# Use predefined organization policies

This page describes how to add predefined organization policies on
AlloyDB for PostgreSQL clusters and backups, which lets you put restrictions on
AlloyDB at the project, folder, or organization level. A policy set on a
folder or organization is inherited by every project beneath it.

Customer-managed encryption keys (CMEK) organization policy
-----------------------------------------------------------

You can use the CMEK organization policy to control the CMEK settings of your
AlloyDB clusters and backups. This policy lets you control the
[Cloud KMS keys](/kms/docs/resource-hierarchy) that you use to protect
your data.

AlloyDB supports two organization policy constraints that help
ensure CMEK protection across an organization:

- `constraints/gcp.restrictNonCmekServices`: Requires CMEK protection for
  resources created by the `alloydb.googleapis.com` service. When you add this
  constraint and put `alloydb.googleapis.com` on the `Deny` list of services,
  AlloyDB refuses to create a new cluster or backup unless the request
  specifies a CMEK key.
- `constraints/gcp.restrictCmekCryptoKeyProjects`: Limits which
  Cloud KMS CryptoKeys you can use for CMEK protection in
  AlloyDB clusters and backups. With this constraint, when
  AlloyDB creates a new cluster or backup with CMEK, the
  CryptoKey must come from an allowed project, folder, or organization.

Use the two constraints together: the first forces every new cluster and
backup to use CMEK, and the second prevents a key from an arbitrary project
the caller happens to have access to from satisfying that requirement.

These constraints are only enforced on newly created AlloyDB
clusters and backups. Existing clusters and backups that were created without
CMEK are not affected, and the policy does not retroactively re-encrypt them.

For more overview information, see
[CMEK organization policies](/kms/docs/cmek-org-policy).
For information about CMEK organization policy constraints, see
[Organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints).
Before you begin
----------------

- Sign in to your Google Cloud account. If you're new to Google Cloud,
  [create an account](https://console.cloud.google.com/freetrial) to evaluate
  how our products perform in real-world scenarios. New customers also get
  $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page,
  select or create a Google Cloud project.

  **Note**: If you don't plan to keep the resources that you create in this
  procedure, create a project instead of selecting an existing project. After
  you finish these steps, you can delete the project, removing all resources
  associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- [Install](/sdk/docs/install) the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first
  [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).
- To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:

  ```bash
  gcloud init
  ```

- Add the **Organization Policy Administrator** role
  ([`roles/orgpolicy.policyAdmin`](/iam/docs/understanding-roles#organization-policy-roles))
  to your user or service account from the **IAM & Admin** page. Grant it on
  the project, folder, or organization where you plan to set the policy, or on
  an ancestor of it.

  [Go to the IAM accounts page](https://console.cloud.google.com/iam-admin/iam)

Add the CMEK organization policy
--------------------------------

To add a CMEK organization policy, follow these steps:

1. Go to the **Organization policies** page.

   [Go to the Organization policies page](https://console.cloud.google.com/iam-admin/orgpolicies)
2. Click the drop-down in the Google Cloud console menu bar, and then select the project, folder,
   or organization that requires the organization policy. The
   **Organization policies** page displays a list of available organization policy
   constraints.
3. To set `constraints/gcp.restrictNonCmekServices`, follow these steps:

   1. Filter for the constraint using the `ID`: `constraints/gcp.restrictNonCmekServices`
      or the `Name`: `Restrict which services may create resources without CMEK`.
   2. Click the constraint **Name**.
   3. Click **Edit**.
   4. Click **Customize**.
   5. Click **Add rule**.
   6. Under **Policy values**, click **Custom**.
   7. Under **Policy types**, select **Deny**.
   8. Under **Custom values**, enter `alloydb.googleapis.com`. This ensures that
      CMEK is enforced while creating AlloyDB clusters and backups.
4. To set `constraints/gcp.restrictCmekCryptoKeyProjects`, follow these steps:

   1. Filter for the constraint `ID`: `constraints/gcp.restrictCmekCryptoKeyProjects`
      or `Name`: `Restrict which projects may supply KMS CryptoKeys for CMEK`.
   2. Click the constraint **Name**.
   3. Click **Edit**.
   4. Click **Customize**.
   5. Click **Add rule**.
   6. Under **Policy values**, click **Custom**.
   7. Under **Policy types**, select **Allow**.
   8. Under **Custom values**, enter the resource using one of the following formats:
      `under:organizations/ORGANIZATION_ID`,
      `under:folders/FOLDER_ID`, or `projects/PROJECT_ID`. The `under:` prefix
      allows keys from every project beneath that folder or organization; a
      plain `projects/PROJECT_ID` allows keys from that one project only.

      This ensures that your AlloyDB clusters and backups use
      Cloud KMS keys only from the allowed project, folder, or
      organization.
5. Click **Done** and then click **Save**.
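The same two constraints set from the gcloud CLI instead of the console, as an added example that is not part of this page or of the AlloyDB product documentation. It writes the two policies in the YAML format that `gcloud org-policies set-policy` accepts and then reads back the effective policy with `gcloud org-policies describe --effective`, which is the check to run after saving because it includes rules inherited from parent folders and the organization. The parent resource, the allowed key-source values, the output file names and the `apply` subcommand are placeholders chosen for this example; the constraint names, the `Deny` value `alloydb.googleapis.com` and the `under:`/`projects/` value formats are the ones the procedure above uses.

```bash
#!/bin/sh
# Added example (not from the AlloyDB documentation): sets the two CMEK
# constraints from the gcloud CLI instead of the console.
# Assumed placeholders: the parent resource, the key-source values and the
# output file names are choices made for this example.
set -eu

# Policy file for constraints/gcp.restrictNonCmekServices: deny resource
# creation without CMEK for the AlloyDB service. PARENT is one of
# projects/PROJECT_ID, folders/FOLDER_ID or organizations/ORGANIZATION_ID.
cmek_required_policy() {
  parent="$1"
  cat <<EOF
name: ${parent}/policies/gcp.restrictNonCmekServices
spec:
  rules:
  - values:
      deniedValues:
      - alloydb.googleapis.com
EOF
}

# Accept only the value formats the console step lists. Anything else
# (a bare number, a folder without "under:", an empty ID) is rejected.
valid_key_source() {
  case "$1" in
    projects/?*|under:folders/?*|under:organizations/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Policy file for constraints/gcp.restrictCmekCryptoKeyProjects: allow only
# keys from the given sources. A malformed value aborts the build rather than
# producing a policy that silently allows a different set of keys.
cmek_key_sources_policy() {
  parent="$1"; shift
  [ "$#" -gt 0 ] || { echo "at least one allowed key source is required" >&2; return 1; }
  for src in "$@"; do
    valid_key_source "$src" || { echo "invalid key source: $src" >&2; return 1; }
  done
  printf 'name: %s/policies/gcp.restrictCmekCryptoKeyProjects\n' "$parent"
  printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
  for src in "$@"; do
    printf '      - %s\n' "$src"
  done
}

# Turn organizations/123 into --organization=123 (folders/ and projects/
# likewise) for `gcloud org-policies describe`.
scope_flag() {
  kind="${1%%/*}"; id="${1#*/}"
  printf '%s%s=%s\n' '--' "${kind%s}" "$id"
}

# Apply one policy file. With DRY_RUN=1 the command is printed, not run.
apply_policy() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: gcloud org-policies set-policy $1"
  else
    gcloud org-policies set-policy "$1"
  fi
}

# Usage: sh cmek-org-policy.sh apply PARENT KEY_SOURCE...
# e.g.   DRY_RUN=1 sh cmek-org-policy.sh apply organizations/123456789012 under:folders/987654321098
main() {
  parent="$1"; shift
  cmek_required_policy "$parent" > restrict-non-cmek.yaml
  cmek_key_sources_policy "$parent" "$@" > restrict-cmek-key-projects.yaml
  apply_policy restrict-non-cmek.yaml
  apply_policy restrict-cmek-key-projects.yaml
  # Read back what is actually in force, including rules inherited from above.
  if [ "${DRY_RUN:-0}" != "1" ]; then
    for c in gcp.restrictNonCmekServices gcp.restrictCmekCryptoKeyProjects; do
      gcloud org-policies describe "$c" --effective "$(scope_flag "$parent")"
    done
  fi
}

if [ "${1:-}" = "apply" ]; then
  shift
  main "$@"
fi
```

Run it with `DRY_RUN=1` first and inspect the two generated YAML files, then run it for real with an identity that holds `roles/orgpolicy.policyAdmin` on the parent. Once the policies are saved, a `gcloud alloydb clusters create` without the `--kms-key` flags should be rejected, and one that names a key outside the allowed sources should be rejected as well; existing clusters and backups are unaffected, as the page notes.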
What's next
-----------

- Learn more about [customer-managed encryption keys (CMEK) for AlloyDB for PostgreSQL](/alloydb/docs/cmek).
- See [Introduction to the Organization Policy Service](/resource-manager/docs/organization-policy/overview) to learn more about organization policies.
- Learn more about how to [create and manage organization policies](/resource-manager/docs/organization-policy/using-constraints).
- See the full list of predefined [Organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints).
- [Connect using a public IP](/alloydb/docs/connect-public-ip).
- [Create a primary instance](/alloydb/docs/instance-primary-create).

Last updated 2025-08-26 UTC.