# Test an organization restrictions header before configuring an egress proxy

Last updated 2025-08-25 UTC.

This page describes how Google Cloud administrators can test organization restrictions
without having to configure an egress proxy.

To create and test the organization restrictions header, do the following:

1. To get the Google Cloud organization ID of the organization, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):

   ```
   gcloud organizations list
   ```

   The following is example output:

   ```
   DISPLAY_NAME: Organization A
   ID: 123456789
   DIRECTORY_CUSTOMER_ID: a1b2c3d4
   ```
2. After you get the organization ID, compose the JSON representation for the header
   value in the following format:

   ```
   {
     "resources": ["organizations/123456789"],
     "options": "strict"
   }
   ```

3. Encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).

   For example, if the JSON representation for the header value is stored in the
   `authorized_orgs.json` file, the following is the encoding through [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html):

   ```
   $ OR_HEADER=$(basenc --base64url -w0 authorized_orgs.json)
   $ echo "$OR_HEADER"
   ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXQogIm9wdGlvbnMiOiAic3RyaWN0Igp9Cgo=
   ```

4. To test whether the header configuration allows access to a resource within an authorized
   Google Cloud organization, send a curl request to a resource within an authorized
   Google Cloud organization.
   Here is an example curl request:

   ```
   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call makes a
   # request to the logging API for a project within the same organization listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST \
       -d '{"projectIds": ["my-project-123"]}' \
       -H 'Content-Type: application/json' \
       -H "Authorization: Bearer ${TOKEN}" \
       "https://logging.googleapis.com/v2/entries:list"
   # A successful request returns log entries in this project
   ```

5. To test whether the header configuration denies access to a resource that is outside the authorized
   Google Cloud organization, send a curl request to a resource outside an authorized
   Google Cloud organization.
   Here is an example curl request:

   ```
   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call makes a
   # request to the logging API for a project not within the same organization listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST \
       -d '{"projectIds": ["other-project-123"]}' \
       -H 'Content-Type: application/json' \
       -H "Authorization: Bearer ${TOKEN}" \
       "https://logging.googleapis.com/v2/entries:list"
   {
     "error": {
       "code": 403,
       "message": "Access denied by organization restriction. Contact your administrator for additional information.",
       "status": "PERMISSION_DENIED",
       "details": [
         {
           "@type": "type.googleapis.com/google.rpc.ErrorInfo",
           "reason": "ORG_RESTRICTION_VIOLATION",
           "domain": "googleapis.com",
           "metadata": {
             "service": "logging.googleapis.com",
             "consumer": "other-project-123"
           }
         }
       ]
     }
   }
   ```

   An access denied error message like this one indicates that the request to the resource is denied.

What's next
-----------

- Learn about [using organization restrictions](/resource-manager/docs/organization-restrictions/examples-org-restrictions).
- Learn about the [services supported by organization restrictions](/resource-manager/docs/organization-restrictions/supported-services).
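
Steps 2 and 3 of the procedure above, as an added example that is not part of the original page or of Google's tooling: it builds the header value from organization IDs and checks an existing value before it is sent, rejecting standard-alphabet base64 and JSON that does not parse. The function names, the numeric-ID pattern and the single accepted `options` value (`strict`, the only one this page shows) are assumptions.

```python
import base64
import json
import re

B64URL_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")    # RFC 4648 section 5 alphabet only
RESOURCE_RE = re.compile(r"organizations/[0-9]+")   # assumption: numeric IDs, as in the page's sample
KNOWN_OPTIONS = {"strict"}                          # assumption: only value shown on this page


def validate_policy(policy):
    """Raise ValueError unless the policy has the shape shown in step 2."""
    if not isinstance(policy, dict) or set(policy) != {"resources", "options"}:
        raise ValueError("expected exactly the keys 'resources' and 'options'")
    resources = policy["resources"]
    if not isinstance(resources, list) or not resources:
        raise ValueError("'resources' must be a non-empty list")
    for entry in resources:
        if not isinstance(entry, str) or not RESOURCE_RE.fullmatch(entry):
            raise ValueError(f"bad resource entry: {entry!r}")
    options = policy["options"]
    if not isinstance(options, str) or options not in KNOWN_OPTIONS:
        raise ValueError(f"unexpected options value: {options!r}")


def build_header(org_ids, options="strict"):
    """Return the base64url-encoded header value for the given organization IDs."""
    policy = {"resources": [f"organizations/{i}" for i in org_ids], "options": options}
    validate_policy(policy)
    raw = json.dumps(policy, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def inspect_header(value):
    """Decode a header value and return the parsed policy, or raise ValueError."""
    if not B64URL_RE.fullmatch(value):
        raise ValueError("not base64url: characters outside A-Z a-z 0-9 - _ found")
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        policy = json.loads(raw)
    except ValueError as exc:  # covers bad padding, bad UTF-8 and JSON syntax errors
        raise ValueError(f"header does not decode to JSON: {exc}") from exc
    validate_policy(policy)
    return policy
```

The string returned by `build_header(["123456789"])` can be exported as `OR_HEADER` for the curl requests in steps 4 and 5; `basenc` encodes whatever bytes it is given, so running `inspect_header` on the result of step 3 catches a JSON typo before it reaches the API.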