This page describes how Google Cloud administrators can test organization restrictions without having to configure an egress proxy.
To create and test the organization restrictions header, do the following:
-  To get the Google Cloud organization ID of the organization, use the `gcloud organizations list` command:

   ```
   gcloud organizations list
   ```

   The following is the example output:

   ```
   DISPLAY_NAME: Organization A
   ID: 123456789
   DIRECTORY_CUSTOMER_ID: a1b2c3d4
   ```
-  After you get the organization ID, compose the JSON representation for the header value in the following format:

   ```
   {
     "resources": ["organizations/123456789"],
     "options": "strict"
   }
   ```
-  Encode the value for the request header by following the RFC 4648 Section 5 specifications (base64url). For example, if the JSON representation for the header value is stored in the `authorized_orgs.json` file, the following is the encoding through `basenc`:

   ```
   $ OR_HEADER=`cat authorized_orgs.json | basenc --base64url -w0`
   $ echo $OR_HEADER
   ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXQogIm9wdGlvbnMiOiAic3RyaWN0Igp9Cgo=
   ```
-  To test whether the header configuration allows access to a resource within an authorized Google Cloud organization, create a curl request to a resource within an authorized Google Cloud organization. Here is an example curl request:

   ```
   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call
   # makes a request to the logging API for a project within the same organization
   # listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST \
       -d '{"projectIds": ["my-project-123"]}' \
       -H 'Content-Type: application/json' \
       -H "Authorization: Bearer ${TOKEN}" \
       "https://logging.googleapis.com/v2/entries:list"

   # A successful request returns log entries in this project
   ```
-  To test whether the header configuration denies access to a resource that is outside the authorized Google Cloud organization, create a curl request to a resource outside an authorized Google Cloud organization. Here is an example curl request:

   ```
   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call
   # makes a request to the logging API for a project not within the same
   # organization listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST \
       -d '{"projectIds": ["other-project-123"]}' \
       -H 'Content-Type: application/json' \
       -H "Authorization: Bearer ${TOKEN}" \
       "https://logging.googleapis.com/v2/entries:list"
   {
     "error": {
       "code": 403,
       "message": "Access denied by organization restriction. Contact your administrator for additional information.",
       "status": "PERMISSION_DENIED",
       "details": [
         {
           "@type": "type.googleapis.com/google.rpc.ErrorInfo",
           "reason": "ORG_RESTRICTION_VIOLATION",
           "domain": "googleapis.com",
           "metadata": {
             "service": "logging.googleapis.com",
             "consumer": "other-project-123"
           }
         }
       ]
     }
   }
   ```

   An access denied error message indicates that the request to the resource is denied.
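
The compose and encode steps above can be wrapped in a check that catches a malformed header value before it reaches a request. This is an added example, not code from the original page or from Google: the function names are hypothetical, it uses `base64` with `tr` in place of `basenc` so it also runs where `basenc` is unavailable, and accepting more than one organization ID is an assumption based on `resources` being an array.

```bash
#!/usr/bin/env bash
# Added example: build and sanity-check an X-Goog-Allowed-Resources value.
# Function names are hypothetical; 123456789 is the sample ID from this page.

# Compose the JSON header value for one or more numeric organization IDs.
or_header_json() {
  local id list=""
  for id in "$@"; do
    # Reject anything that is not a plain numeric organization ID.
    case "$id" in
      ''|*[!0-9]*) echo "invalid organization ID: $id" >&2; return 1 ;;
    esac
    list="${list:+$list, }\"organizations/$id\""
  done
  [ -n "$list" ] || { echo "no organization ID given" >&2; return 1; }
  printf '{"resources": [%s], "options": "strict"}' "$list"
}

# Encode stdin as unwrapped base64url (RFC 4648 Section 5).
b64url_encode() { base64 | tr -d '\n' | tr '+/' '-_'; }

# Decode base64url from stdin back to the original bytes.
b64url_decode() { tr -- '-_' '+/' | base64 -d; }

# Build the header value and verify it before it goes into a request.
or_header_value() {
  local json enc
  json=$(or_header_json "$@") || return 1
  enc=$(printf '%s' "$json" | b64url_encode)
  # Only the URL-safe alphabet and '=' padding may appear.
  case "$enc" in
    *[!A-Za-z0-9_=-]*) echo "non-base64url character in header" >&2; return 1 ;;
  esac
  # The decoded value must match the JSON that was composed.
  [ "$(printf '%s' "$enc" | b64url_decode)" = "$json" ] || return 1
  printf '%s' "$enc"
}

OR_HEADER=$(or_header_value 123456789) && echo "$OR_HEADER"
```

The resulting `OR_HEADER` can be used in the curl requests above in place of the `basenc` output.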
What's next
- Learn about using organization restrictions.
- Learn about the services supported by organization restrictions.

