Build organization policy constraints with boolean and list conditions.
Last verified: April 2026
{
  "name": "projects/PROJECT_ID/policies/compute.disableSerialPortAccess",
  "spec": {
    "rules": [
      {
        "enforce": true
      }
    ],
    "inheritFromParent": true,
    "reset": false
  }
}

Your cloud security team is hardening the GCP organization after a security audit. They use the builder to create three critical policies: disable service account key creation (preventing credential leaks), restrict VM locations to us-central1 and europe-west1 (data residency compliance), and restrict external IP assignment to approved load balancer projects only (reducing attack surface). Each policy is generated with the correct gcloud org-policies set-policy command and Terraform configuration, and they deploy all three through their IaC pipeline in a single PR.
The GCP Organization Policy Builder helps you create organization policy constraints that enforce governance rules across your Google Cloud resource hierarchy. Organization policies apply to organizations, folders, and projects, controlling behaviors like allowed VM locations, permitted external IP usage, and service account key creation. This tool guides you through selecting constraints, configuring allowed or denied values, and generates the policy for deployment via gcloud or Terraform.
The builder presents the catalog of available organization policy constraints organized by service (Compute, IAM, Cloud Storage, etc.). When you select a constraint, it shows the constraint type (boolean or list) and lets you configure allowed/denied values or enable/disable the boolean. It generates the policy in gcloud command format and Terraform google_organization_policy resource format, with the correct constraint name and policy specification.
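The policy body the builder emits follows the Organization Policy v2 format shown above (a `name` of `SCOPE/policies/CONSTRAINT` plus `spec.rules`). The following added example, which is not the builder's own code, constructs that body for both constraint types (boolean `enforce`, list `allowedValues`/`deniedValues`, and the `allowAll`/`denyAll` forms) and rejects mixed or invalid combinations; it then produces the three policies from the hardening scenario. `ORG_ID`, `LB_PROJECT_ID` and `LB_INSTANCE` are placeholders.

```python
import json

def build_policy(scope, constraint, *, enforce=None, allowed=(), denied=(),
                 allow_all=False, deny_all=False, inherit=True):
    """Return an Organization Policy v2 body for `gcloud org-policies set-policy`.
    scope: 'organizations/ID', 'folders/ID' or 'projects/ID';
    constraint: bare name such as 'iam.disableServiceAccountKeyCreation'."""
    if not scope.startswith(("organizations/", "folders/", "projects/")):
        raise ValueError(f"unsupported scope: {scope}")
    constraint = constraint.removeprefix("constraints/")
    if enforce is not None:                       # boolean constraint
        if allowed or denied or allow_all or deny_all:
            raise ValueError("a boolean constraint takes only enforce")
        rule = {"enforce": enforce}
    elif allow_all or deny_all:                   # list constraint, no explicit values
        if (allow_all and deny_all) or allowed or denied:
            raise ValueError("allowAll/denyAll exclude values and each other")
        rule = {"allowAll": True} if allow_all else {"denyAll": True}
    else:                                         # list constraint with values
        if not (allowed or denied):
            raise ValueError("a list constraint needs allowed or denied values")
        rule = {"values": {}}
        if allowed:
            rule["values"]["allowedValues"] = list(allowed)
        if denied:
            rule["values"]["deniedValues"] = list(denied)
    return {"name": f"{scope}/policies/{constraint}",
            "spec": {"rules": [rule], "inheritFromParent": inherit, "reset": False}}

# The three policies from the scenario; ORG_ID and the instance path are placeholders.
ORG = "organizations/ORG_ID"
POLICIES = [
    build_policy(ORG, "iam.disableServiceAccountKeyCreation", enforce=True),
    build_policy(ORG, "gcp.resourceLocations",
                 allowed=["in:us-central1-locations", "in:europe-west1-locations"]),
    build_policy(ORG, "compute.vmExternalIpAccess",
                 allowed=["projects/LB_PROJECT_ID/zones/us-central1-a/instances/LB_INSTANCE"]),
]

def policy_files():
    """Map a file name per constraint to its JSON text, one file per set-policy call."""
    return {p["name"].rsplit("/", 1)[1] + ".json": json.dumps(p, indent=2) for p in POLICIES}

if __name__ == "__main__":
    for fname, body in policy_files().items():
        print(f"# gcloud org-policies set-policy {fname}\n{body}\n")
```

Each generated file is applied with `gcloud org-policies set-policy FILE`; review the rendered JSON in the PR before merging, since a list rule with `allowAll` silently replaces any value list inherited from the parent.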
The constraints/iam.disableServiceAccountKeyCreation constraint is one of the most impactful organization policies you can enable. Service account keys are the number one source of GCP credential leaks. Enforce workload identity federation instead and only grant exceptions for legacy systems that genuinely cannot use keyless authentication.
Organization policies apply to resources created after the policy takes effect but do NOT modify existing resources. If you enable a location restriction policy, existing VMs in disallowed regions continue running, but no new VMs can be created there. Audit existing resources separately after enabling a new policy.
Use the constraints/compute.restrictVpcPeering policy to prevent teams from creating unauthorized VPC peering connections. Unrestricted peering can create network paths that bypass your security controls. Allow peering only to shared VPC host projects and approved partner networks.