{ "id": "policy/gcp-organization-policy-constraint-blocking-resource", "signature": "Resource 'projects/my-project/global/images/my-image' was disallowed by policy. Policy: 'constraints/compute.restrictNonCcslImages'. Reason: 'The resource is not in the allowed list of images.'", "signature_zh": "资源 'projects/my-project/global/images/my-image' 被策略禁止。策略:'constraints/compute.restrictNonCcslImages'。原因:'该资源不在允许的镜像列表中。'", "regex": "Resource '.*' was disallowed by policy\\. Policy: 'constraints/compute\\.restrictNonCcslImages'\\. Reason: 'The resource is not in the allowed list of images\\.'", "domain": "policy", "category": "config_error", "subcategory": null, "root_cause": "GCP organization policy constraint restricts non-CCSL (Google Cloud Customer-Supplied License) images, blocking custom image creation.", "root_cause_type": "generic", "root_cause_zh": "GCP 组织策略限制非 CCSL(Google Cloud 客户提供的许可证)镜像,阻止了自定义镜像的创建。", "versions": [ { "version": "gcloud 450.0.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Compute Engine API v1", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "Delete and recreate the image with a different name.", "why_fails": "The policy is based on image source, not name. Any non-CCSL image is blocked regardless of naming.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "Remove the constraint from the specific project only.", "why_fails": "Organization policy constraints are inherited from the organization level and cannot be overridden at project level without organization admin privileges.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "Use a different region to create the image.", "why_fails": "The constraint applies globally across all regions in the organization.", "fail_rate": 1.0, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=' to find valid images.", "success_rate": 0.85, "how": "Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=' to find valid images.", "condition": "", "sources": [] }, { "action": "Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization='", "success_rate": 0.7, "how": "Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization='", "condition": "", "sources": [] }, { "action": "Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image= --source-image-project='", "success_rate": 0.9, "how": "Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image= --source-image-project='", "condition": "", "sources": [] } ], "workarounds_zh": [ "Use an approved CCSL image from the allowed list. Run: 'gcloud compute images list --project=' to find valid images.", "Request exception from organization admin. Provide policy ID and resource details via: 'gcloud resource-manager org-policies describe constraints/compute.restrictNonCcslImages --organization='", "Create a custom image from a CCSL base image using: 'gcloud compute images create my-custom-image --source-image= --source-image-project='" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://cloud.google.com/compute/docs/instances/restricting-image-access", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.85, "fix_success_rate": 0.75, "resolvable": "true", "first_seen": "2024-03-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }