Organisation policies are guardrails that restrict what can and cannot be done across your GCP environment. IAM controls who can do things; organisation policies control what can be done at all, regardless of the IAM permissions a principal holds.
| Aspect | IAM | Organisation Policies |
|---|---|---|
| Controls | Who has access | What is allowed |
| Mechanism | Roles and permissions | Constraints |
| Example | "Alice can create VMs" | "VMs can only be created in europe-west2" |
| Override | Granting a broader role widens what a principal can do | Cannot be bypassed by granting more IAM roles, even roles/owner; only editing the policy itself (which needs roles/orgpolicy.policyAdmin) lifts it |
Even a user holding roles/owner on a project cannot violate an organisation policy that applies to it. The policy can only be changed by someone who holds the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) at that node or above, so that role should be granted to a very small, well-audited group.
Organisation policies are applied at the organisation, folder, or project level and are inherited downward:

```text
Organisation: constraint compute.vmExternalIpAccess: no external IP on VMs
├── Folder: Engineering
│   └── Project: eng-prod: inherits "no external IP"
│                          (a project owner cannot lift it without roles/orgpolicy.policyAdmin on the project)
└── Folder: Sandbox
    └── Project: sandbox-1: EXEMPTED by the org policy admin setting a project-level policy
```
| Concept | Description |
|---|---|
| Constraint | A predefined rule provided by Google (e.g., restrict VM locations) |
| Policy | The configuration applied to a resource (how the constraint is enforced) |
| Inheritance | Child resources inherit parent policies by default |
| Override | A child can set its own policy for the same constraint; by default it replaces the parent's, or merges with it when a list constraint sets `inheritFromParent: true`. Setting it requires the Organization Policy Administrator role on the child |
| Compute constraint | Purpose |
|---|---|
| constraints/compute.vmExternalIpAccess | Restrict which VMs may have external IPs (deny all, or list the permitted instances) |
| constraints/compute.restrictLoadBalancerCreationForTypes | Restrict which load balancer types can be created |
| constraints/compute.trustedImageProjects | Allow VM boot images only from approved image projects |
| constraints/compute.skipDefaultNetworkCreation | Prevent auto-creation of the default VPC (and its permissive default firewall rules) in new projects |
| Location constraint | Purpose |
|---|---|
| constraints/gcp.resourceLocations | Restrict which regions/zones location-based resources can be created in |
| IAM constraint | Purpose |
|---|---|
| constraints/iam.disableServiceAccountKeyCreation | Block creation of new user-managed SA keys (keys that already exist keep working until deleted) |
| constraints/iam.disableServiceAccountCreation | Block creation of new SAs |
| constraints/iam.allowedPolicyMemberDomains | Restrict IAM bindings to principals from specific organisations, identified by Cloud Identity / Workspace customer ID (Cxxxxxxxx), not by domain name |
| Storage constraint | Purpose |
|---|---|
| constraints/storage.uniformBucketLevelAccess | Require uniform bucket-level access: new buckets must enable it and existing buckets cannot disable it (no per-object ACLs) |
| constraints/storage.publicAccessPrevention | Prevent granting allUsers / allAuthenticatedUsers on buckets and objects |
```shell
# Allow resource creation only in three European regions
# (in:europe-locations would cover all of Europe)
gcloud resource-manager org-policies set-policy \
  --organization=123456789 \
  policy.yaml
```

```yaml
# policy.yaml (v1 listPolicy schema)
constraint: constraints/gcp.resourceLocations
listPolicy:
  allowedValues:
  - in:europe-west2-locations
  - in:europe-west1-locations
  - in:europe-north1-locations
```
```shell
# Turn on a boolean constraint: block creation of user-managed service account keys
gcloud resource-manager org-policies enable-enforce \
  constraints/iam.disableServiceAccountKeyCreation \
  --organization=123456789
```

This only stops new keys from being created; keys that already exist keep working until you delete them.
```shell
# Deny all VMs from having external IPs
gcloud resource-manager org-policies set-policy \
  --organization=123456789 \
  no-external-ip.yaml
```

```yaml
# no-external-ip.yaml (v1 listPolicy schema)
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
```

Both YAML files use the v1 listPolicy schema that `gcloud resource-manager org-policies` accepts; the newer `gcloud org-policies` command group expects a different layout (a `spec` with `rules`), so do not mix the two. After setting a policy at the organisation, read back what actually applies at a descendant with `gcloud resource-manager org-policies describe` and the `--effective` flag: a folder or project that already has its own policy for the constraint will have replaced the one you just set.
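The inheritance rules in the tree and table above, and the listPolicy files used in the commands, can be exercised without an organisation to hand. The following Python is an added example, not code from this lesson or from Google: it models the v1 listPolicy fields (allValues, allowedValues, deniedValues, inheritFromParent, restoreDefault) and resolves the effective policy down an organisation, folder, project path, then checks a value against it. The hierarchy it builds is constructed to mirror the diagram (eng-prod inherits the external-IP deny, sandbox-1 is exempted), and treating `in:<name>-locations` value groups as a name-prefix match is a simplification of the real value-group expansion.

```python
"""Effective-policy resolution for v1 organisation-policy list constraints.

Added illustration, not GCP's own code. The rules encoded are the documented
ones (a child replaces the parent's lists unless inheritFromParent is set,
allValues overrides the lists, deny beats allow). Two simplifications:
value groups such as "in:europe-west2-locations" are modelled as a name
prefix, and resources are plain strings.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ListPolicy:
    """One node's policy for one list constraint (v1 listPolicy fields)."""
    all_values: str | None = None            # "ALLOW", "DENY" or None
    allowed: set[str] = field(default_factory=set)
    denied: set[str] = field(default_factory=set)
    inherit_from_parent: bool = False        # False = replace the parent's lists
    restore_default: bool = False            # drop everything set above


@dataclass
class Effective:
    """What actually applies at a node after walking down from the org."""
    all_values: str | None = None
    allowed: set[str] = field(default_factory=set)
    denied: set[str] = field(default_factory=set)


def resolve(chain: list[ListPolicy | None]) -> Effective:
    """chain[0] is the organisation, chain[-1] the node being evaluated.
    None means the node sets nothing for this constraint and inherits."""
    eff = Effective()
    for pol in chain:
        if pol is None:
            continue
        if pol.restore_default:
            eff = Effective()                              # back to the default (allow all)
        elif pol.all_values is not None:
            eff = Effective(all_values=pol.all_values)     # allValues discards the lists
        elif pol.inherit_from_parent:
            eff = Effective(all_values=eff.all_values,     # merge with what came down
                            allowed=eff.allowed | pol.allowed,
                            denied=eff.denied | pol.denied)
        else:
            eff = Effective(allowed=set(pol.allowed),      # replace what came down
                            denied=set(pol.denied))
    return eff


def _matches(value: str, patterns: set[str]) -> bool:
    """Exact match, or membership of an "in:<name>-locations" value group
    (assumption: modelled as a name prefix, so europe-west2 covers europe-west2-a)."""
    for pattern in patterns:
        if pattern.startswith("in:") and pattern.endswith("-locations"):
            prefix = pattern[len("in:"):-len("-locations")]
            if value == prefix or value.startswith(prefix + "-"):
                return True
        elif pattern == value:
            return True
    return False


def is_allowed(eff: Effective, value: str) -> bool:
    if _matches(value, eff.denied):      # an explicit deny always wins
        return False
    if eff.all_values == "DENY":
        return False
    if eff.all_values == "ALLOW":
        return True
    if eff.allowed:                      # an allow list is exhaustive
        return _matches(value, eff.allowed)
    return True                          # nothing set anywhere: constraint default


# Constructed hierarchy mirroring the diagram on this page (not real policies).
ORG = {
    "compute.vmExternalIpAccess": ListPolicy(all_values="DENY"),
    "gcp.resourceLocations": ListPolicy(allowed={"in:europe-west2-locations"}),
}
FOLDER_ENGINEERING = {   # adds a region on top of the org's list instead of replacing it
    "gcp.resourceLocations": ListPolicy(allowed={"in:europe-west1-locations"},
                                        inherit_from_parent=True),
}
FOLDER_SANDBOX: dict[str, ListPolicy] = {}
PROJECT_ENG_PROD: dict[str, ListPolicy] = {}
PROJECT_SANDBOX_1 = {    # the exemption an org-policy admin set on the sandbox project
    "compute.vmExternalIpAccess": ListPolicy(all_values="ALLOW"),
}


def check(constraint: str, value: str, *nodes: dict[str, ListPolicy]) -> bool:
    """Is `value` permitted under `constraint` at the last node of the path?"""
    return is_allowed(resolve([n.get(constraint) for n in nodes]), value)


if __name__ == "__main__":
    eng = (ORG, FOLDER_ENGINEERING, PROJECT_ENG_PROD)
    sbx = (ORG, FOLDER_SANDBOX, PROJECT_SANDBOX_1)
    print("eng-prod VM external IP:", check("compute.vmExternalIpAccess", "vm-1", *eng))
    print("sandbox-1 VM external IP:", check("compute.vmExternalIpAccess", "vm-1", *sbx))
    print("eng-prod europe-west1-b:", check("gcp.resourceLocations", "europe-west1-b", *eng))
    print("sandbox-1 europe-west1-b:", check("gcp.resourceLocations", "europe-west1-b", *sbx))
```

The two behaviours worth noticing are that the Engineering folder widens the location list only because it sets `inherit_from_parent=True` (the same list without that flag would replace the organisation's and silently drop europe-west2), and that the sandbox exemption is a project-level policy, which is exactly why the right to set policies on projects must stay with the organisation policy admins rather than project owners.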