
Organization policies in GCP - Commands & Configuration

Introduction
Organization policies (the Organization Policy Service) let you set guardrails on what users and projects can do in Google Cloud. A policy configures one constraint and is attached at the organization, folder, or project level; resources below that node inherit it, and a policy set lower in the hierarchy replaces the inherited one unless it sets inheritFromParent: true. Typical uses:
When you want to prevent users from creating resources in certain regions to comply with data laws.
When you need to restrict the types of virtual machines that can be launched to control costs.
When you want to enforce encryption settings across all projects in your organization.
When you want to block the use of public IP addresses on virtual machines for security.
When you want to ensure all projects use a specific network configuration.
Config File - policy.yaml

name: organizations/1234567890/policies/compute.vmExternalIpAccess
spec:
  etag: BwWWja0YfJA=
  rules:
  - denyAll: true

This file defines an organization policy for the list constraint compute.vmExternalIpAccess that denies every VM instance under the organization an external IP address.

name: the resource name of the policy, in the form organizations/ORG_ID/policies/CONSTRAINT_NAME. The constraint name after policies/ is what the policy enforces. Folder and project policies use folders/FOLDER_ID/policies/... and projects/PROJECT_ID/policies/... instead; there is no constraints/ segment in a policy name.

spec.rules: the list of rules. denyAll: true denies every value of the list constraint, so no instance anywhere under the organization may be given an external IP. To allow specific exceptions instead, replace denyAll with values.allowedValues and list the permitted instances as projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME.

spec.etag: an opaque version marker returned by the service. Including the current value makes an update fail if someone else changed the policy in the meantime, instead of silently overwriting their change.

Two caveats worth keeping in mind: the constraint is enforced on API requests (creating an instance or attaching an external IP), not retroactively, so instances that already have an external IP keep it until you remove it yourself; and a folder or project below the organization can set its own policy for the same constraint, which replaces the inherited one unless it sets inheritFromParent: true, so limit who holds roles/orgpolicy.policyAdmin on child resources.

Commands
Check whether an organization policy for compute.vmExternalIpAccess is already set at the organization level.
Terminal
gcloud org-policies describe compute.vmExternalIpAccess --organization=1234567890
Expected output
name: organizations/1234567890/policies/compute.vmExternalIpAccess
spec:
  etag: BwWWja0YfJA=
  rules:
  - denyAll: true
--organization - The numeric organization ID whose policy to read (use --folder or --project for policies at those levels). If no policy has been set for this constraint yet, the command returns a not-found error rather than an empty policy; add --effective to see the rules actually in force, including inherited ones.
Apply the policy from policy.yaml. The target resource is taken from the name field inside the file, so this command takes no --organization flag.
Terminal
gcloud org-policies set-policy policy.yaml
Expected output
Updated policy [organizations/1234567890/policies/compute.vmExternalIpAccess].
On the first run, when no policy existed yet, the message reads Created policy [...] instead. If the etag in the file no longer matches the current policy, the update is rejected.
Verify that the policy now denies external IPs.
Terminal
gcloud org-policies describe compute.vmExternalIpAccess --organization=1234567890
Expected output
name: organizations/1234567890/policies/compute.vmExternalIpAccess
spec:
  etag: BwWWja0YfJA=
  rules:
  - denyAll: true
--organization - The organization ID to check. Confirm that the rules block shows denyAll: true and nothing else; the etag shown is whatever value the service assigned on the last update.
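The verification step above is usually the one that gets skipped, so here is a small checker you can put in a CI job. It is an added example, not part of the original page or of Google's tooling: it reads the JSON form of the describe output (gcloud org-policies describe compute.vmExternalIpAccess --organization=ORG_ID --format=json) from stdin and classifies the policy, flagging allowlisted exceptions and tag-conditioned rules that weaken a denyAll. The two sample policies embedded in it are constructed, and the file name, project, instance and tag values are made up.

```python
"""Classify a compute.vmExternalIpAccess policy from `gcloud org-policies describe --format=json`.

Hypothetical usage in a CI job (the script name is an assumption):
    gcloud org-policies describe compute.vmExternalIpAccess \
        --organization=1234567890 --format=json | python3 check_vm_external_ip_policy.py
Exits 0 only for an unconditional denyAll with no tag-based carve-outs.
"""
import json
import sys

CONSTRAINT = "compute.vmExternalIpAccess"

# Constructed sample of the JSON describe output once policy.yaml has been applied.
# Not captured from a real organization.
SAMPLE_DENY_ALL = json.dumps({
    "name": "organizations/1234567890/policies/" + CONSTRAINT,
    "spec": {"etag": "BwWWja0YfJA=", "rules": [{"denyAll": True}]},
})

# Constructed sample of a project-level policy that weakens the org-level deny:
# one instance is allowlisted, and a tag-conditioned rule allows external IPs on
# anything tagged env=dev. Project, instance and tag path are made up.
SAMPLE_WEAKENED = json.dumps({
    "name": "projects/123456/policies/" + CONSTRAINT,
    "spec": {
        "etag": "BwXYZ12345=",
        "rules": [
            {"values": {"allowedValues": [
                "projects/example-proj/zones/us-central1-a/instances/bastion-1"]}},
            {"condition": {"expression": "resource.matchTag('123456/env', 'dev')"},
             "allowAll": True},
        ],
    },
})


def evaluate_policy(raw_json):
    """Classify the policy's unconditional rule and list anything that weakens it.

    Verdicts: deny_all, allow_all, allow_listed_only (only allowedValues may have an
    external IP), deny_listed_only (everything except deniedValues is allowed) and
    unset (no rules). Conditional rules are counted separately: they apply to any
    resource carrying the referenced tag, so they can punch holes in a denyAll.
    """
    policy = json.loads(raw_json) if raw_json.strip() else {}
    name = policy.get("name", "")
    if not name.endswith("/policies/" + CONSTRAINT):
        raise ValueError("not a %s policy: %r" % (CONSTRAINT, name))

    spec = policy.get("spec", {})
    result = {
        "name": name,
        "etag": spec.get("etag"),
        "verdict": "unset",
        "allowed_exceptions": [],
        "denied_values": [],
        "conditional_rules": 0,
    }
    for rule in spec.get("rules", []):
        if "condition" in rule:
            result["conditional_rules"] += 1
            continue
        if rule.get("denyAll"):
            result["verdict"] = "deny_all"
        elif rule.get("allowAll"):
            result["verdict"] = "allow_all"
        elif "values" in rule:
            allowed = rule["values"].get("allowedValues", [])
            denied = rule["values"].get("deniedValues", [])
            result["allowed_exceptions"].extend(allowed)
            result["denied_values"].extend(denied)
            result["verdict"] = "allow_listed_only" if allowed else "deny_listed_only"
    return result


def is_compliant(result):
    """True only for an unconditional denyAll with no conditional carve-outs."""
    return result["verdict"] == "deny_all" and result["conditional_rules"] == 0


if __name__ == "__main__":
    verdict = evaluate_policy(sys.stdin.read())
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if is_compliant(verdict) else 1)
```

Run it against the org-level policy and again against describe --effective --project=... for a sample project: the second run is what tells you whether a child-level policy has overridden the deny.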
Key Concept

If you remember nothing else from this pattern, remember: organization policies let you set rules that control what can or cannot be done across every folder and project in your Google Cloud organization, and child resources inherit them unless a lower-level policy replaces them.

Common Mistakes
Omitting the resource flag when describing or listing policies.
gcloud org-policies describe (like list, allow, deny and reset) fails because exactly one of --organization, --folder or --project must be given.
Include the flag for the level you are working at. set-policy is the exception: it reads the target from the name field in the policy file and takes no resource flag.
Editing the policy file but leaving a stale etag in it.
The update is rejected because the etag no longer matches the current policy; that is the intended protection against two admins overwriting each other.
Copy the current etag from the describe output into the file, or remove the etag line to skip the concurrency check (accepting the risk of clobbering a concurrent change).
Not verifying the policy after applying it.
You may believe external IPs are blocked while a child-level policy, a conditional rule or a rejected update has left them allowed.
Describe the policy after setting it, and run describe --effective against a sample project to see what is actually enforced there.
Summary
Use gcloud org-policies describe with --organization (or --folder/--project) to read a policy; set-policy takes its target from the name field in the policy file.
Create a YAML file with the policy name and a spec.rules list using denyAll, allowAll, or values.allowedValues/deniedValues.
Apply the policy with gcloud org-policies set-policy and confirm it with describe (and describe --effective for what child resources actually get).