# Configure Assured OSS support for VPC Service Controls

| Enterprise [service tier](/security-command-center/docs/service-tiers)

Last updated 2025-08-25 UTC.

If you enable Assured Open Source Software (Assured OSS) within a VPC Service Controls service
perimeter, you must configure egress rules.

This document applies to the premium tier of
Assured Open Source Software only.

For more information, see [Configuring egress
policies](/vpc-service-controls/docs/configuring-ingress-egress-policies).

Before you begin
----------------

1. Make sure that you have the [required roles to configure
   VPC Service Controls](/vpc-service-controls/docs/access-control) at the
   organization level.

2. Make sure that you know the following information:

   - The service account that you used to set up Assured OSS.
   - The [Artifact Registry service agent](/artifact-registry/docs/ar-service-account) that was created automatically when you set up Assured OSS.
   - The user account that set up Assured OSS.

Configure the egress rule when downloading binaries from Assured OSS repositories
---------------------------------------------------------------------------------

Complete this task for your Artifact Registry repositories.

Configure the following egress rule:

```yaml
- egressFrom:
    identities:
    - serviceAccount:ASSURED_OSS_EMAIL_ADDRESS
    - serviceAccount:ARTIFACT_REGISTRY_EMAIL_ADDRESS
    - serviceAccount:OTHER_SERVICE_ACCOUNT_EMAIL_ADDRESS
    - USER_GROUP
  egressTo:
    operations:
    - methodSelectors:
      - method: artifactregistry.googleapis.com/MavenRead
      - method: artifactregistry.googleapis.com/NPMRead
      - method: artifactregistry.googleapis.com/PythonRead
      serviceName: artifactregistry.googleapis.com
    resources:
    - projects/855934472549
    - projects/107114433875
```

Replace the following:

- `ASSURED_OSS_EMAIL_ADDRESS`: the email address of the
  service account that you specified when you set up Assured OSS.

- `ARTIFACT_REGISTRY_EMAIL_ADDRESS`: the email
  address of the Artifact Registry service agent.

- `OTHER_SERVICE_ACCOUNT_EMAIL_ADDRESS`: the email
  addresses of other service accounts that require access to the open source
  packages.

- `USER_GROUP`: the groups that require
  access to the open source packages. For example, `group:my-group@example.com`
  or `user:alex@example.com`.

Configure the egress rule when accessing security metadata from the Assured OSS bucket
--------------------------------------------------------------------------------------

Complete this task for the user account and service account that you used to
set up Assured OSS.

Configure the following egress rule:

```yaml
- egressFrom:
    identities:
    - serviceAccount:ASSURED_OSS_EMAIL_ADDRESS
    - user:ASSURED_OSS_USER_EMAIL_ADDRESS
  egressTo:
    operations:
    - methodSelectors:
      - method: google.storage.objects.get
      - method: google.storage.objects.list
      serviceName: storage.googleapis.com
    resources:
    - projects/107114433875
```

Replace the following:

- `ASSURED_OSS_EMAIL_ADDRESS`: the email address of the
  service account that you specified when you set up Assured OSS.

- `ASSURED_OSS_USER_EMAIL_ADDRESS`: the email
  address of the user account that you used to set up Assured OSS.

Configure the egress rule when setting up Pub/Sub notifications
---------------------------------------------------------------

Complete this task to set up [Pub/Sub notifications for
Assured OSS](/assured-open-source-software/docs/use-notifications).

Create the following egress rule:

```yaml
- egressFrom:
    identities:
    - serviceAccount:ASSURED_OSS_EMAIL_ADDRESS
    - user:ASSURED_OSS_USER_EMAIL_ADDRESS
  egressTo:
    operations:
    - methodSelectors:
      - method: Subscriber.CreateSubscription
      serviceName: pubsub.googleapis.com
    resources:
    - projects/107114433875
```

Replace the following:

- `ASSURED_OSS_EMAIL_ADDRESS`: the email address of the
  service account that you specified when you set up Assured OSS.

- `ASSURED_OSS_USER_EMAIL_ADDRESS`: the email
  address of the user account that you used to set up Assured OSS.

After you configure the subscription, you can remove this egress rule.

What's next
-----------

- Learn more about [configuring egress policies](/vpc-service-controls/docs/configuring-ingress-egress-policies).

- [Enable Security Command Center with VPC Service Controls](/vpc-service-controls/docs/supported-products#table_security_command_center).
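
An audit for the three egress rules above, as an added example (not Google's tooling and not code from this page): it checks parsed rules against the methods and project numbers this page lists, rejects wildcard or `identityType` shortcuts, and flags the Pub/Sub rule as temporary. The `audit` function, the `ALLOWED` table and the sample identity are assumptions made for illustration; rules are passed as the dicts and lists a YAML loader would return for the policy file.

```python
# Added example: audits parsed egress rules against the allow-list on this page.
# Rules are plain dicts/lists, i.e. what a YAML loader returns for the policy file.
AR = "artifactregistry.googleapis.com"
ALLOWED = {  # service -> (permitted methods, permitted target projects), from the page
    AR: ({f"{AR}/MavenRead", f"{AR}/NPMRead", f"{AR}/PythonRead"},
         {"projects/855934472549", "projects/107114433875"}),
    "storage.googleapis.com": ({"google.storage.objects.get", "google.storage.objects.list"},
                               {"projects/107114433875"}),
    "pubsub.googleapis.com": ({"Subscriber.CreateSubscription"}, {"projects/107114433875"}),
}

def audit(rules):
    """Return (rule_index, message) findings for rules broader than documented."""
    findings = []
    for i, rule in enumerate(rules):
        src, dst = rule.get("egressFrom") or {}, rule.get("egressTo") or {}
        # identityType (for example ANY_IDENTITY) replaces the explicit list.
        if "identityType" in src or not src.get("identities"):
            findings.append((i, "identities are not listed explicitly"))
        resources = set(dst.get("resources") or [])
        for op in dst.get("operations") or []:
            svc = op.get("serviceName")
            if svc not in ALLOWED:
                findings.append((i, f"unexpected service: {svc}"))
                continue
            methods, projects = ALLOWED[svc]
            for sel in op.get("methodSelectors") or []:
                name = sel.get("method") or sel.get("permission")
                if name not in methods:
                    findings.append((i, f"unexpected method: {name}"))
            for res in sorted(resources - projects):
                findings.append((i, f"unexpected resource: {res}"))
            if svc == "pubsub.googleapis.com":
                findings.append((i, "temporary rule: remove once the subscription exists"))
    return findings

# Constructed sample input: rule 0 matches the page, rule 1 has drifted.
SAMPLE_RULES = [
    {"egressFrom": {"identities": ["serviceAccount:aoss-sa@example-project.iam.gserviceaccount.com"]},
     "egressTo": {"operations": [{"serviceName": "storage.googleapis.com",
                                  "methodSelectors": [{"method": "google.storage.objects.get"},
                                                      {"method": "google.storage.objects.list"}]}],
                  "resources": ["projects/107114433875"]}},
    {"egressFrom": {"identityType": "ANY_IDENTITY"},
     "egressTo": {"operations": [{"serviceName": AR, "methodSelectors": [{"method": "*"}]}],
                  "resources": ["*"]}},
]

if __name__ == "__main__":
    for index, message in audit(SAMPLE_RULES):
        print(f"rule {index}: {message}")
```

Running the audit periodically against the perimeter's exported egress policy catches rules that were widened after setup, and reminds you to delete the `Subscriber.CreateSubscription` rule once the subscription exists.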