# Add predefined organization policies

Last updated (UTC): 2025-07-22.

This page describes how to add organization policies on Cloud SQL instances, to put restrictions on Cloud SQL at the project, folder, or organization level. For an overview, see [Cloud SQL organization policies](/sql/docs/postgres/org-policy/org-policy).

Before you begin
----------------

- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- [Install](/sdk/docs/install) the [gcloud CLI](/sdk/gcloud).
- If you're using an external identity provider (IdP), you must first [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).
- To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:

  ```bash
  gcloud init
  ```

1. Add the **Organization Policy Administrator** role ([`roles/orgpolicy.policyAdmin`](/iam/docs/understanding-roles#organization-policy-roles)) to your user or service account from the **IAM & Admin** page.

   [Go to the IAM accounts page](https://console.cloud.google.com/iam-admin/iam)
2. See [Restrictions](/sql/docs/postgres/org-policy/org-policy#restrictions) before performing this procedure.

Add the connection organization policy
--------------------------------------

For an overview, see [Connection organization policies](/sql/docs/postgres/org-policy/org-policy#connection-organization-policy).

To add a connection organization policy:

1. Go to the **Organization policies** page.

   [Go to the Organization policies page](https://console.cloud.google.com/iam-admin/orgpolicies)
2. Click the projects drop-down menu in the top tab, and then select the project, folder, or organization that requires the organization policy. The **Organization policies** page displays a list of the organization policy constraints that are available.
3. Filter for the constraint `name` or `display_name`.

   - To disable access to or from the internet:

     ```
     name: "constraints/sql.restrictPublicIp"
     display_name: "Restrict Public IP access on Cloud SQL instances"
     ```

   - To disable access from the internet when IAM authentication is missing (this does not affect access using Private IP):

     ```
     name: "constraints/sql.restrictAuthorizedNetworks"
     display_name: "Restrict Authorized Networks on Cloud SQL instances"
     ```

4. Select the policy **Name** from the list.
5. Click **Edit**.
6. Click **Customize**.
7. Click **Add rule**.
8. Under **Enforcement**, click **On**.
9. Click **Save**.

Add the CMEK organization policy
--------------------------------

For an overview, see [Customer-managed encryption keys organization policies](/sql/docs/postgres/org-policy/org-policy#cmek-organization-policy).

To add a CMEK organization policy:

1. Go to the **Organization policies** page.

   [Go to the Organization policies page](https://console.cloud.google.com/iam-admin/orgpolicies)
2. Click the projects drop-down menu in the top tab, and then select the project, folder, or organization that requires the organization policy. The **Organization policies** page displays a list of the organization policy constraints that are available.
3. Filter for the constraint `name` or `display_name`.

   - To put service names in a DENY list to ensure that CMEK is used in the resources for that service:

     ```
     name: "constraints/gcp.restrictNonCmekServices"
     display_name: "Restrict which services may create resources without CMEK"
     ```

     You must add `sqladmin.googleapis.com` to the list of restricted services with Deny.

   - To put project IDs in an ALLOW list to ensure that only keys from an instance of Cloud KMS within that project are used for CMEK:

     ```
     name: "constraints/gcp.restrictCmekCryptoKeyProjects"
     display_name: "Restrict which projects may supply KMS CryptoKeys for CMEK"
     ```

4. Select the policy **Name** from the list.
5. Click **Edit**.
6. Click **Customize**.
7. Click **Add rule**.
8. Under **Policy values**, click **Custom**.
9. For `constraints/gcp.restrictNonCmekServices`:

   a. Under **Policy types**, select **Deny**.
   b. Under **Custom values**, enter `sqladmin.googleapis.com`.

   For `constraints/gcp.restrictCmekCryptoKeyProjects`:

   a. Under **Policy types**, select **Allow**.
   b. Under **Custom values**, enter the resource using the following format: `under:organizations/ORGANIZATION_ID`, `under:folders/FOLDER_ID`, or `projects/PROJECT_ID`.
10. Click **Done**.
11. Click **Save**.

What's next
-----------

- Learn about [Organization policies](/sql/docs/postgres/org-policy/org-policy).
- Learn about how [private IP](/sql/docs/postgres/private-ip) works with Cloud SQL.
- Learn how to [configure private IP](/sql/docs/postgres/configure-private-ip) for Cloud SQL.
- Learn about the [organization policy service](/resource-manager/docs/organization-policy/overview).
- Learn about [organization policy constraints](/resource-manager/docs/organization-policy/understanding-constraints).
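The connection and CMEK policies set through the console steps above can also be kept as reviewable files. The following is an added example, not part of the original page: it renders the four constraints as policy YAML for `gcloud org-policies set-policy`. The function names, file names, and the `PROJECT_ID` / `KEY_PROJECT_ID` placeholders are assumptions.

```shell
#!/usr/bin/env bash
# Added example: render the org policies from this page as YAML files.
# PARENT is a placeholder (assumption): projects/PROJECT_ID,
# folders/FOLDER_ID, or organizations/ORGANIZATION_ID.
PARENT="${PARENT:-projects/PROJECT_ID}"

# Boolean constraint, equivalent to the console's "Enforcement: On".
bool_policy() {   # $1 = constraint name without the "constraints/" prefix
  printf 'name: %s/policies/%s\nspec:\n  rules:\n  - enforce: true\n' "$PARENT" "$1"
}

# List constraint, equivalent to "Policy values: Custom" with Allow or Deny.
list_policy() {   # $1 = constraint, $2 = allowedValues|deniedValues, $3.. = values
  local constraint="$1" kind="$2"
  shift 2
  case "$kind" in
    allowedValues|deniedValues) ;;
    *) echo "kind must be allowedValues or deniedValues" >&2; return 1 ;;
  esac
  [ "$#" -gt 0 ] || { echo "at least one value is required" >&2; return 1; }
  printf 'name: %s/policies/%s\nspec:\n  rules:\n  - values:\n      %s:\n' \
    "$PARENT" "$constraint" "$kind"
  printf '      - %s\n' "$@"
}

# Write one file per constraint discussed on this page.
render_all() {    # $1 = output directory, $2 = project that holds the KMS keys
  local out="$1" key_project="$2"
  mkdir -p "$out"
  bool_policy sql.restrictPublicIp > "$out/restrict-public-ip.yaml"
  bool_policy sql.restrictAuthorizedNetworks > "$out/restrict-authorized-networks.yaml"
  list_policy gcp.restrictNonCmekServices deniedValues \
    sqladmin.googleapis.com > "$out/restrict-non-cmek.yaml"
  list_policy gcp.restrictCmekCryptoKeyProjects allowedValues \
    "projects/$key_project" > "$out/restrict-cmek-projects.yaml"
}

# Apply after review (needs roles/orgpolicy.policyAdmin on the parent):
#   render_all ./policies KEY_PROJECT_ID
#   for f in ./policies/*.yaml; do gcloud org-policies set-policy "$f"; done
```
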