By default, projects can't create or modify shared reservations. This document explains how to allow or restrict projects in your Google Cloud organization from creating and modifying shared reservations. Shared reservations help you maximize reserved capacity usage across projects, as well as manage one reservation instead of many.
To learn more about the best practices for creating and using shared reservations, see Best practices for shared reservations.
Before you begin
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- Set a default region and zone.
Required roles
To get the permissions that you need to allow or restrict projects from creating shared reservations, ask your administrator to grant you the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to allow or restrict projects from creating shared reservations. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to allow or restrict projects from creating shared reservations:
- To edit organization policies: orgpolicy.policy.set on the organization
- To view organization policies: orgpolicy.policy.get on the organization
You might also be able to get these permissions with custom roles or other predefined roles.
Allow or restrict projects from creating shared reservations
To allow or restrict a project from creating shared reservations, modify the allowlist within the shared reservations owner projects (compute.sharedReservationsOwnerProjects) organization policy constraint.
The following sections explain how to view or edit the shared reservations policy constraint in your project or organization.
View the shared reservations organization policy constraint
To view if your project or organization has the shared reservations owner projects (compute.sharedReservationsOwnerProjects) constraint enabled, select one of the following options:
Console
- In the Google Cloud console, go to the Organization policies page.
- From the project picker, select the project or organization for which you want to view organization policies.
- In the Filter field, enter constraints/compute.sharedReservationsOwnerProjects.
- In the Name column, click Shared reservations owner projects. The Policy details page appears.
- In the Effective policy section, verify whether your project or organization is allowed to create and modify shared reservations.
gcloud
To view which projects the compute.sharedReservationsOwnerProjects constraint allows to create and modify shared reservations:
- To download the policy for your organization as a file named policy.yaml, use the gcloud resource-manager org-policies describe command:
    gcloud resource-manager org-policies describe compute.sharedReservationsOwnerProjects \
        --organization=ORGANIZATION_ID > policy.yaml
  Replace ORGANIZATION_ID with the ID of your organization.
- Open the policy.yaml file in a text editor of your choice.
- View the compute.sharedReservationsOwnerProjects constraint. The projects that can create and modify shared reservations are listed in the allowedValues field, as shown in the following example:
    ...
    constraint: constraints/compute.sharedReservationsOwnerProjects
    listPolicy:
      allowedValues:
      - projects/EXAMPLE_PROJECT_NUMBER1
      - projects/EXAMPLE_PROJECT_NUMBER2
      - projects/EXAMPLE_PROJECT_NUMBER3
      ...
    ...
- Optional: To delete the policy.yaml file, do one of the following:
  - If you're using a Linux or macOS terminal, then run the following command:
      rm policy.yaml
  - If you're using a Windows terminal, then run the following command:
      del policy.yaml
Edit the shared reservations organization policy constraint
To edit which projects in your organization can create and modify shared reservations, select one of the following options:
Console
- In the Google Cloud console, go to the Organization policies page.
- From the project picker, select the organization for which you want to edit organization policies.
- In the Filter field, enter constraints/compute.sharedReservationsOwnerProjects.
- In the Name column, click Shared reservations owner projects. The Policy details page appears.
- Click Manage policy. The Policy details page appears.
- Select Override parent's policy. Then, in the Policy enforcement section, select how you want to apply the policy:
  - Merge with parent: this option combines the project-level policy with the organization-level policy. Projects allowed at either level can create shared reservations.
  - Replace: this option overrides any inherited policies from higher levels. Only projects that are explicitly allowed at this level can create shared reservations.
- Click Add a rule.
- In the Policy values list, select Custom.
- In the Policy type list, select one of the following options:
  - To authorize one or more projects to create or modify shared reservations, select Allow.
  - To prevent one or more projects from creating or modifying shared reservations, select Deny.
- In the Custom value field, enter the number of the project that you want to apply this rule to. For each additional project that you want to apply the rule to, click Add value, and then repeat this step.
- To apply these changes, click Set policy. The Organization policies page appears.
gcloud
To edit which projects the compute.sharedReservationsOwnerProjects constraint allows to create and modify shared reservations, use one of the following methods:
- To grant permission to a single project to create and modify shared reservations, use the gcloud resource-manager org-policies allow command. You can repeat this command for each project that you want to grant this permission to.
    gcloud resource-manager org-policies allow compute.sharedReservationsOwnerProjects projects/PROJECT_NUMBER \
        --organization=ORGANIZATION_ID
  Replace the following:
  - PROJECT_NUMBER: the number of the project.
  - ORGANIZATION_ID: the ID of your organization.
- To grant or revoke the permissions to multiple projects to create and modify shared reservations, replace the organization policy constraint. To do so, complete the following steps:
  - To download the policy for your organization as a file named policy.yaml, use the gcloud resource-manager org-policies describe command:
      gcloud resource-manager org-policies describe compute.sharedReservationsOwnerProjects \
          --organization=ORGANIZATION_ID > policy.yaml
  - Open the policy.yaml file in a text editor of your choice.
  - Modify the allowedValues field to list all projects that can create and modify shared reservations.
    - For each project that you want to grant permission to, add the project number in a new line within the allowedValues field.
    - For each project that you want to revoke the permission to create and modify shared reservations, remove the project number from within the allowedValues field.
    The policy.yaml file looks similar to the following example:
      ...
      constraint: constraints/compute.sharedReservationsOwnerProjects
      listPolicy:
        allowedValues:
        - projects/EXAMPLE_PROJECT_NUMBER1
        - projects/EXAMPLE_PROJECT_NUMBER2
        - projects/EXAMPLE_PROJECT_NUMBER3
        ...
      ...
  - Save the policy.yaml file and close the text editor.
  - To update the policy for your organization, use the gcloud resource-manager org-policies set-policy command:
      gcloud resource-manager org-policies set-policy \
          --organization=ORGANIZATION_ID policy.yaml
  - Optional: To delete the policy.yaml file, do one of the following:
    - If you're using a Linux or macOS terminal, then run the following command:
        rm policy.yaml
    - If you're using a Windows terminal, then run the following command:
        del policy.yaml
Changes can take up to 15 minutes to take effect.
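A check to run on the edited policy.yaml before the set-policy step, or on a freshly downloaded copy to detect drift. This is an added example, not part of the original page or a Google-provided tool. The function names, the approved.txt file, and the project numbers are constructed for illustration, and the allValues check assumes the list policy's allValues field, which the page does not show.

```shell
#!/bin/sh
# Added example: flag projects in a downloaded policy.yaml that are not on a
# reviewed allowlist. File names and project numbers are constructed.

# Print each entry under allowedValues, one per line.
allowed_projects() {
  awk '
    /^[ \t]*allowedValues:/ { in_list = 1; next }
    in_list && /^[ \t]*-/ {
      sub(/^[ \t]*-[ \t]*/, ""); gsub(/[ \t\r]/, ""); print; next
    }
    in_list && NF { in_list = 0 }
  ' "$1"
}

# Print entries that the policy allows but the approved file does not list.
unapproved_projects() {
  allowed_projects "$1" | grep -vxFf "$2" || true
}

# 0 = policy stays within the allowlist, 1 = extra projects, 2 = allValues: ALLOW.
check_policy() {
  if grep -Eq '^[[:space:]]*allValues:[[:space:]]*ALLOW' "$1"; then
    echo "allValues: ALLOW permits every project" >&2
    return 2
  fi
  extra=$(unapproved_projects "$1" "$2")
  [ -z "$extra" ] && return 0
  echo "not on the approved list: $extra" >&2
  return 1
}

# Constructed sample input so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/policy.yaml" <<'EOF'
constraint: constraints/compute.sharedReservationsOwnerProjects
listPolicy:
  allowedValues:
  - projects/111111111111
  - projects/222222222222
  - projects/333333333333
EOF
printf '%s\n' projects/111111111111 projects/222222222222 > "$demo_dir/approved.txt"

check_policy "$demo_dir/policy.yaml" "$demo_dir/approved.txt" \
  || echo "review policy.yaml before running set-policy"
```

Keeping approved.txt in version control gives each change to the allowlist a reviewer and a history that the organization policy alone does not provide.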

