Yes, after you have shared images and snapshots with other users, you can control where those users employ those resources.
Set the constraints/compute.storageResourceUseRestrictions constraint to define the projects where users are permitted to use your storage resources.
You must have permission to modify your organization's policies to set these constraints. For example, theresourcemanager.organizationAdmin role has permission to set these constraints.
-
Find the organization ID for your organization.
gcloud organizations list
-
Get the existing policy settings for your organization.
gcloud beta resource-manager org-policies describe \
compute.storageResourceUseRestrictions \
--organization [ORGANIZATION_ID] > org-policy.yaml
where [ORGANIZATION_ID] is your organization ID.
-
Open the org-policy.yaml file in a text editor and modify the compute.storageResourceUseRestrictions constraint. Add the restrictions that you need or remove the restrictions that you no longer require. When you have finished editing the file, save your changes. For example, you might set the following constraint entry in your policy file:
constraint: compute.storageResourceUseRestrictions
listPolicy:
allowedValues:
- under:organization/[ORGANIZATION_ID]
-
Apply the policy.yaml file to your organization.
gcloud beta resource-manager org-policies set-policy
--organization [ORGANIZATION_ID] org-policy.yaml
where [ORGANIZATION_ID] is your organization ID.
When you have finished configuring the constraints in your organization policy, test those constraints to ensure that they create the restrictions that you need.
