Use predefined organization policies

This page describes how to add predefined organization policies on AlloyDB for PostgreSQL clusters and backups, which lets you put restrictions on AlloyDB at the project, folder, or organization level.

Customer-managed encryption keys (CMEK) organization policy

You can use the CMEK organization policy to control the CMEK settings of your AlloyDB clusters and backups. This policy lets you control the Cloud KMS keys that you use to protect your data.

AlloyDB supports two organization policy constraints that help ensure CMEK protection across an organization:

  • constraints/gcp.restrictNonCmekServices: Requires CMEK protection for the alloydb.googleapis.com service. When you add this constraint and add alloydb.googleapis.com to the Deny list of services, AlloyDB refuses to create a new cluster or backup unless it is protected with CMEK.
  • constraints/gcp.restrictCmekCryptoKeyProjects: Limits which Cloud KMS CryptoKeys you can use for CMEK protection in AlloyDB clusters and backups. With this constraint, when AlloyDB creates a new cluster or a backup with CMEK, the CryptoKey must come from an allowed project, folder, or organization.

These constraints are only enforced on newly created AlloyDB clusters and backups.

For more overview information, see CMEK organization policies. For information about CMEK organization policy constraints, see Organization policy constraints.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  3. Make sure that billing is enabled for your Google Cloud project.
  4. Install the Google Cloud CLI.
  5. To initialize the gcloud CLI, run the following command:

    gcloud init
  6. Add the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) to your user or service account from the IAM & Admin page.

Add the CMEK organization policy

To add a CMEK organization policy, follow these steps:

  1. Go to the Organization policies page.

  2. Click the drop-down in the Google Cloud console menu bar, and then select the project, folder, or organization that requires the organization policy. The Organization policies page displays a list of available organization policy constraints.

  3. To set constraints/gcp.restrictNonCmekServices, follow these steps:

    1. Filter for the constraint using the ID: constraints/gcp.restrictNonCmekServices or the Name: Restrict which services may create resources without CMEK.
    2. Click the constraint Name.
    3. Click Edit.
    4. Click Customize.
    5. Click Add rule.
    6. Under Policy values, click Custom.
    7. Under Policy types, select Deny.
    8. Under Custom values, enter alloydb.googleapis.com. This ensures that CMEK is enforced while creating AlloyDB clusters and backups.
  4. To set constraints/gcp.restrictCmekCryptoKeyProjects, follow these steps:

    1. Filter for the constraint ID: constraints/gcp.restrictCmekCryptoKeyProjects or Name: Restrict which projects may supply KMS CryptoKeys for CMEK.
    2. Click the constraint Name.
    3. Click Edit.
    4. Click Customize.
    5. Click Add rule.
    6. Under Policy values, click Custom.
    7. Under Policy types, select Allow.
    8. Under Custom values, enter the resource using the following format: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID.

      This ensures that your AlloyDB clusters and backups use Cloud KMS keys only from the allowed project, folder, or organization.

  5. Click Done and then click Save.
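
The same two policies can be applied from the command line. The following added example (not part of the AlloyDB documentation) builds the Deny rule for constraints/gcp.restrictNonCmekServices and the Allow rule for constraints/gcp.restrictCmekCryptoKeyProjects as Organization Policy API v2 payloads that `gcloud org-policies set-policy FILE` accepts, and checks that each key-source value uses one of the three formats listed in step 4.8. The project IDs shown are constructed sample values.

```python
"""Build Organization Policy v2 payloads for the two AlloyDB CMEK constraints."""
import json
import re

NON_CMEK_CONSTRAINT = "gcp.restrictNonCmekServices"            # Deny list of services
KEY_PROJECTS_CONSTRAINT = "gcp.restrictCmekCryptoKeyProjects"  # Allow list of key sources
ALLOYDB_SERVICE = "alloydb.googleapis.com"

# Formats the console accepts for the key-source allow list (step 4.8 above):
# under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, projects/PROJECT_ID.
# Syntax check only; it does not verify that the resource exists.
_KEY_SOURCE_RE = re.compile(
    r"^(under:organizations/\d+|under:folders/\d+|projects/[a-z][a-z0-9-]{4,28}[a-z0-9])$"
)


def validate_key_source(value: str) -> bool:
    """Return True if value is one of the three accepted key-source formats."""
    return _KEY_SOURCE_RE.match(value) is not None


def build_policies(resource: str, key_sources: list) -> dict:
    """Return {constraint_id: policy} attached at `resource`, e.g.
    "projects/my-project", "folders/123" or "organizations/456"."""
    bad = [s for s in key_sources if not validate_key_source(s)]
    if bad:
        raise ValueError(f"malformed key source(s): {bad}")
    # Deny rule: AlloyDB may not create clusters or backups without CMEK.
    deny_non_cmek = {
        "name": f"{resource}/policies/{NON_CMEK_CONSTRAINT}",
        "spec": {"rules": [{"values": {"deniedValues": [ALLOYDB_SERVICE]}}]},
    }
    # Allow rule: CMEK keys must come from the listed projects, folders or orgs.
    allow_key_sources = {
        "name": f"{resource}/policies/{KEY_PROJECTS_CONSTRAINT}",
        "spec": {"rules": [{"values": {"allowedValues": list(key_sources)}}]},
    }
    return {NON_CMEK_CONSTRAINT: deny_non_cmek, KEY_PROJECTS_CONSTRAINT: allow_key_sources}


def policy_json(policy: dict) -> str:
    """Serialize one policy as JSON, which gcloud accepts in place of YAML."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample values; substitute your own project and KMS key project.
    for policy in build_policies("projects/my-project", ["projects/my-kms-project"]).values():
        print(policy_json(policy))
```

Save each printed policy to its own file and apply it with `gcloud org-policies set-policy FILE`; as with the console steps, the constraints only affect clusters and backups created afterwards.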

What's next