This page describes how Trusted Cloud by S3NS administrators can test organization restrictions without having to configure an egress proxy.
To create and test the organization restrictions header, do the following:
1. Get the Trusted Cloud by S3NS organization ID of the organization with the gcloud organizations list command:

   gcloud organizations list

   The following is example output:

   DISPLAY_NAME: Organization A
   ID: 123456789
   DIRECTORY_CUSTOMER_ID: a1b2c3d4
2. After you get the organization ID, compose the JSON representation for the header value in the following format:

   { "resources": ["organizations/123456789"], "options": "strict" }
3. Encode the value for the request header as base64url (RFC 4648 Section 5, the URL- and filename-safe alphabet that uses - and _ in place of + and /), with no line wrapping.

   For example, if the JSON representation for the header value is stored in the authorized_orgs.json file as

   {
    "resources": ["organizations/123456789"],
    "options": "strict"
   }

   the following encodes it with basenc (-w0 disables line wrapping, which would otherwise insert newlines into the header value):

   $ OR_HEADER=$(basenc --base64url -w0 < authorized_orgs.json)
   $ echo "$OR_HEADER"
   ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo=

   The encoding covers every byte of the file, including indentation and trailing newlines, so your value differs if the file's whitespace differs. Any byte sequence encodes without complaint, including malformed JSON, so decode the value (basenc --base64url -d) and confirm that it is the valid JSON you intended before you use it.
4. To test whether the header allows access to a resource within an authorized Trusted Cloud by S3NS organization, send a curl request for a resource in that organization. Here is an example curl request:

   # Get an access token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call
   # lists log entries for a project that belongs to the organization named in the header
   $ curl -X POST "https://logging.googleapis.com/v2/entries:list" \
       -H "X-Goog-Allowed-Resources: ${OR_HEADER}" \
       -H "Authorization: Bearer ${TOKEN}" \
       -H 'Content-Type: application/json' \
       -d '{"projectIds": ["my-project-123"]}'

   # A successful request returns log entries from this project
5. To test whether the header denies access to a resource outside the authorized Trusted Cloud by S3NS organization, send a curl request for a resource in a different organization. Here is an example curl request:

   # Get an access token
   $ TOKEN=$(gcloud auth print-access-token)

   # Make a request that includes the organization restriction header; this call
   # lists log entries for a project that does not belong to the organization named in the header
   $ curl -X POST "https://logging.googleapis.com/v2/entries:list" \
       -H "X-Goog-Allowed-Resources: ${OR_HEADER}" \
       -H "Authorization: Bearer ${TOKEN}" \
       -H 'Content-Type: application/json' \
       -d '{"projectIds": ["other-project-123"]}'
   {
     "error": {
       "code": 403,
       "message": "Access denied by organization restriction. Contact your administrator for additional information.",
       "status": "PERMISSION_DENIED",
       "details": [
         {
           "@type": "type.googleapis.com/google.rpc.ErrorInfo",
           "reason": "ORG_RESTRICTION_VIOLATION",
           "domain": "googleapis.com",
           "metadata": {
             "service": "logging.googleapis.com",
             "consumer": "other-project-123"
           }
         }
       ]
     }
   }
A 403 response whose ErrorInfo reason is ORG_RESTRICTION_VIOLATION indicates that the request was denied by organization restrictions. A 403 with a different reason (for example, a missing IAM permission on the target project) is not evidence that the restriction works, so check the reason field, not just the status code.
What's next
- Learn about using organization restrictions.
- Learn about the services supported by organization restrictions.