How to Use Organization Policy in GCP: Simple Guide
Use Organization Policy in GCP to set rules that control what resources can be created and how they can be configured across your organization. You create a policy by choosing a constraint and applying it to your organization, a folder, or a project with the gcloud CLI or the Cloud Console.
Syntax
An Organization Policy in GCP pairs a constraint (a rule Google defines for a service, such as where resources may be created) with a policy that sets the allowed or denied values for that constraint. You attach the policy to an organization, a folder, or a project; the resource path and the constraint name together identify the policy.
Key parts:
- constraint: The rule you want to enforce, identified as constraints/SERVICE.name (for example constraints/gcp.resourceLocations, which limits the regions and zones where resources can be created). In the policy file the constraints/ prefix is dropped.
- policy: The values for that constraint. List constraints take allowedValues or deniedValues; boolean constraints take enforce: true or enforce: false.
- resource: The organization, folder, or project the policy is attached to, written as organizations/ID, folders/ID, or projects/PROJECT_ID in the policy's name field.
```bash
# Policy files for `gcloud org-policies set-policy` use the v2 layout: the
# target resource and the constraint are both carried in the name field, so
# the command takes no --organization/--folder/--project flag.
gcloud org-policies set-policy POLICY_FILE.yaml

# POLICY_FILE.yaml structure for a list constraint:
# name: organizations/ORGANIZATION_ID/policies/gcp.resourceLocations
# spec:
#   rules:
#   - values:
#       allowedValues:
#       - in:us-central1-locations
#       - in:us-east1-locations
```
Example
This example restricts resource creation for an organization to the us-central1 and us-east1 regions and their zones. It uses the gcp.resourceLocations constraint: the in:REGION-locations value groups cover a region and every zone in it, and the constraint applies to every location-aware service, so Compute Engine VM instances (the original target of this example) are covered along with other regional resources.
```bash
cat > policy.yaml <<EOF
name: organizations/1234567890/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:us-central1-locations
      - in:us-east1-locations
EOF

# Apply the policy; the target organization is read from the name field.
gcloud org-policies set-policy policy.yaml

# Read it back.
gcloud org-policies describe gcp.resourceLocations --organization=1234567890
```
Output
name: organizations/1234567890/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:us-central1-locations
      - in:us-east1-locations
The real output also carries an etag and an updateTime under spec, which the service sets on every write; they vary per write and are left out above.
Common Pitfalls
Common mistakes when using Organization Policy:
- Applying a policy at the wrong resource level. A policy set on one project protects only that project; a rule meant for the whole company belongs on the organization, or on a folder if only part of the hierarchy needs it. The target is fixed by the name field in the policy file, so check it before you apply.
- Misreading inheritance. A policy set at a higher level applies to everything below it, but a policy set on a child for the same constraint replaces the parent's policy unless the child sets spec.inheritFromParent: true to merge with it. See what a resource actually gets with gcloud org-policies describe CONSTRAINT --project=PROJECT_ID --effective.
- Mixing policy formats. gcloud org-policies set-policy expects the v2 layout (name and spec). Files written with constraint: and listPolicy: belong to the older gcloud resource-manager org-policies commands and are rejected.
- Using a constraint name that does not exist, or values the constraint does not accept. Check the name and the value syntax against Google's list of organization policy constraints before writing the file.
- Forgetting to enable the Organization Policy API (orgpolicy.googleapis.com), or lacking the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) on the target resource.
Always validate the policy YAML before applying it and roll it out on a small scope first. A policy can also carry a dryRunSpec next to spec; in dry-run mode violations are logged but not blocked, so you can see what a constraint would affect before enforcing it.
```bash
## Wrong: constraint that does not exist, so set-policy is rejected
cat > bad_policy.yaml <<EOF
name: organizations/1234567890/policies/compute.invalidConstraint
spec:
  rules:
  - values:
      allowedValues:
      - in:us-central1-locations
EOF
gcloud org-policies set-policy bad_policy.yaml
# Fails: no such constraint.

## Also wrong: v1 layout handed to the v2 command
cat > old_policy.yaml <<EOF
constraint: constraints/gcp.resourceLocations
listPolicy:
  allowedValues:
  - in:us-central1-locations
EOF
gcloud org-policies set-policy old_policy.yaml
# Fails: the file has no name/spec fields.

## Right: existing constraint, v2 layout
cat > good_policy.yaml <<EOF
name: organizations/1234567890/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:us-central1-locations
EOF
gcloud org-policies set-policy good_policy.yaml
```
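The Example section's policy and the checks from the pitfalls list, as an added example that is not part of the original guide and not Google's tooling: a small shell script that writes a v2-format policy file for an organization, folder, or project, rejects the listed mistakes (v1 layout, bad constraint name, wrong target level) before the file ever reaches gcloud, and only calls gcloud org-policies set-policy when the CLI is installed and APPLY=1 is set. The function names (policy_file, validate_policy, apply_policy, effective_policy), the APPLY switch, and the project ID my-sandbox-123 are assumptions made for the illustration; the organization ID 1234567890 is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the original guide): build, check, and optionally
# apply a v2-format Organization Policy file. Function names, the APPLY switch
# and the sample project ID are made up for illustration.
set -eu

# Emit a v2 policy for a list constraint on stdout.
#   $1 kind        organizations | folders | projects
#   $2 id          numeric org/folder ID, or a project ID
#   $3 constraint  SERVICE.name without the "constraints/" prefix
#   $4..           allowed values (e.g. us-east1 or in:us-locations)
policy_file() {
  local kind="$1" id="$2" constraint="$3" v
  shift 3
  printf 'name: %s/%s/policies/%s\n' "$kind" "$id" "$constraint"
  printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
  for v in "$@"; do
    printf '      - %s\n' "$v"
  done
}

# Reject the mistakes from the Common Pitfalls list before calling gcloud.
#   $1 file            policy file to check
#   $2 expected kind   optional: organizations | folders | projects
validate_policy() {
  local file="$1" want="${2:-}" kind
  # v1 keys mean the file was written for gcloud resource-manager org-policies.
  if grep -qE '^(constraint|listPolicy|booleanPolicy):' "$file"; then
    echo "$file: v1 layout (constraint:/listPolicy:); rewrite with name:/spec:" >&2
    return 1
  fi
  # name must be RESOURCE/ID/policies/SERVICE.constraint, no constraints/ prefix.
  if ! grep -qE '^name: (organizations|folders|projects)/[A-Za-z0-9-]+/policies/[a-z]+\.[A-Za-z]+$' "$file"; then
    echo "$file: bad or missing name (want e.g. organizations/123/policies/gcp.resourceLocations)" >&2
    return 1
  fi
  if ! grep -q '^spec:' "$file" || ! grep -q '^  rules:' "$file"; then
    echo "$file: missing spec.rules" >&2
    return 1
  fi
  # Wrong resource level: the file targets a different kind than intended.
  kind="$(sed -nE 's#^name: ([a-z]+)/.*#\1#p' "$file")"
  if [ -n "$want" ] && [ "$kind" != "$want" ]; then
    echo "$file: targets $kind but $want was intended" >&2
    return 1
  fi
  return 0
}

# Validate first; call gcloud only when it is installed and APPLY=1 is set,
# so running this script by accident does not touch a real organization.
apply_policy() {
  local file="$1" want="${2:-}"
  validate_policy "$file" "$want"
  if [ "${APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
    gcloud org-policies set-policy "$file"
  else
    echo "not applying (set APPLY=1 with gcloud installed); would run: gcloud org-policies set-policy $file" >&2
  fi
}

# Inheritance check: the policy a project actually gets after parents are merged.
effective_policy() {
  gcloud org-policies describe "$1" --project="$2" --effective
}

# --- demo on constructed files; needs no cloud access ---
work="$(mktemp -d)"
policy_file organizations 1234567890 gcp.resourceLocations \
  in:us-central1-locations in:us-east1-locations > "$work/org.yaml"
apply_policy "$work/org.yaml" organizations

# A v1-style file is caught locally instead of failing at gcloud.
printf 'constraint: constraints/gcp.resourceLocations\nlistPolicy:\n  allowedValues:\n  - in:us-central1-locations\n' > "$work/old.yaml"
validate_policy "$work/old.yaml" || echo "old.yaml rejected locally"

# A policy meant for the organization but written against a project.
policy_file projects my-sandbox-123 gcp.resourceLocations in:us-locations > "$work/proj.yaml"
validate_policy "$work/proj.yaml" organizations || echo "proj.yaml targets the wrong level"
rm -rf "$work"
```

The validator is a cheap pre-flight, not a substitute for the service's own checks: it cannot tell whether a well-formed constraint name exists or whether a value is legal for it, so gcloud's rejection of bad_policy.yaml above still matters. Run with APPLY=1 on a machine that has gcloud and roles/orgpolicy.policyAdmin on the target resource to apply for real, and use effective_policy to confirm what a child project ends up with after inheritance.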
Quick Reference
| Command | Description |
|---|---|
| gcloud services enable orgpolicy.googleapis.com | Enable the Organization Policy API in the project gcloud is configured to use |
| gcloud org-policies set-policy POLICY.yaml | Apply a policy from a YAML file; the target organization, folder, or project comes from the file's name field |
| gcloud org-policies describe CONSTRAINT --organization=ID | View the policy set directly on the organization for a constraint |
| gcloud org-policies describe CONSTRAINT --project=PROJECT_ID --effective | View the policy a project actually gets after inheritance is applied |
| gcloud org-policies list --organization=ID | List the policies set on the organization |
| gcloud org-policies delete CONSTRAINT --organization=ID | Remove the policy for a constraint, so the parent's policy or the Google default applies again |
| gcloud org-policies reset CONSTRAINT --organization=ID | Set the policy for a constraint back to the Google default |
Key Takeaways
Organization Policy lets you enforce rules across your GCP organization, folders, or projects.
A policy names a constraint and sets its allowed or denied values, or, for boolean constraints, whether it is enforced.
Apply policies with gcloud org-policies set-policy and a v2-format YAML file whose name field carries both the target resource and the constraint.
Policies set higher in the hierarchy apply below unless a lower-level policy replaces them; use describe --effective to see the merged result.
Validate policy syntax and roll changes out on a small scope, or in dry-run mode, before applying them widely.