# VPC Service Controls

Last updated (UTC): 2025-08-18.

To validate its attestation token, Confidential Space needs to download certificates from Cloud Storage buckets. If these buckets reside outside your perimeter, you must configure the following egress rule:

```yaml
- egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/870449385679
    - projects/180376494128
  egressFrom:
    identityType: ANY_IDENTITY
```

The following table lists the projects containing the necessary certificates:

| Project name | Project number | Contents |
| --- | --- | --- |
| `cloud-shielded-ca-prod` | `870449385679` | Attestation certificates |
| `cloud-shielded-ca-prod-root` | `180376494128` | Root certificates |

If the Compute Engine API is restricted by your service perimeter, you must create the following egress rule:

```yaml
- egressTo:
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: InstancesService.Insert
    resources:
    - projects/30229352718
  egressFrom:
    identityType: ANY_IDENTITY
```

The following table lists the project necessary to fetch Confidential Space VM images:

| Project name | Project number | Contents |
| --- | --- | --- |
| `confidential-space-images` | `30229352718` | Confidential Space VM images |
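Because a perimeter that silently lacks one of these rules only shows up as a failed attestation or a failed VM creation at runtime, it is worth checking the perimeter's egress policies against the two rules above before enabling enforcement. The following checker is an added example written for this page; it is not Google's tooling. It assumes the perimeter has been exported as JSON in the layout `gcloud access-context-manager perimeters describe PERIMETER --format=json` prints (egress policies under `status.egressPolicies`), treats a `*` method selector or `*` resource as a wildcard, and uses a constructed sample perimeter that has the Storage rule but omits the root-certificate project and the Compute Engine rule.

```python
import json

# Egress that Confidential Space needs, taken from the two rules on this page:
# (service, method, resources that must be reachable).
REQUIRED_EGRESS = [
    ("storage.googleapis.com", "google.storage.objects.get",
     ("projects/870449385679", "projects/180376494128")),   # attestation + root CA certificates
    ("compute.googleapis.com", "InstancesService.Insert",
     ("projects/30229352718",)),                             # Confidential Space VM images
]


def _policy_allows(policy, service, method, resource):
    """True if this policy's egressTo block allows `method` of `service` to `resource`.

    A resource list containing "*" or a method selector of "*" is treated as a
    wildcard (assumed semantics for this example). Identity scoping in egressFrom
    is not inspected here; the page's rules use ANY_IDENTITY.
    """
    to = policy.get("egressTo", {})
    resources = to.get("resources", [])
    if "*" not in resources and resource not in resources:
        return False
    for op in to.get("operations", []):
        if op.get("serviceName") not in (service, "*"):
            continue
        methods = {sel.get("method") for sel in op.get("methodSelectors", [])}
        if "*" in methods or method in methods:
            return True
    return False


def missing_egress(egress_policies, required=REQUIRED_EGRESS):
    """Return the (service, method, resource) triples that no egress policy covers."""
    gaps = []
    for service, method, resources in required:
        for resource in resources:
            if not any(_policy_allows(p, service, method, resource) for p in egress_policies):
                gaps.append((service, method, resource))
    return gaps


# Constructed sample (not real output): a perimeter whose only egress policy grants
# google.storage.objects.get to the attestation-certificate project alone.
SAMPLE_PERIMETER_JSON = """
{
  "name": "accessPolicies/EXAMPLE_POLICY_ID/servicePerimeters/example-perimeter",
  "status": {
    "restrictedServices": ["storage.googleapis.com", "compute.googleapis.com"],
    "egressPolicies": [
      {
        "egressFrom": {"identityType": "ANY_IDENTITY"},
        "egressTo": {
          "operations": [
            {"serviceName": "storage.googleapis.com",
             "methodSelectors": [{"method": "google.storage.objects.get"}]}
          ],
          "resources": ["projects/870449385679"]
        }
      }
    ]
  }
}
"""


def check_perimeter(perimeter_json):
    """Parse a perimeter JSON document (assumed `describe --format=json` layout)
    and return the Confidential Space egress it is missing."""
    perimeter = json.loads(perimeter_json)
    policies = perimeter.get("status", {}).get("egressPolicies", [])
    return missing_egress(policies)


if __name__ == "__main__":
    for service, method, resource in check_perimeter(SAMPLE_PERIMETER_JSON):
        print(f"missing egress: {service} {method} -> {resource}")
```

For the constructed sample the checker reports two gaps: the root-certificate project `projects/180376494128` for `google.storage.objects.get`, and `projects/30229352718` for `InstancesService.Insert`. An empty result means both rules on this page are covered; it says nothing about whether the perimeter is otherwise too permissive, so review any `*` wildcards it accepted separately.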