Confidential Space requires read access to Cloud Storage buckets to download the certificates that are used to validate its attestation token. If these Cloud Storage buckets are located outside your perimeter, you must create the following egress rule:
- egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/870449385679
    - projects/180376494128
  egressFrom:
    identityType: ANY_IDENTITY
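A policy-as-code check that a perimeter's egress policies actually contain the rule above, added here as an example and not taken from the Google Cloud documentation or tooling. It assumes the egress policies have been loaded from their YAML into plain Python dicts (for instance with yaml.safe_load); the sample rule at the bottom is constructed from the values on this page.

```python
# Added example: verify that some egress policy in a VPC Service Controls perimeter lets
# Confidential Space read its attestation-token certificates from Cloud Storage.

REQUIRED_SERVICE = "storage.googleapis.com"
REQUIRED_METHOD = "google.storage.objects.get"
# Projects that host the certificate buckets (project numbers taken from the page).
REQUIRED_RESOURCES = {"projects/870449385679", "projects/180376494128"}

def _operation_allows_object_get(operation: dict) -> bool:
    """True if one egressTo.operations entry covers objects.get, explicitly or via '*'."""
    if operation.get("serviceName") not in (REQUIRED_SERVICE, "*"):
        return False
    methods = {sel.get("method") for sel in operation.get("methodSelectors", [])}
    return REQUIRED_METHOD in methods or "*" in methods

def _policy_findings(policy: dict) -> list:
    """List what a single egress policy is missing relative to the documented rule."""
    findings = []
    egress_to = policy.get("egressTo", {})
    if not any(_operation_allows_object_get(op) for op in egress_to.get("operations", [])):
        findings.append(f"no operation allows {REQUIRED_METHOD} on {REQUIRED_SERVICE}")
    resources = set(egress_to.get("resources", []))
    if "*" not in resources:  # a wildcard resource list covers both projects
        findings.extend(f"missing resource {r}" for r in sorted(REQUIRED_RESOURCES - resources))
    if policy.get("egressFrom", {}).get("identityType") != "ANY_IDENTITY":
        findings.append("egressFrom.identityType is not ANY_IDENTITY")
    return findings

def check_confidential_space_egress(policies: list) -> list:
    """Return [] when a single policy satisfies the rule; otherwise the findings of the
    policy that comes closest, so the operator sees exactly what still has to be added."""
    if not policies:
        return ["perimeter has no egress policies"]
    return min((_policy_findings(p) for p in policies), key=len)

# Constructed sample: the documented rule expressed as the dict yaml.safe_load would produce.
GOOD_RULE = {
    "egressTo": {
        "operations": [{"serviceName": REQUIRED_SERVICE,
                        "methodSelectors": [{"method": REQUIRED_METHOD}]}],
        "resources": sorted(REQUIRED_RESOURCES),
    },
    "egressFrom": {"identityType": "ANY_IDENTITY"},
}
```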