VPC Service Controls


Confidential Space needs read access to the Cloud Storage buckets that hold the certificates used to validate its attestation token. If those buckets are outside your VPC Service Controls perimeter, create the following egress rule. The rule is deliberately narrow: any identity inside the perimeter may call only the `google.storage.objects.get` method of `storage.googleapis.com`, and only against resources in the two listed projects, so it does not open general egress to Cloud Storage.

```yaml
- egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/870449385679
    - projects/180376494128
  egressFrom:
    identityType: ANY_IDENTITY
```
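To put the rule in place, the following added example (not part of the Confidential Space documentation) writes it to a file, checks offline that the file is no broader than the rule above, and pushes it to a perimeter's dry-run configuration with `gcloud` before you enforce it. `PERIMETER_NAME`, `ACCESS_POLICY_ID` and the `APPLY`/`ENFORCE` switches are placeholders and conventions assumed here; the two project numbers are the ones from the rule above.

```shell
#!/usr/bin/env bash
# Added example: stage the Confidential Space egress rule, check its scope offline,
# then apply it to a VPC Service Controls perimeter (dry-run first).
# PERIMETER_NAME and ACCESS_POLICY_ID are placeholders (assumptions), not values from the page.
set -eu

PERIMETER_NAME="${PERIMETER_NAME:-my-perimeter}"        # assumed placeholder
ACCESS_POLICY_ID="${ACCESS_POLICY_ID:-123456789012}"    # assumed placeholder

# Projects hosting the attestation certificates, as listed in the rule above.
CERT_PROJECTS="870449385679 180376494128"

# Write the egress rule exactly as the documentation gives it.
write_egress_rule() {
  cat > "$1" <<'EOF'
- egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/870449385679
    - projects/180376494128
  egressFrom:
    identityType: ANY_IDENTITY
EOF
}

# Count lines matching a pattern; prints 0 instead of failing when nothing matches.
count_lines() {
  grep -c -- "$1" "$2" || true
}

# Offline least-privilege check: succeed only if the file grants objects.get on
# storage.googleapis.com and nothing else, and only to the two certificate projects.
check_egress_rule() {
  f="$1"
  [ "$(count_lines 'serviceName:' "$f")" -eq 1 ] || return 1
  grep -q -- 'serviceName: storage.googleapis.com' "$f" || return 1
  [ "$(count_lines '- method:' "$f")" -eq 1 ] || return 1
  grep -q -- '- method: google.storage.objects.get' "$f" || return 1
  [ "$(count_lines '- projects/' "$f")" -eq 2 ] || return 1
  for p in $CERT_PROJECTS; do
    grep -q -- "- projects/$p" "$f" || return 1
  done
  grep -q -- 'identityType: ANY_IDENTITY' "$f" || return 1
  return 0
}

# Push the rule to the perimeter's dry-run config; violations are only logged, not blocked.
# Caveat: --set-egress-policies replaces the perimeter's entire egress policy list, so the
# file you pass must also contain any egress rules the perimeter already has.
apply_egress_rule_dry_run() {
  gcloud access-context-manager perimeters dry-run update "$PERIMETER_NAME" \
    --policy="$ACCESS_POLICY_ID" \
    --set-egress-policies="$1"
}

# Same rule on the enforced config, once the dry-run logs show no unexpected denials.
apply_egress_rule_enforced() {
  gcloud access-context-manager perimeters update "$PERIMETER_NAME" \
    --policy="$ACCESS_POLICY_ID" \
    --set-egress-policies="$1"
}

rule_file="${RULE_FILE:-$(mktemp)}"
write_egress_rule "$rule_file"
check_egress_rule "$rule_file" || { echo "egress rule is broader than expected" >&2; exit 1; }
echo "egress rule staged in $rule_file"

# Nothing is pushed to Google Cloud unless APPLY=1 is set; ENFORCE=1 skips the dry-run step.
if [ "${APPLY:-0}" = "1" ]; then
  if [ "${ENFORCE:-0}" = "1" ]; then
    apply_egress_rule_enforced "$rule_file"
  else
    apply_egress_rule_dry_run "$rule_file"
  fi
fi
```

Run it once with no switches to stage and check the file, then `APPLY=1` to update the dry-run configuration and watch the perimeter's audit logs for `NO_MATCHING_ACCESS_LEVEL`-style denials on the certificate downloads before running with `APPLY=1 ENFORCE=1`. Because `--set-egress-policies` overwrites the whole egress list, merge this rule into the file that holds your existing egress policies rather than applying it on its own.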