Console
    Contact Us Start free

    Enforce Confidential VM use

    To make sure all VM instances created in your organization are Confidential VM instances, you can use an organization policy constraint .

    Required roles

    To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization Policy Administrator ( roles/orgpolicy.policyAdmin ) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations .

    This predefined role contains the permissions required to manage organization policies. To see the exact permissions that are required, expand the Required permissionssection:

    Required permissions

    The following permissions are required to manage organization policies:

    • orgpolicy.constraints.list
    • orgpolicy.policies.create
    • orgpolicy.policies.delete
    • orgpolicy.policies.list
    • orgpolicy.policies.update
    • orgpolicy.policy.get
    • orgpolicy.policy.set

    You might also be able to get these permissions with custom roles or other predefined roles .

    Enable the constraint

    To enable the constraint on VM instances, complete the following instructions:

    Console

    1. In the Google Cloud console, go to the Organization policiespage:

      Go to Organization policies

    2. Click the switcher box at the top of the page, and choose the organization to apply the constraint to. To apply the constraint to a project, select a project instead.

    3. In the filter box, enter restrict non-confidential computing , and then click the Restrict Non-Confidential Computingpolicy.

    4. On the Policy detailspage for Restrict Non-Confidential Computing, click Manage policy.

    5. In the Applies tosection, click Customize.

    6. In the Policy enforcementsection, choose one of the following options:

      • Merge with parent.Merge your new policy setting with that of a parent organization.

      • Replace.Replace the current policy setting and ignore that of the parent organization.

    7. In the Rulessection, click Add a rule.

    8. In the Policy valuesbox, select Custom, and set the Policy typeto Deny.

    9. In the Custom valuesbox, enter compute.googleapis.com as the API service name you want to enforce the policy on.

    10. Click Done.

    11. Click Set policy.

    gcloud

     gcloud  
resource-manager  
org-policies  
deny  
 \ 
  
constraints/compute.restrictNonConfidentialComputing  
compute.googleapis.com  
 \ 
  
--organization = 
 ORGANIZATION_ID

    Provide the following value:

    • ORGANIZATION_ID : The ID of the organization to add the constraint to.

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud  
organizations  
describe  
 ORGANIZATION_NAME 
  
--format = 
 "value(name.segment(1))"

    To apply the constraint at the project level instead of the organization level, use --project= PROJECT_ID instead of --organization= ORGANIZATION_ID .

    Alternatively, you can set policies with a policy file using set-policy commands .

    Verify the constraint

    To verify the constraint:

    1. In the Google Cloud console, go to the VM instancespage.

      Go to VM instances

    2. Click the project selector at the top of the page, and choose a project to create a VM in.

    3. Click Create instance.

    4. In the Confidential VM servicesection, verify that your policy is enforced.

    Disable the constraint

    To disable the constraint, complete the following instructions:

    Console

    1. In the Google Cloud console, go to the Organization policiespage:

      Go to Organization policies

    2. Click the switcher box at the top of the page, and choose the organization to apply the constraint to. To apply the constraint to a project, select a project instead.

    3. In the filter box, enter restrict non-confidential computing , and then click the Restrict Non-Confidential Computingpolicy.

    4. On the Policy detailspage for Restrict Non-Confidential Computing, click Manage policy.

    5. Click the rule to expand it.

    6. In the Policy valuesbox, select Allow all, and then click Done.

    7. Click Set policy.

    gcloud

     gcloud  
resource-manager  
org-policies  
delete  
 \ 
  
constraints/compute.restrictNonConfidentialComputing  
 \ 
  
--organization = 
 ORGANIZATION_ID

    Provide the following value:

    • ORGANIZATION_ID : The ID of the organization to delete the constraint from.

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud  
organizations  
describe  
 ORGANIZATION_NAME 
  
--format = 
 "value(name.segment(1))"

    To delete the constraint at the project level instead of the organization level, use --project= PROJECT_ID instead of --organization= ORGANIZATION_ID .

    Alternatively, you can set policies with a policy file using set-policy commands .

    What's next

    To learn more about the core concepts of organization policy:
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: