If you enable Assured Open Source Software (Assured OSS) within a VPC Service Controls service perimeter, you must configure egress rules.
This document applies to the premium tier of Assured Open Source Software only.
For more information, see Configuring egress policies.
Before you begin
Make sure that you have the required roles to configure VPC Service Controls at the organization level.
Make sure that you know the following information:
- The service account that you used to set up Assured OSS.
- The Artifact Registry service agent that was created automatically when you set up Assured OSS.
- The user account that set up Assured OSS.
Configure the egress rule when downloading binaries from Assured OSS repositories
Complete this task for your Artifact Registry repositories.
Configure the following egress rule:
- egressFrom:
identities:
- serviceAccount: ASSURED_OSS_EMAIL_ADDRESS
- serviceAccount: ARTIFACT_REPOSITORY_EMAIL_ADDRESS
- serviceAccount: OTHER_SERVICE_ACCOUNT_EMAIL_ADDRESS
- USER_GROUP
egressTo:
operations:
- methodSelectors:
- method: artifactregistry.googleapis.com/MavenRead
- method: artifactregistry.googleapis.com/NPMRead
- method: artifactregistry.googleapis.com/PythonRead
serviceName: artifactregistry.googleapis.com
resources:
- projects/855934472549
- projects/107114433875
Replace the following:
ASSURED_OSS_EMAIL_ADDRESS: the email address of the service account that you specified when you set up Assured OSS.
ARTIFACT_REGISTRY_EMAIL_ADDRESS: the email address of the Artifact Registry service agent.
OTHER_SERVICE_ACCOUNT_EMAIL_ADDRESS: the email addresses of other service accounts that require access to the open source packages.
USER_GROUP: the groups that require access to the open source packages. For example,
group:my-group@example.comoruser:alex@example.com.
Configure the egress rule when accessing security metadata from the Assured OSS bucket
Complete this task for the user account and service account that you used to set up Assured OSS.
Configure the following egress rule:
- egressFrom:
identities:
- serviceAccount: ASSURED_OSS_EMAIL_ADDRESS
- user: ASSURED_OSS_USER_EMAIL_ADDRESS
egressTo:
operations:
- methodSelectors:
- method: google.storage.objects.get
- method: google.storage.objects.list
serviceName: storage.googleapis.com
resources:
- projects/107114433875
Replace the following:
ASSURED_OSS_EMAIL_ADDRESS: the email address of the service account that you specified when you set up Assured OSS.
ASSURED_OSS_USER_EMAIL_ADDRESS: the email address of the user account that you used to set up Assured OSS.
Configure the egress rule when setting up Pub/Sub notifications
Complete this task to set up Pub/Sub notifications for Assured OSS.
Create the following egress rule:
- egressFrom:
- serviceAccount: ASSURED_OSS_EMAIL_ADDRESS
- user: ASSURED_OSS_USER_EMAIL_ADDRESS
egressTo:
operations:
- methodSelectors:
- method: Subscriber.CreateSubscription
serviceName: pubsub.googleapis.com
resources:
- projects/107114433875
Replace the following:
ASSURED_OSS_EMAIL_ADDRESS: the email address of the service account that you specified when you set up Assured OSS.
ASSURED_OSS_USER_EMAIL_ADDRESS: the email address of the user account that you used to set up Assured OSS.
After you configure the subscription, you can remove this egress rule.
What's next
Learn more about configuring egress policies.