Stay organized with collections
Save and categorize content based on your preferences.
By default, users in your project can create persistent disks or copy
images using any of the
public images
and any images that
principals can access through IAM roles.
However, in some situations you might want to restrict principals so that they
can create boot disks only from images that contain approved software that meets
your policy or security requirements.
Use the Trusted image feature to define an organization policy that
allows principals to create persistent disks only from images in specific
projects.
If you haven't already, set up authentication.
Authentication verifies your identity for access to Google Cloud services and APIs. To run
code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and
APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI.
After installation,
initialize the Google Cloud CLI by running the following command:
Trusted image policies do not prevent users from creating image resources in
their local projects.
Set image access constraints
Enact an image access policy by setting a compute.trustedImageProjects
constraint on your project, your folder, or your organization. You must have
permission to modify organization policies to set these constraints. For
example,
roles/orgpolicy.policyAdmin
has permission to set these constraints. For more information about managing
policies at the project, folder, or organization level, see
Using constraints.
You can set constraints on all public images available on Compute Engine.
For a list of image project names, see Operating systems details.
You can also restrict the Machine Learning (ML) images that are available on
Compute Engine by using the ml-images project. If you are using
Serverless VPC Access,
grant your project permission to use Compute Engine VM images from the
serverless-vpc-access-images project.
Use the Google Cloud console or Google Cloud CLI to set constraints on image access.
Console
For example, to set a constraint at the project level, do the following:
From the policies list, click Define trusted image projects.
The Policy details page displays.
On the Policy details page, click Manage Policy. The Edit policy
page displays.
On the Edit policy page, select Customize.
For Policy enforcement, select an enforcement option. For information
about inheritance and the resource hierarchy, see
Understanding Hierarchy Evaluation.
Click Add rule.
In the Policy values list, you can select whether this organization
policy should allow access to all image projects, deny access to all image
projects, or you can specify a custom set of projects to allow or deny
access to.
To set the policy rule, complete one of the following options:
To allow users to create boot disks from all public images,
select Allow All.
To restrict users from creating boot disk from all public images,
select Deny All.
To specify a select set of public images that users can create boot
disks from, select Custom.
A Policy type and Custom values field displays.
In the Policy type list, select Allow or Deny.
In the Custom values field, enter the name of the image project
using the projects/IMAGE_PROJECT format.
Replace IMAGE_PROJECT with the image project
you want to set the constraint on.
You can add multiple image projects. For each image project that
you want to add, click Add and enter the image project name.
To save the rule, click Done.
To save and apply the organization policy, click Save.
Open the policy.yaml file in a text editor and modify the
compute.trustedImageProjects constraint. Add the restrictions that you
need and remove the restrictions that you no longer require. When you
have finished editing the file, save your changes. For example,
you might set the following constraint entry in your policy file:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eTrusted image policies allow you to restrict the creation of persistent disks to only use images from specific projects, helping to enforce security and policy requirements.\u003c/p\u003e\n"],["\u003cp\u003eYou can set image access constraints by using the \u003ccode\u003ecompute.trustedImageProjects\u003c/code\u003e constraint at the project, folder, or organization level, allowing you to control which images can be used for boot disks.\u003c/p\u003e\n"],["\u003cp\u003eTrusted image policies do not affect access to custom images within your local project or image files in Cloud Storage buckets, and they do not prevent users from creating image resources in their local projects.\u003c/p\u003e\n"],["\u003cp\u003eImage access constraints can be configured to allow or deny the use of all public images or to specify a custom set of image projects that users can create boot disks from.\u003c/p\u003e\n"],["\u003cp\u003eTo implement constraints, you can use either the Google Cloud console or the gcloud CLI, with the latter requiring you to modify a policy.yaml file that outlines your specific restrictions.\u003c/p\u003e\n"]]],[],null,["# Setting up trusted image policies\n\n*** ** * ** ***\n\nBy default, users in your project can create persistent disks or copy\nimages using any of the\n[public images](/compute/docs/images#os-compute-support)\nand any images that\n[principals can access through IAM roles](/compute/docs/images/sharing-images-across-projects).\nHowever, in some situations you might want to restrict principals so that they\ncan create boot disks only from images that contain approved software that meets\nyour policy or security requirements.\n\nUse the Trusted image feature to define an organization policy that\nallows principals to create persistent disks only from images in specific\nprojects.\n\nTo restrict the locations where your images can be used, read\n[restricting use of your shared images, disks, and snapshots](/compute/docs/images/sharing-images-across-projects#restrict).\n\nBefore you begin\n----------------\n\n- Read the [Using constraints](/resource-manager/docs/organization-policy/using-constraints) page to learn about managing policies at organization level.\n- Read the [Understanding hierarchy evaluation](/resource-manager/docs/organization-policy/understanding-hierarchy) page to learn how organization policies propagate.\n- If you haven't already, set up [authentication](/compute/docs/authentication). Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:\n\n Select the tab for how you plan to use the samples on this page: \n\n ### Console\n\n\n When you use the Google Cloud console to access Google Cloud services and\n APIs, you don't need to set up authentication.\n\n ### gcloud\n\n 1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n After installation,\n [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command:\n\n ```bash\n gcloud init\n ```\n\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n 2. [Set a default region and zone](/compute/docs/gcloud-compute#set_default_zone_and_region_in_your_local_client).\n\n ### REST\n\n\n To use the REST API samples on this page in a local development environment, you use the\n credentials you provide to the gcloud CLI.\n 1. [Install](/sdk/docs/install) the Google Cloud CLI. After installation, [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command: \n\n ```bash\n gcloud init\n ```\n 2. If you're using an external identity provider (IdP), you must first [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n\n For more information, see\n [Authenticate for using REST](/docs/authentication/rest)\n in the Google Cloud authentication documentation.\n\nLimitations\n-----------\n\n- Trusted image policies do not restrict access to the following images:\n\n - [Custom images](/compute/docs/images#custom_images) in your local project.\n\n - Image files in Cloud Storage buckets.\n\n- Trusted image policies do not prevent users from creating image resources in\n their local projects.\n\nSet image access constraints\n----------------------------\n\nEnact an image access policy by setting a `compute.trustedImageProjects`\nconstraint on your project, your folder, or your organization. You must have\npermission to modify organization policies to set these constraints. For\nexample,\n[`roles/orgpolicy.policyAdmin`](/resource-manager/docs/access-control-org)\nhas permission to set these constraints. For more information about managing\npolicies at the project, folder, or organization level, see\n[Using constraints](/resource-manager/docs/organization-policy/using-constraints).\n\nYou can set constraints on all public images available on Compute Engine.\nFor a list of image project names, see [Operating systems details](/compute/docs/images/os-details).\nYou can also restrict the Machine Learning (ML) images that are available on\nCompute Engine by using the `ml-images` project. If you are using\n[Serverless VPC Access](/vpc/docs/configure-serverless-vpc-access#errors),\ngrant your project permission to use Compute Engine VM images from the\n`serverless-vpc-access-images` project.\n\nUse the Google Cloud console or Google Cloud CLI to set constraints on image access. \n\n### Console\n\nFor example, to set a constraint at the project level, do the following:\n\n1. Go to the **Organization policies** page.\n\n [Go to Organization policies](https://console.cloud.google.com/iam-admin/orgpolicies/)\n2. From the policies list, click **Define trusted image projects** .\n The **Policy details** page displays.\n\n3. On the **Policy details** page, click **Manage Policy** . The **Edit policy**\n page displays.\n\n4. On the **Edit policy** page, select **Customize**.\n\n5. For **Policy enforcement** , select an enforcement option. For information\n about inheritance and the resource hierarchy, see\n [Understanding Hierarchy Evaluation](/resource-manager/docs/organization-policy/understanding-hierarchy).\n\n6. Click **Add rule**.\n\n7. In the **Policy values** list, you can select whether this organization\n policy should allow access to all image projects, deny access to all image\n projects, or you can specify a custom set of projects to allow or deny\n access to.\n\n To set the policy rule, complete one of the following options:\n - To allow users to create boot disks from all public images, select **Allow All**.\n - To restrict users from creating boot disk from all public images, select **Deny All**.\n - To specify a select set of public images that users can create boot\n disks from, select **Custom** .\n A **Policy type** and **Custom values** field displays.\n\n 1. In the **Policy type** list, select **Allow** or **Deny**.\n 2. In the **Custom values** field, enter the name of the image project\n using the `projects/`\u003cvar translate=\"no\"\u003eIMAGE_PROJECT\u003c/var\u003e format.\n\n Replace \u003cvar translate=\"no\"\u003eIMAGE_PROJECT\u003c/var\u003e with the image project\n you want to set the constraint on.\n\n You can add multiple image projects. For each image project that\n you want to add, click **Add** and enter the image project name.\n8. To save the rule, click **Done**.\n\n9. To save and apply the organization policy, click **Save**.\n\nFor more information about creating organization policies, see\n[Creating and managing organization policies](/resource-manager/docs/organization-policy/creating-managing-policies).\n\n### gcloud\n\nFor example, to set a constraint at the project level, do the following:\n\n1. Get the existing policy settings for your project by using the [`resource-manager org-policies describe`](/sdk/gcloud/reference/resource-manager/org-policies/describe) command.\n\n ```\n gcloud resource-manager org-policies describe \\\n compute.trustedImageProjects --project=PROJECT_ID \\\n --effective \u003e policy.yaml\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID.\n2. Open the `policy.yaml` file in a text editor and modify the\n `compute.trustedImageProjects` constraint. Add the restrictions that you\n need and remove the restrictions that you no longer require. When you\n have finished editing the file, save your changes. For example,\n you might set the following constraint entry in your policy file:\n\n ```\n constraint: constraints/compute.trustedImageProjects\n listPolicy:\n allowedValues:\n - projects/debian-cloud\n - projects/cos-cloud\n deniedValues:\n - projects/IMAGE_PROJECT\n ```\n\n Replace \u003cvar translate=\"no\"\u003eIMAGE_PROJECT\u003c/var\u003e with the name of the image project that you want to restrict in your project.\n\n Optionally, you might want to deny access to all images outside of\n the custom images in your project. For that situation, use the\n following example: \n\n ```\n constraint: constraints/compute.trustedImageProjects\n listPolicy:\n allValues: DENY\n ```\n\n \u003cbr /\u003e\n\n3. Apply the `policy.yaml` file to your project. If your\n [organization or folder has existing constraints](/resource-manager/docs/organization-policy/understanding-policies),\n those constraints might conflict with project-level constraints that\n you set. To apply the constraint, use the [`resource-manager org-policies set-policy`](/sdk/gcloud/reference/resource-manager/org-policies/set-policy) command.\n\n ```\n gcloud resource-manager org-policies set-policy \\\n policy.yaml --project=PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID.\n\nWhen you have finished configuring the constraints,\ntest those constraints to ensure that they create the restrictions that you\nneed.\n\nWhat's next\n-----------\n\n- Learn more about the [Organization Policy Service](/resource-manager/docs/organization-policy/overview).\n- See what [public images](/compute/docs/images) are available for you to use by default.\n- [Share your private image](/compute/docs/images/sharing-images-across-projects) with other projects.\n- Learn how to [restrict use of your shared images, disks, and snapshots](/compute/docs/images/sharing-images-across-projects#restrict).\n- Learn how to [start an instance from an image](/compute/docs/instances/creating-and-starting-an-instance#startinginstancwithimage)."]]
