Console
    Contact Us Start free

    VPC Service Controls

    To validate its attestation token, Confidential Space needs to download certificates from Cloud Storage buckets. If these buckets reside outside your perimeter, you must configure the following egress rule: 
      - 
  
 egressTo 
 : 
  
 operations 
 : 
  
 - 
  
 serviceName 
 : 
  
 storage.googleapis.com 
  
 methodSelectors 
 : 
  
 - 
  
 method 
 : 
  
 google.storage.objects.get 
  
 resources 
 : 
  
 - 
  
 projects/870449385679 
  
 - 
  
 projects/180376494128 
  
 egressFrom 
 : 
  
 identityType 
 : 
  
 ANY_IDENTITY

    The following table lists the projects containing the necessary certificates:

    Project ID Project number Description
    cloud-shielded-ca-prod
    		 870449385679 Project containing attestation certificates
    cloud-shielded-ca-prod-root
    		 180376494128 Project containing root certificates

    If the Compute Engine API is restricted by your service perimeter, you must create the following egress rule:

      - 
  
 egressTo 
 : 
  
 operations 
 : 
  
 - 
  
 serviceName 
 : 
  
 compute.googleapis.com 
  
 methodSelectors 
 : 
  
 - 
  
 method 
 : 
  
 InstancesService.Insert 
  
 resources 
 : 
  
 - 
  
 projects/30229352718 
  
 egressFrom 
 : 
  
 identityType 
 : 
  
 ANY_IDENTITY

    The following table lists the project necessary to fetch Confidential Space VM images:

    Project ID Project number Description
    confidential-space-images
    		 30229352718 Project containing Confidential Space VM images
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: