Stay organized with collectionsSave and categorize content based on your preferences.
Manage function resources using custom constraints
This page provides supplemental information for setting custom constraints on
functions created using theCloud Functions v2 API, such as
through thegcloud functionscommands.
Limitations
The following limitations apply to using custom organization policies forCloud Functions v2 APIfunctions:
They won't be applied to Cloud Run functions (1st gen).
Only protects functions when using the Cloud Functions v2 API.
Cloud Run functions can also be modified from the Cloud Run API as
well. For additional protection, you might need to alsoapply custom constraints on Cloud Runas well.
Common organization policy examples
The following table provides the syntax of some custom organization policies
that you might find useful:
Description
Constraint syntax
Prevent functions from being created with a specific language
name:organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionRuntimeBlockresource_types:cloudfunctions.googleapis.com/Functionmethod_types:-CREATE-UPDATEcondition:resource.buildConfig.runtime == "python312"action_type:DENYdisplay_name:Deny functions using Python 3.12description:Functions cannot be created with Python 3.12 as the language runtime
Require functions to use a specific worker pool
name:organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionsWorkerPoolresource_types:cloudfunctions.googleapis.com/Functionmethod_types:-CREATE-UPDATEcondition:resource.buildConfig.workerPool == "WORKER_POOL"action_type:DENYdisplay_name:Require worker pooldescription:Functions must use a worker pool
ReplaceWORKER_POOLwith the name of your Cloud Build worker pool.
Require that functions store all container images in a specific image repository
name:organizations/ORGANIZATION_ID/customConstraints/custom.cloudFunctionsRepositoryresource_types:cloudfunctions.googleapis.com/Functionmethod_types:-CREATE-UPDATEcondition:resource.buildConfig.dockerRepository.startsWith("REPO_PATH")action_type:DENYdisplay_name:Image repository constraintdescription:Functions must push images to a central image repository underREPO_PATH
ReplaceREPO_PATHwith the URI of the image repository URL
that you want all functions to store their container images in.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eOrganization administrators can create custom constraints for Cloud Run functions using Organization Policy, allowing for granular control over specific fields at the project, folder, or organization level.\u003c/p\u003e\n"],["\u003cp\u003eCustom constraints offer benefits like cost management, enforcing security requirements, and governing automation scripts by restricting VM instance types, requiring specific firewall rules, or verifying label expressions.\u003c/p\u003e\n"],["\u003cp\u003eCustom constraints are defined in YAML files specifying resources, methods, conditions (using Common Expression Language), and actions, and they can be enforced at the project level using the \u003ccode\u003egcloud\u003c/code\u003e command-line tool or the Google Cloud console.\u003c/p\u003e\n"],["\u003cp\u003eCustom constraints are only enforced on Cloud Functions v2 APIs, not Cloud Run functions (1st gen), and are only applied to the \u003ccode\u003eCREATE\u003c/code\u003e method for Compute Engine resources.\u003c/p\u003e\n"],["\u003cp\u003eCustom organization policies can be set to deny the creation of functions with a specific language, require functions to use a specific worker pool, and require functions to store container images in a specific image repository.\u003c/p\u003e\n"]]],[],null,["# Manage function resources using custom constraints\n==================================================\n\nThis page provides supplemental information for setting custom constraints on\nfunctions created using\n[`gcloud functions`](/sdk/gcloud/reference/functions) commands or the\n[Cloud Functions v2 API](/functions/docs/reference/rest).\n\nIf you've created or deployed functions using Cloud Run, see\nCloud Run's\n[Manage custom constraints for projects](/run/docs/securing/custom-constraints)\nguide for a detailed description of how to use custom constraints.\n\nLimitations\n-----------\n\nThe following limitations apply to using custom organization policies for\n[Cloud Functions v2 API](/functions/docs/reference/rest) functions:\n\n- Not enforced for VM instance names when you use the [bulk insert API](/compute/docs/instances/multiple/about-bulk-creation).\n- Only enforced on the `CREATE` method for Compute Engine resources.\n- Only available on [Cloud Functions\n v2 API](/functions/docs/reference/rest). They can't be applied on Cloud Run functions (1st gen).\n- Only protects functions when using the Cloud Functions v2 API. Cloud Run functions can also be modified from the Cloud Run API as well. For additional protection, you might need to also [apply custom constraints on Cloud Run](/run/docs/securing/custom-constraints) as well.\n\nCommon organization policy examples\n-----------------------------------\n\nThe following table provides the syntax of some custom organization policies\nthat you might find useful:\n\nWhat's next\n-----------\n\n- See [Introduction to the Organization Policy Service](/resource-manager/docs/organization-policy/overview) to learn more about organization policies.\n- Learn more about how to [create and manage organization policies](/resource-manager/docs/organization-policy/using-constraints).\n- See the full list of predefined [organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints)."]]
