessection, clickAdd a rule.
In thePolicy valuesbox, selectCustom, and set thePolicy typetoDeny.
In theCustom valuesbox, entercompute.googleapis.comas theAPI service nameyou want to
enforce the policy on.
Click the switcher box at the top of the page, and choose the organization
to apply the constraint to. To apply the constraint to a project, select a
project instead.
In the filter box, enterrestrict non-confidential computing, and then
click theRestrict Non-Confidential Computingpolicy.
On thePolicy detailspage forRestrict Non-Confidential Computing,
clickeditManage policy.
Click the rule to expand it.
In thePolicy valuesbox, selectAllow all, and then clickDone.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eYou can enforce the creation of only Confidential VM instances within your organization by using an organization policy constraint.\u003c/p\u003e\n"],["\u003cp\u003eManaging organization policies requires specific permissions, which are included in the Organization Policy Administrator IAM role, or can be configured in custom roles.\u003c/p\u003e\n"],["\u003cp\u003eThe constraint 'Restrict Non-Confidential Computing' can be enabled or disabled via the Google Cloud console or the gcloud command-line tool at the organization or project level.\u003c/p\u003e\n"],["\u003cp\u003eTo enable the constraint, set the policy type to 'Deny' and specify the API service name \u003ccode\u003ecompute.googleapis.com\u003c/code\u003e in the policy rules.\u003c/p\u003e\n"],["\u003cp\u003eTo verify the policy is working, attempt to create a VM instance and confirm that the Confidential VM service policy is being enforced.\u003c/p\u003e\n"]]],[],null,["# Enforce Confidential VM use\n\nTo make sure all VM instances created in your organization are Confidential VM\ninstances, you can use an\n[organization policy constraint](/resource-manager/docs/organization-policy/org-policy-constraints).\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to manage organization policies,\n\nask your administrator to grant you the\n\n\n[Organization Policy Administrator](/iam/docs/roles-permissions/orgpolicy#orgpolicy.policyAdmin) (`roles/orgpolicy.policyAdmin`)\nIAM role on the organization.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nThis predefined role contains\n\nthe permissions required to manage organization policies. To see the exact permissions that are\nrequired, expand the **Required permissions** section:\n\n\n#### Required permissions\n\nThe following permissions are required to manage organization policies:\n\n- ` orgpolicy.constraints.list `\n- ` orgpolicy.policies.create `\n- ` orgpolicy.policies.delete `\n- ` orgpolicy.policies.list `\n- ` orgpolicy.policies.update `\n- ` orgpolicy.policy.get `\n- ` orgpolicy.policy.set`\n\n\nYou might also be able to get\nthese permissions\nwith [custom roles](/iam/docs/creating-custom-roles) or\nother [predefined roles](/iam/docs/roles-overview#predefined).\n\nEnable the constraint\n---------------------\n\nTo enable the constraint on VM instances, complete the following instructions: \n\n### Console\n\n1. In the Google Cloud console, go to the **Organization policies** page:\n\n [Go to Organization policies](https://console.cloud.google.com/iam-admin/orgpolicies/list)\n2. Click the switcher box at the top of the page, and choose the organization\n to apply the constraint to. To apply the constraint to a project, select a\n project instead.\n\n3. In the filter box, enter `restrict non-confidential computing`, and then\n click the **Restrict Non-Confidential Computing** policy.\n\n4. On the **Policy details** page for **Restrict Non-Confidential Computing** ,\n click\n edit\n **Manage policy**.\n\n | **Note:** If edit **Manage policy** is disabled, you don't have [permission to set organization policy](#required-roles).\n5. In the **Applies to** section, click **Customize**.\n\n6. In the **Policy enforcement** section, choose one of the following\n options:\n\n - **Merge with parent.** Merge your new policy setting with that of a\n parent organization.\n\n - **Replace.** Replace the current policy setting and ignore that of the\n parent organization.\n\n7. In the **Rules** section, click **Add a rule**.\n\n8. In the **Policy values** box, select **Custom** , and set the\n **Policy type** to **Deny**.\n\n9. In the **Custom values** box, enter `compute.googleapis.com` as the\n [API service name](/apis/design/glossary#api_service_name) you want to\n enforce the policy on.\n\n10. Click **Done**.\n\n11. Click **Set policy**.\n\n### gcloud\n\n gcloud resource-manager org-policies deny \\\n constraints/compute.restrictNonConfidentialComputing compute.googleapis.com \\\n --organization=\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e\n\nProvide the following value:\n\n- \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e: The ID of the organization to add the\n constraint to.\n\n\n How to find a Google Cloud organization ID\n\n ### Console\n\n To find a Google Cloud organization ID, complete the following steps:\n 1. Go to the Google Cloud console.\n\n\n [Go to the Google Cloud console](https://console.cloud.google.com/)\n 2. Click the **switcher** box in the menu bar.\n 3. Click the **Select from** box, and then select your organization.\n 4. Click the **All** tab. The organization ID is shown next to the organization name.\n\n ### gcloud CLI\n\n You can retrieve a Google Cloud organization ID with the following command: \n\n ```bash\n gcloud organizations describe ORGANIZATION_NAME --format=\"value(name.segment(1))\"\n ```\n\n \u003cbr /\u003e\n\nTo apply the constraint at the project level instead of the organization\nlevel, use `--project=`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e instead of\n`--organization=`\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e.\n\nAlternatively, you can set policies with a policy file using\n[`set-policy` commands](/sdk/gcloud/reference/resource-manager/org-policies/set-policy).\n\nVerify the constraint\n---------------------\n\nTo verify the constraint:\n\n1. In the Google Cloud console, go to the **VM instances** page.\n\n [Go to VM instances](https://console.cloud.google.com/compute/instances)\n2. Click the project selector at the top of the page, and choose a project\n to create a VM in.\n\n3. Click **Create instance**.\n\n4. In the **Confidential VM service** section, verify that your policy is\n enforced.\n\n| **Note:** Organization policies can take a moment to propagate. If you don't see the change, wait a few moments, and then try again.\n\nDisable the constraint\n----------------------\n\nTo disable the constraint, complete the following instructions: \n\n### Console\n\n1. In the Google Cloud console, go to the **Organization policies** page:\n\n [Go to Organization policies](https://console.cloud.google.com/iam-admin/orgpolicies/list)\n2. Click the switcher box at the top of the page, and choose the organization\n to apply the constraint to. To apply the constraint to a project, select a\n project instead.\n\n3. In the filter box, enter `restrict non-confidential computing`, and then\n click the **Restrict Non-Confidential Computing** policy.\n\n4. On the **Policy details** page for **Restrict Non-Confidential Computing** ,\n click\n edit\n **Manage policy**.\n\n | **Note:** If edit **Manage policy** is disabled, you don't have [permission to set organization policy](#required-roles).\n5. Click the rule to expand it.\n\n6. In the **Policy values** box, select **Allow all** , and then click\n **Done**.\n\n7. Click **Set policy**.\n\n### gcloud\n\n gcloud resource-manager org-policies delete \\\n constraints/compute.restrictNonConfidentialComputing \\\n --organization=\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e\n\nProvide the following value:\n\n- \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e: The ID of the organization to delete the\n constraint from.\n\n\n How to find a Google Cloud organization ID\n\n ### Console\n\n To find a Google Cloud organization ID, complete the following steps:\n 1. Go to the Google Cloud console.\n\n\n [Go to the Google Cloud console](https://console.cloud.google.com/)\n 2. Click the **switcher** box in the menu bar.\n 3. Click the **Select from** box, and then select your organization.\n 4. Click the **All** tab. The organization ID is shown next to the organization name.\n\n ### gcloud CLI\n\n You can retrieve a Google Cloud organization ID with the following command: \n\n ```bash\n gcloud organizations describe ORGANIZATION_NAME --format=\"value(name.segment(1))\"\n ```\n\n \u003cbr /\u003e\n\nTo delete the constraint at the project level instead of the organization\nlevel, use `--project=`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e instead of\n`--organization=`\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e.\n\nAlternatively, you can set policies with a policy file using\n[`set-policy` commands](/sdk/gcloud/reference/resource-manager/org-policies/set-policy).\n\nWhat's next\n-----------\n\nTo learn more about the core concepts of organization policy:\n\n- Read the\n [overview of organization policy](/resource-manager/docs/organization-policy/overview).\n\n- Read about\n [what constraints are](/resource-manager/docs/organization-policy/understanding-constraints).\n\n- Read about\n [the available organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints).\n\n- Read how to\n [use constraints to create organization policies](/resource-manager/docs/organization-policy/using-constraints)."]]
