Manage security for Private Service Connect producers

This page describes how service producers can implement security for producer organizations and projects that use Private Service Connect.

Consumer accept lists let service owners specify the networks or projects that can connect to an individual service attachment. Organization policies also control access to service attachments, but they let network administrators broadly control access to all service attachments in an organization.

Consumer accept lists and organization policies are complementary and can be used together. In this case, a Private Service Connect connection is only created if it is authorized by both of these security mechanisms.

Roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Producer organization policies

You can use organization policies with the compute.restrictPrivateServiceConnectConsumer list constraint to control which endpoints and backends can connect to Private Service Connect service attachments. If an endpoint or backend is rejected by a producer organization policy, the creation of the resource succeeds, but the connection enters the rejected state.

For more information, see Producer-side organization policies.

Reject connections from unauthorized endpoints and backends

Resources: endpoints and backends

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy. Add the following content to the file:

    name: organizations/PRODUCER_ORG/policies/compute.restrictPrivateServiceConnectConsumer
    spec:
      rules:
      - values:
          allowedValues:
          - under:organizations/CONSUMER_ORG_NUMBER

    Replace the following:

    • PRODUCER_ORG: the organization ID of the producer organization whose service attachments you want to control consumer Private Service Connect access to.
    • CONSUMER_ORG_NUMBER: the numeric resource ID of the consumer organization that you want to let connect to service attachments in the producer organization.

    To specify additional organizations that can connect to service attachments in the producer organization, include additional entries in the allowedValues section.

    In addition to organizations, you can specify authorized folders and projects in the following form:

    • under:folders/FOLDER_ID

      The FOLDER_ID must be the numeric ID.

    • under:projects/PROJECT_ID

      The PROJECT_ID must be the string ID.

    For example, the following file shows an organization policy configuration that rejects connections from endpoints or backends to service attachments in Producer-org-1 unless the endpoint or backend is associated with an allowed value or a descendant of an allowed value. The allowed values are the organization Consumer-org-1, the project Consumer-project-1, and the folder Consumer-folder-1.

    name: organizations/Producer-org-1/policies/compute.restrictPrivateServiceConnectConsumer
    spec:
      rules:
      - values:
          allowedValues:
          - under:organizations/Consumer-org-1
          - under:projects/Consumer-project-1
          - under:folders/Consumer-folder-1
  2. Apply the policy.

    gcloud org-policies set-policy /tmp/policy.yaml
  3. View the policy that is in effect.

    gcloud org-policies describe compute.restrictPrivateServiceConnectConsumer \
        --effective \
        --organization=PRODUCER_ORG
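As an added example (not code from this page or from Google's tooling), the following Python script renders the policy file from steps 1 and 2 and checks every allowedValues entry against the identifier rules above before anything is handed to gcloud: organization and folder IDs must be numeric and project IDs must be the string ID. The project ID pattern, the sample IDs, and the helper names (validate_allowed_value, build_policy, write_policy) are assumptions of this example; the script only writes the file and returns the gcloud command, it does not run it.

```python
import re
from pathlib import Path

# Constraint name used on this page.
CONSTRAINT = "compute.restrictPrivateServiceConnectConsumer"

# Identifier formats for each resource kind that may follow "under:".
# Organization and folder IDs are numeric, as the page states. The project ID
# pattern is an assumption of this example (6-30 chars, lowercase letters,
# digits and hyphens, starting with a letter and not ending with a hyphen).
_ID_FORMATS = {
    "organizations": re.compile(r"\d+"),
    "folders": re.compile(r"\d+"),
    "projects": re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]"),
}


def validate_allowed_value(value: str) -> str:
    """Return value if it is a well-formed allowedValues entry, else raise ValueError."""
    prefix = "under:"
    if not value.startswith(prefix):
        raise ValueError(f"{value!r}: entries must use the {prefix} prefix")
    kind, sep, ident = value[len(prefix):].partition("/")
    if not sep or kind not in _ID_FORMATS:
        raise ValueError(
            f"{value!r}: expected under:organizations/<number>, "
            "under:folders/<number> or under:projects/<project-id>"
        )
    if not _ID_FORMATS[kind].fullmatch(ident):
        raise ValueError(f"{value!r}: {ident!r} is not a valid {kind[:-1]} identifier")
    return value


def build_policy(producer_org: str, allowed_values: list) -> str:
    """Render the org policy YAML shown on this page for the given allowed consumers."""
    if not re.fullmatch(r"\d+", producer_org):
        raise ValueError("producer organization must be given as its numeric ID")
    if not allowed_values:
        # Assumption of this helper: require at least one entry so a typo in the
        # caller's list does not silently produce a policy with no consumers.
        raise ValueError("refusing to render a policy with no allowed consumers")
    lines = [
        f"name: organizations/{producer_org}/policies/{CONSTRAINT}",
        "spec:",
        "  rules:",
        "  - values:",
        "      allowedValues:",
    ]
    seen = set()
    for value in allowed_values:
        value = validate_allowed_value(value)
        if value not in seen:  # drop duplicates but keep the caller's order
            seen.add(value)
            lines.append(f"      - {value}")
    return "\n".join(lines) + "\n"


def write_policy(path: str, producer_org: str, allowed_values: list) -> str:
    """Write the policy file and return the gcloud command that applies it."""
    Path(path).write_text(build_policy(producer_org, allowed_values))
    return f"gcloud org-policies set-policy {path}"


if __name__ == "__main__":
    # Constructed sample identifiers; they do not refer to real resources.
    cmd = write_policy(
        "/tmp/policy.yaml",
        "111111111111",
        ["under:organizations/222222222222",
         "under:folders/333333333333",
         "under:projects/consumer-project-1"],
    )
    print(Path("/tmp/policy.yaml").read_text())
    print(cmd)
```

Running the script with a malformed entry such as under:folders/my-folder stops at validation with an explanation, which is cheaper than finding out from a rejected gcloud org-policies set-policy call or, worse, from a policy that silently allows less than intended.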

Consumer accept and reject lists

Resources: endpoints and backends

Consumer accept and reject lists are associated with service attachments. These lists let you explicitly accept or deny connections from consumer projects or networks.

For more information, see Consumer accept and reject lists.

Interaction between accept lists and organization policies

Both consumer accept lists and organization policies control whether a connection can be established between two Private Service Connect resources. Connections are blocked if either an accept list or an organization policy denies the connection.

For example, a policy with the restrictPrivateServiceConnectConsumer constraint can be configured to block connections from outside of the producer's organization. Even if a service attachment is configured to automatically accept all connections, the organization policy still blocks connections from outside of the producer's organization. We recommend using both accept lists and organization policies together to help provide layered security.
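The following Python model is an added example, not Google's evaluation code. It encodes the rule stated above: the consumer's resource ancestry is checked against the under: values of the producer organization policy, and then against the service attachment's consumer accept and reject lists, so a denial from either control rejects the connection. The Consumer and ServiceAttachment classes, the status strings, and the sample identifiers are constructed for this example; it models accept list entries by project ID only (network entries are omitted) and assumes that a project on the reject list is rejected even if it also appears on the accept list.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Consumer:
    """A consumer endpoint or backend and the resource hierarchy it lives in."""
    project: str              # string project ID
    folders: tuple            # numeric folder IDs, nearest parent first
    organization: str         # numeric organization ID

    def ancestry(self) -> set:
        """Every resource the consumer is equal to or a descendant of."""
        return {f"projects/{self.project}",
                *(f"folders/{f}" for f in self.folders),
                f"organizations/{self.organization}"}


@dataclass
class ServiceAttachment:
    """Producer-side settings that take part in the decision (hypothetical model)."""
    connection_preference: str                           # "ACCEPT_AUTOMATIC" or "ACCEPT_MANUAL"
    accept_list: set = field(default_factory=set)        # consumer project IDs
    reject_list: set = field(default_factory=set)        # consumer project IDs


def org_policy_allows(consumer: Consumer, allowed_values: list) -> bool:
    """under:X allows X itself and every descendant of X."""
    ancestry = consumer.ancestry()
    for value in allowed_values:
        if not value.startswith("under:"):
            raise ValueError(f"unsupported allowedValues entry {value!r}")
        if value[len("under:"):] in ancestry:
            return True
    return False


def accept_list_status(sa: ServiceAttachment, consumer: Consumer) -> str:
    """Outcome of the attachment's own accept/reject configuration."""
    # Assumption of this model: the reject list wins over the accept list.
    if consumer.project in sa.reject_list:
        return "REJECTED"
    if sa.connection_preference == "ACCEPT_AUTOMATIC":
        return "ACCEPTED"
    if sa.connection_preference == "ACCEPT_MANUAL":
        return "ACCEPTED" if consumer.project in sa.accept_list else "PENDING"
    raise ValueError(f"unknown connection preference {sa.connection_preference!r}")


def connection_status(sa: ServiceAttachment, consumer: Consumer,
                      allowed_values: Optional[list]) -> str:
    """Combined outcome. allowed_values=None means no producer org policy is set."""
    if allowed_values is not None and not org_policy_allows(consumer, allowed_values):
        # The consumer resource is still created; only the connection is rejected.
        return "REJECTED"
    return accept_list_status(sa, consumer)


if __name__ == "__main__":
    # Constructed sample: the producer only allows its own organization.
    policy = ["under:organizations/111111111111"]
    inside = Consumer("consumer-in-org", ("444444444444",), "111111111111")
    outside = Consumer("consumer-elsewhere", (), "999999999999")
    auto_accept = ServiceAttachment("ACCEPT_AUTOMATIC")
    for c in (inside, outside):
        print(c.project, connection_status(auto_accept, c, policy))
```

The outside consumer is rejected even though the attachment accepts automatically, which is the scenario the paragraph above describes; removing the policy (allowed_values=None) is what lets that connection through, so the accept list alone is the weaker of the two controls when the attachment is set to accept automatically.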

Configure accept and reject lists

For information about how to create a new service attachment that has consumer accept or reject lists, see Publish a service with explicit project approval.

For information about how to update consumer accept or reject lists, see Manage requests for access to a published service.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.