This page describes how you can manage the dry run configuration for your service perimeters. For information about managing service perimeters generally, see Managing service perimeters .
Before you begin
- Read Dry run mode.
- Set your default access policy for using the gcloud command-line tool.
  -or-
  Get the name of your policy. The policy name is required for commands using the gcloud command-line tool and for making API calls. If you set a default access policy, you do not need to specify the policy for the gcloud command-line tool.
Enforcing a dry run configuration
When you're satisfied with the dry run configuration for a service perimeter, you can enforce that configuration. When a dry run configuration is enforced, it replaces the current enforced configuration for a perimeter, if one exists. If an enforced version of the perimeter doesn't exist, the dry run configuration is used as the initial enforced configuration for the perimeter.
After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message: Error 403: Request is prohibited by organization's policy.
Console
- In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
- On the VPC Service Controls page, click Dry run mode.
- In the list of service perimeters, click the name of the service perimeter that you want to enforce.
- On the Service perimeter details page, click Enforce config.
- When you are asked to confirm that you want to overwrite your existing enforced configuration, click Confirm.
gcloud
You can use the gcloud command-line tool to enforce the dry run configuration for an individual perimeter, or for all of your perimeters at once.
Enforce one dry run configuration
To enforce the dry run configuration for a single perimeter, use the dry-run enforce command:

```
gcloud access-context-manager perimeters dry-run enforce PERIMETER_NAME \
  [--policy=POLICY_NAME]
```

Where:
- PERIMETER_NAME is the name of the service perimeter whose dry run configuration you want to enforce.
- POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
Enforce all dry run configurations
To enforce the dry run configuration for all of your perimeters, use the dry-run enforce-all command:

```
gcloud access-context-manager perimeters dry-run enforce-all \
  [--etag=ETAG] \
  [--policy=POLICY_NAME]
```

Where:
- ETAG is a string that represents the target version of your organization's access policy. If you do not include an etag, the enforce-all operation targets the latest version of your organization's access policy. To obtain the latest etag of your access policy, list your access policies.
- POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
API
To enforce the dry run configuration for all of your perimeters, call accessPolicies.servicePerimeters.commit.
Updating a dry run configuration
When you update a dry run configuration, you can modify the list of services, projects, and VPC accessible services, among other features of the perimeter.
After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message: Error 403: Request is prohibited by organization's policy.
Console
- In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
- On the VPC Service Controls page, click Dry run mode.
- In the list of service perimeters, click the name of the service perimeter that you want to edit.
- On the Service perimeter details page, click Edit.
- On the Edit service perimeter page, make changes to the dry run configuration of the service perimeter.
- Click Save.
gcloud
To add new projects to a perimeter, use the dry-run update command and specify the resources to add:

```
gcloud access-context-manager perimeters dry-run update PERIMETER_NAME \
  --add-resources=RESOURCES \
  [--policy=POLICY_NAME]
```

Where:
- PERIMETER_NAME is the name of the service perimeter whose dry run configuration you want to update.
- RESOURCES is a comma-separated list of one or more project numbers or VPC network names. For example: projects/12345 or //compute.googleapis.com/projects/my-project/global/networks/vpc1. Only projects and VPC networks are allowed. Project format: projects/<project_number>. VPC format: //compute.googleapis.com/projects/<project-id>/global/networks/<network_name>.
- POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
To update the list of restricted services, use the dry-run update command and specify the services to add as a comma-delimited list:

```
gcloud access-context-manager perimeters dry-run update PERIMETER_NAME \
  --add-restricted-services=SERVICES \
  [--policy=POLICY_NAME]
```

Where:
- PERIMETER_NAME is the name of the service perimeter whose dry run configuration you want to update.
- SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.
- POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
Identifying blocked requests
After you have created a dry run configuration, you can review logs to identify where the dry run configuration would deny access to services if enforced.
Console
- In the Google Cloud console navigation menu, click Logging, and then click Logs Explorer.
- In the Query field, input a query filter like the following filter, and then click Run query.

  ```
  log_id("cloudaudit.googleapis.com/policy") AND severity="error" AND protoPayload.metadata.dryRun="true"
  ```

- View the logs under Query results.
gcloud
To view logs using the gcloud CLI, run a command like the following:

```
gcloud logging read 'log_id("cloudaudit.googleapis.com/policy") AND severity="error" AND protoPayload.metadata.dryRun="true"'
```
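To triage what that filter returns before deciding whether a perimeter is ready to enforce, here is an added Python example (not code from this page or from Google) that applies the same severity and dryRun filter to entries as returned by gcloud logging read --format=json, groups the would-be denials per perimeter by principal, service, method and reason, and reports whether a perimeter had no hits. The sample entries are constructed, and every field name beyond severity and protoPayload.metadata.dryRun (serviceName, methodName, principalEmail, violationReason, securityPolicyInfo.servicePerimeterName) is an assumption about the audit-log schema.

```python
from collections import Counter, defaultdict

# Constructed sample entries in the JSON shape `gcloud logging read --format=json`
# returns. Field names other than severity and protoPayload.metadata.dryRun
# (serviceName, methodName, principalEmail, violationReason, securityPolicyInfo)
# are assumptions about the VPC Service Controls audit-log schema, not from the page.
LOG_NAME = "projects/example-proj/logs/cloudaudit.googleapis.com%2Fpolicy"
PERIM = "accessPolicies/123/servicePerimeters/prod"
SAMPLE_ENTRIES = [
    {"logName": LOG_NAME, "severity": "ERROR", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "google.storage.objects.get",
        "authenticationInfo": {"principalEmail": "etl@example-proj.iam.gserviceaccount.com"},
        "metadata": {"dryRun": True, "violationReason": "NO_MATCHING_ACCESS_LEVEL",
                     "securityPolicyInfo": {"servicePerimeterName": PERIM}}}},
    {"logName": LOG_NAME, "severity": "ERROR", "protoPayload": {
        "serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "metadata": {"dryRun": True, "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
                     "securityPolicyInfo": {"servicePerimeterName": PERIM}}}},
    # Enforced (not dry-run) denial: must NOT be counted by the dry-run filter.
    {"logName": LOG_NAME, "severity": "ERROR", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "google.storage.objects.list",
        "authenticationInfo": {"principalEmail": "etl@example-proj.iam.gserviceaccount.com"},
        "metadata": {"dryRun": False, "violationReason": "NO_MATCHING_ACCESS_LEVEL",
                     "securityPolicyInfo": {"servicePerimeterName": PERIM}}}},
]

def is_dry_run_denial(entry):
    # Mirror the page's filter: policy audit log, severity ERROR, dry-run verdict.
    # Accept both the JSON boolean and the string "true" the Logs Explorer query uses.
    meta = entry.get("protoPayload", {}).get("metadata", {})
    return (entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Fpolicy")
            and entry.get("severity") == "ERROR"
            and meta.get("dryRun") in (True, "true"))

def summarize_denials(entries):
    # Per perimeter, count each distinct (principal, service, method, reason) access
    # path that the dry-run configuration would have blocked.
    by_perimeter = defaultdict(Counter)
    for e in filter(is_dry_run_denial, entries):
        p, m = e["protoPayload"], e["protoPayload"]["metadata"]
        name = m["securityPolicyInfo"]["servicePerimeterName"].rsplit("/", 1)[-1]
        by_perimeter[name][(p["authenticationInfo"]["principalEmail"], p["serviceName"],
                            p["methodName"], m["violationReason"])] += 1
    return dict(by_perimeter)

def safe_to_enforce(entries, perimeter):
    # No would-be denials in the reviewed window means enforcing should not break
    # traffic that currently succeeds; any hit is something to fix or allow first.
    return perimeter not in summarize_denials(entries)
```

Pipe the output of the gcloud logging read command above through json.load and pass the resulting list to summarize_denials to review real entries.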

