policy
config_error
ai_generated
true
Resource 'projects/my-project/global/images/my-image' was disallowed by policy. Policy: 'constraints/compute.restrictNonCcslImages'. Reason: 'The resource is not in the allowed list of images.'
ID: policy/gcp-organization-policy-constraint-blocking-resource
75%Fix Rate
85%Confidence
1Evidence
2024-03-15First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| gcloud 450.0.0 | active | — | — | — |
| Compute Engine API v1 | active | — | — | — |
Root Cause
GCP organization policy constraint restricts non-CCSL (Google Cloud Customer-Supplied License) images, blocking custom image creation.
generic中文
GCP 组织策略限制非 CCSL(Google Cloud 客户提供的许可证)镜像,阻止了自定义镜像的创建。
Official Documentation
https://cloud.google.com/compute/docs/instances/restricting-image-accessWorkarounds
-
85% success Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=<approved-project>' to find valid images.
Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=<approved-project>' to find valid images.
-
70% success Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>'
Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>'
-
90% success Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image=<ccsl-image> --source-image-project=<project>'
Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image=<ccsl-image> --source-image-project=<project>'
中文步骤
Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=<approved-project>' to find valid images.
Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization=<ORG_ID>'
Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image=<ccsl-image> --source-image-project=<project>'
Dead Ends
Common approaches that don't work:
-
Delete and recreate the image with a different name.
95% fail
The policy is based on image source, not name. Any non-CCSL image is blocked regardless of naming.
-
Remove the constraint from the specific project only.
80% fail
Organization policy constraints are inherited from the organization level and cannot be overridden at project level without organization admin privileges.
-
Use a different region to create the image.
100% fail
The constraint applies globally across all regions in the organization.