Restrict resource usage for workloads
This page explains how to enable or disable restrictions for non-compliant resources in Assured Workloads folders. By default, each folder's control package determines which products are supported, and therefore which resources can be used. This behaviour is enforced by the gcp.restrictServiceUsage organization policy constraint, which is applied to the folder automatically when the folder is created.
To modify resource usage restrictions, the caller must be granted Identity and Access Management (IAM) permissions using either a predefined role that includes a wider set of permissions, or a custom role that is restricted to the minimum necessary permissions.
The following permissions are required on the target workload:
assuredworkloads.workload.update
orgpolicy.policy.set
These permissions are included in the following two roles:
roles/assuredworkloads.admin
roles/assuredworkloads.editor
See IAM roles for more information about roles for Assured Workloads.
Enable resource usage restrictions
To enable resource usage restriction for a workload, run the following command. This command applies restrictions on the Assured Workloads folder in accordance with the control package's supported services:
curl -d '{ "restrictionType": "ALLOW_COMPLIANT_RESOURCES" }' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer TOKEN" -X POST \
"SERVICE_ENDPOINT/v1/organizations/ORGANIZATION_ID/locations/WORKLOAD_LOCATION/workloads/WORKLOAD_ID:restrictAllowedServices"
Replace the following placeholder values with your own:
TOKEN: The authentication token for the request, for example: ya29.a0AfB_byDnQW7A2Vr5...tanw0427
If you have the Google Cloud SDK installed in your environment and are authenticated, you can use the gcloud auth print-access-token command instead of pasting a token: -H "Authorization: Bearer $(gcloud auth print-access-token)" -X POST \
SERVICE_ENDPOINT: The desired service endpoint, for example: https://us-central1-assuredworkloads.googleapis.com
ORGANIZATION_ID: The unique identifier of the Google Cloud organization, for example: 12321311
WORKLOAD_LOCATION: The location of the workload, for example: us-central1
WORKLOAD_ID: The unique identifier of the workload, for example: 00-c25febb1-f3c1-4f19-8965-a25
After you replace the placeholder values, your request should look similar to the following example:
curl -d '{ "restrictionType": "ALLOW_COMPLIANT_RESOURCES" }' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ya29.a0AfB_byDnQW7A2Vr5...tanw0427" -X POST \
"https://us-central1-assuredworkloads.googleapis.com/v1/organizations/12321311/locations/us-central1/workloads/00-c25febb1-f3c1-4f19-8965-a25:restrictAllowedServices"
If successful, the response will be empty.
Disable resource usage restriction
To disable resource usage restriction for a workload, run the following command. This command removes all service and resource restrictions on the Assured Workloads folder, so non-compliant products can be used there:
curl -d '{ "restrictionType": "ALLOW_ALL_GCP_RESOURCES" }' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer TOKEN" -X POST \
"SERVICE_ENDPOINT/v1/organizations/ORGANIZATION_ID/locations/WORKLOAD_LOCATION/workloads/WORKLOAD_ID:restrictAllowedServices"
Replace the following placeholder values with your own:
TOKEN: The authentication token for the request, for example: ya29.a0AfB_byDnQW7A2Vr5...tanw0427
If you have the Google Cloud SDK installed in your environment and are authenticated, you can use the gcloud auth print-access-token command instead of pasting a token: -H "Authorization: Bearer $(gcloud auth print-access-token)" -X POST \
SERVICE_ENDPOINT: The desired service endpoint, for example: https://us-central1-assuredworkloads.googleapis.com
ORGANIZATION_ID: The unique identifier of the Google Cloud organization, for example: 12321311
WORKLOAD_LOCATION: The location of the workload, for example: us-central1
WORKLOAD_ID: The unique identifier of the workload, for example: 00-c25febb1-f3c1-4f19-8965-a25
After you replace the placeholder values, your request should look similar to the following example:
curl -d '{ "restrictionType": "ALLOW_ALL_GCP_RESOURCES" }' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ya29.a0AfB_byDnQW7A2Vr5...tanw0427" -X POST \
"https://us-central1-assuredworkloads.googleapis.com/v1/organizations/12321311/locations/us-central1/workloads/00-c25febb1-f3c1-4f19-8965-a25:restrictAllowedServices"
If successful, the response will be empty.
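The enable and disable procedures above differ only in the restrictionType value, and a successful call returns an empty body, so a script has nothing to inspect except the HTTP status. The following wrapper is an added example, not code from the Assured Workloads documentation: it builds the :restrictAllowedServices request from the page's placeholders, rejects any restrictionType other than the two documented values, checks the status code, and then reads back the effective gcp.restrictServiceUsage policy with gcloud org-policies describe --effective (that read-back command and the FOLDER_ID argument are assumptions, not part of the page).

```shell
#!/usr/bin/env bash
# Added example (not from the Assured Workloads docs): wraps the
# workloads:restrictAllowedServices call and verifies the resulting policy.
set -euo pipefail

# Build the request URL from the placeholders used on the page.
aw_restrict_url() {
  local endpoint="$1" org="$2" location="$3" workload="$4"
  printf '%s/v1/organizations/%s/locations/%s/workloads/%s:restrictAllowedServices' \
    "$endpoint" "$org" "$location" "$workload"
}

# Only the two restriction types documented on the page are accepted;
# anything else is rejected before any request is sent.
aw_restriction_body() {
  case "$1" in
    ALLOW_COMPLIANT_RESOURCES|ALLOW_ALL_GCP_RESOURCES)
      printf '{ "restrictionType": "%s" }' "$1" ;;
    *)
      echo "unknown restrictionType: $1" >&2
      return 1 ;;
  esac
}

# Send the POST. The success response is empty, so the HTTP status is the
# only signal; gcloud must already be authenticated.
aw_set_restriction() {
  local url body status
  url=$(aw_restrict_url "$1" "$2" "$3" "$4")
  body=$(aw_restriction_body "$5") || return 1
  status=$(curl -sS -o /dev/null -w '%{http_code}' -d "$body" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -X POST "$url")
  [ "$status" = "200" ] || { echo "request failed: HTTP $status" >&2; return 1; }
}

# Read back what the workload folder actually enforces (FOLDER_ID is an
# assumed input; the page does not list it).
aw_show_effective_policy() {
  gcloud org-policies describe gcp.restrictServiceUsage \
    --folder="$1" --effective
}
```

Calling aw_set_restriction with ALLOW_ALL_GCP_RESOURCES is the disable path; reading the effective policy afterwards confirms whether the folder is still restricting service usage.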
Supported and unsupported products
The tables in this section list supported and unsupported products for various control packages. If you enable the default resource usage restrictions, only the supported products can be used. If you disable resource usage restrictions, both supported and unsupported products can be used.
Data Boundary for FedRAMP Moderate
Endpoint: aiplatform.googleapis.com
Supported products: Vertex AI
Unsupported products: AI Platform Training and Prediction API

Data Boundary for FedRAMP High
Endpoint: compute.googleapis.com
Supported products: Compute Engine, Persistent Disk
Unsupported products: AI Platform Training and Prediction API, Cloud CDN, Virtual Private Cloud, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers

Data Boundary for Criminal Justice Information Services (CJIS)
Endpoint: accesscontextmanager.googleapis.com
Supported products: VPC Service Controls
Unsupported products: Access Context Manager
Endpoint: compute.googleapis.com
Supported products: Virtual Private Cloud, Persistent Disk, Compute Engine
Unsupported products: Cloud CDN, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers
Endpoint: cloudkms.googleapis.com
Supported products: Cloud Key Management Service
Unsupported products: Cloud HSM

Data Boundary for Impact Level 4 (IL4)
Endpoint: compute.googleapis.com
Supported products: Compute Engine, Persistent Disk
Unsupported products: AI Platform Training and Prediction API, Cloud CDN, Virtual Private Cloud, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers
Endpoint: cloudkms.googleapis.com
Supported products: Cloud Key Management Service
Unsupported products: Cloud HSM

US Data Boundary and Support
Endpoint: accesscontextmanager.googleapis.com
Supported products: VPC Service Controls
Unsupported products: Access Context Manager
Endpoint: compute.googleapis.com
Supported products: Virtual Private Cloud, Persistent Disk, Compute Engine
Unsupported products: Cloud CDN, Cloud Interconnect, Cloud Load Balancing, Cloud NAT, Cloud Router, Cloud VPN, Google Cloud Armor, Network Service Tiers
Endpoint: cloudkms.googleapis.com
Supported products: Cloud Key Management Service
Unsupported products: Cloud HSM

Service endpoints
This section lists the API endpoints that are not blocked after you enable resource usage restriction (API name: endpoint URL).
Cloud Asset API: cloudasset.googleapis.com
Cloud Logging API: logging.googleapis.com
Service Control: servicecontrol.googleapis.com
Cloud Monitoring API: monitoring.googleapis.com
Google Cloud Observability: stackdriver.googleapis.com
Security Token Service API: sts.googleapis.com
Identity and Access Management API: iam.googleapis.com
Cloud Resource Manager API: cloudresourcemanager.googleapis.com
Advisory Notifications API: advisorynotifications.googleapis.com
IAM Service Account Credentials API: iamcredentials.googleapis.com
Organization Policy Service API: orgpolicy.googleapis.com
Policy Troubleshooter API: policytroubleshooter.googleapis.com
Network Telemetry API: networktelemetry.googleapis.com
Service Usage API: serviceusage.googleapis.com
Service Networking API: servicenetworking.googleapis.com
Cloud Billing API: cloudbilling.googleapis.com
Service Management API: servicemanagement.googleapis.com
Identity Toolkit API: identitytoolkit.googleapis.com
Access Context Manager API: accesscontextmanager.googleapis.com
Service Consumer Management API: serviceconsumermanagement.googleapis.com
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-09 UTC.