VPC Service Controls

To validate its attestation token, Confidential Space needs to download certificates from Cloud Storage buckets. If these buckets reside outside your perimeter, you must configure the following egress rule:

  - 
  
 egressTo 
 : 
  
 operations 
 : 
  
 - 
  
 serviceName 
 : 
  
 storage.googleapis.com 
  
 methodSelectors 
 : 
  
 - 
  
 method 
 : 
  
 google.storage.objects.get 
  
 resources 
 : 
  
 - 
  
 projects/870449385679 
  
 - 
  
 projects/180376494128 
  
 egressFrom 
 : 
  
 identityType 
 : 
  
 ANY_IDENTITY

The following table lists the projects containing the necessary certificates:

Project ID	Project number	Description
cloud-shielded-ca-prod	870449385679	Project containing attestation certificates
cloud-shielded-ca-prod-root	180376494128	Project containing root certificates

If the Compute Engine API is restricted by your service perimeter, you must create the following egress rule:

  - 
  
 egressTo 
 : 
  
 operations 
 : 
  
 - 
  
 serviceName 
 : 
  
 compute.googleapis.com 
  
 methodSelectors 
 : 
  
 - 
  
 method 
 : 
  
 InstancesService.Insert 
  
 resources 
 : 
  
 - 
  
 projects/30229352718 
  
 egressFrom 
 : 
  
 identityType 
 : 
  
 ANY_IDENTITY

The following table lists the project necessary to fetch Confidential Space VM images:

Project ID	Project number	Description
confidential-space-images	30229352718	Project containing Confidential Space VM images

VPC Service Controls Stay organized with collections Save and categorize content based on your preferences.

VPC Service Controls