This implementation is only valid for resources hosted within Solvay's GCP organization.
GCP projects hosted within Syensqo's GCP organization will not be impacted.
On top of this, Solvay's GCP CloudOps will not implement this restriction on GCP projects in Solvay that involve Syensqo usage.

For further information, please contact Syensqo's GCP support team.


Why am I not able to call the Google APIs with Google Service Accounts?

There are several reasons why a call to the Google APIs with a Google Service Account may fail.
To understand the reason, please check the error message returned.

  • Connect Timeout - This indicates that a connection to the Google APIs is not possible. This usually arises when a firewall on the computer or on the network is blocking the traffic.
  • Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: xxx - This indicates that the connection to the Google APIs was rejected because the Internet Gateway IP from which the service account is being used (the client application's egress IP) is not one of the IPs allowed for that service account.
  • Any other errors - Google returned the error message



Why do the Google Service Accounts need the client application's Internet Gateway's IP?

Google Service Accounts have been identified by Security as a likely avenue for bad actors to extract Solvay's data.

Therefore, since Nov-2024, the Application Owner of each GCP project needs to provide the Internet Gateway IPs of each client to the GCP CloudOps, who implement them in the VPC Service Control.
Only these IPs will then be allowed to call the Google APIs with the Google Service Accounts.
Calls from IPs not in this list will be rejected with the error message "Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: xxx".


How do I get the client's Internet Gateway IP that should be allowed to call the Google APIs?

If you identify that a client's Internet Gateway IP needs to be added, please discuss with the application owner; the application owner will submit a ticket to the GCP CloudOps for the additional implementation.

Please note that:

  • The IP must be the public IP used to access the internet, not the IP address of the VM.
    You can obtain this information by executing this command:
    curl ipinfo.io/ip
  • Google Service Accounts should only be used on application servers, not on individual laptops. The exception for laptops applies only to the Dev environment, and only via Solvay's VPN.
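The two points above (the allow list is matched against the public egress IP, and the VM's own interface address is the wrong value to submit) are easy to get wrong in a ticket. The script below is an added example, not part of this FAQ and not a CloudOps tool: it validates a candidate address, rejects private, loopback, link-local and CGNAT ranges that can only be a VM-side address, and reports whether the address is in an allow list. The allow list itself is constructed for illustration with RFC 5737 TEST-NET addresses; the real list is held by the application owner and CloudOps. The live check uses the FAQ's own `curl ipinfo.io/ip` command and, as an assumption, Linux `hostname -I` to read the VM's primary address.

```shell
#!/bin/sh
# Added example (not from the original FAQ): sanity-check the address you are
# about to submit for VPC Service Control allow-listing.

# Return 0 if $1 is a syntactically valid IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is routable on the public internet, 1 if it is a private,
# loopback, link-local or CGNAT address (a VM-side address, not the Internet
# Gateway IP the FAQ asks for).
is_public_ip() {
    is_ipv4 "$1" || return 1
    case "$1" in
        10.*)                                   return 1 ;;  # RFC 1918
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 1 ;;  # RFC 1918
        192.168.*)                              return 1 ;;  # RFC 1918
        127.*)                                  return 1 ;;  # loopback
        169.254.*)                              return 1 ;;  # link-local / GCP metadata
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*)
                                                return 1 ;;  # CGNAT 100.64.0.0/10
        0.*)                                    return 1 ;;  # "this" network
    esac
    return 0
}

# Return 0 if $1 appears in the space-separated allow list $2, 1 otherwise.
in_allowlist() {
    for allowed in $2; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Print one of: invalid, vm-private, allowed, not-allowed.
classify_egress_ip() {
    ip=$1; allowlist=$2
    if ! is_ipv4 "$ip"; then echo invalid; return 0; fi
    if ! is_public_ip "$ip"; then echo vm-private; return 0; fi
    if in_allowlist "$ip" "$allowlist"; then echo allowed; else echo not-allowed; fi
}

# Constructed allow list for illustration only (RFC 5737 TEST-NET addresses).
ALLOWED_GATEWAY_IPS="203.0.113.7 198.51.100.20"

# Live check, run on the application server with RUN_EGRESS_CHECK=1.
# Shows side by side the VM's own address (never the right value to submit)
# and the public egress IP discovered with the FAQ's command.
if [ "${RUN_EGRESS_CHECK:-0}" = "1" ]; then
    egress=$(curl -s ipinfo.io/ip)
    vm_ip=$(hostname -I 2>/dev/null | awk '{print $1}')   # assumption: Linux
    echo "VM address:        ${vm_ip:-unknown} ($(classify_egress_ip "${vm_ip:-0.0.0.0}" "$ALLOWED_GATEWAY_IPS"))"
    echo "Egress gateway IP: $egress ($(classify_egress_ip "$egress" "$ALLOWED_GATEWAY_IPS"))"
fi
```

A result of `vm-private` for the egress line means the host has no public egress at all on that path (or the lookup was intercepted), which is worth raising before a ticket is filed; `not-allowed` on a genuinely public address is exactly the case that produces the "Request is prohibited by organization's policy" error described above.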


How come some GCP projects have no such restriction, while other GCP projects do?

This is expected, as the teams are progressively implementing the VPC Service Control, project by project.

The implementation will impact many existing project usages, therefore each project is handled individually.