Manage shared reservation creation

By default, projects can't create or modify shared reservations. This document explains how to allow or restrict projects in your Google Cloud organization from creating and modifying shared reservations. Shared reservations help you maximize reserved capacity usage across projects, as well as manage one reservation instead of many.

To learn more about the best practices for creating and using shared reservations, see Best practices for shared reservations.

Before you begin

  • If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

      gcloud init

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    2. Set a default region and zone.

Required roles

To get the permissions that you need to allow or restrict projects from creating shared reservations, ask your administrator to grant you the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to allow or restrict projects from creating shared reservations. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to allow or restrict projects from creating shared reservations:

  • To edit organization policies: orgpolicy.policy.set on the organization
  • To view organization policies: orgpolicy.policy.get on the organization

You might also be able to get these permissions with custom roles or other predefined roles.

Allow or restrict projects from creating shared reservations

To allow or restrict a project from creating shared reservations, modify the allowlist within the shared reservations owner projects (compute.sharedReservationsOwnerProjects) organization policy constraint.

The following sections explain how to view or edit the shared reservations policy constraint in your project or organization.

View the shared reservations organization policy constraint

To check whether your project or organization has the shared reservations owner projects (compute.sharedReservationsOwnerProjects) constraint enabled, select one of the following options:

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. From the project picker, select the project or organization for which you want to view organization policies.

  3. In the Filter field, enter constraints/compute.sharedReservationsOwnerProjects.

  4. In the Name column, click Shared reservations owner projects. The Policy details page appears.

  5. In the Effective policy section, verify whether your project or organization is allowed to create and modify shared reservations.

gcloud

To view which projects the compute.sharedReservationsOwnerProjects constraint allows to create and modify shared reservations:

  1. To download the policy for your organization as a file named policy.yaml, use the gcloud resource-manager org-policies describe command:

    gcloud resource-manager org-policies describe compute.sharedReservationsOwnerProjects \
        --organization=ORGANIZATION_ID > policy.yaml
    

    Replace ORGANIZATION_ID with the ID of your organization.

  2. Open the policy.yaml file in a text editor of your choice.

  3. View the compute.sharedReservationsOwnerProjects constraint. The projects that can create and modify shared reservations are listed in the allowedValues field, as shown in the following example:

    ...
    constraint: constraints/compute.sharedReservationsOwnerProjects
    listPolicy:
      allowedValues:
      - projects/EXAMPLE_PROJECT_NUMBER1
      - projects/EXAMPLE_PROJECT_NUMBER2
      - projects/EXAMPLE_PROJECT_NUMBER3
      ...
    ...
    
  4. Optional: To delete the policy.yaml file, do one of the following:

    • If you're using a Linux or macOS terminal, then run the following command:

      rm policy.yaml
      
    • If you're using a Windows terminal, then run the following command:

      del policy.yaml
      

Edit the shared reservations organization policy constraint

To edit which projects in your organization can create and modify shared reservations, select one of the following options:

Console

  1. In the Google Cloud console, go to the Organization policies page.

    Go to Organization policies

  2. From the project picker, select the organization for which you want to edit organization policies.

  3. In the Filter field, enter constraints/compute.sharedReservationsOwnerProjects.

  4. In the Name column, click Shared reservations owner projects. The Policy details page appears.

  5. Click Manage policy. The Policy details page appears.

  6. Select Override parent's policy. Then, in the Policy enforcement section, select how you want to apply the policy:

    • Merge with parent: this option combines the project-level policy with the organization-level policy. Projects allowed at either level can create shared reservations.

    • Replace: this option overrides any inherited policies from higher levels. Only projects that are explicitly allowed at this level can create shared reservations.

  7. Click Add a rule.

  8. In the Policy values list, select Custom.

  9. In the Policy type list, select one of the following options:

    • To authorize one or more projects to create or modify shared reservations, select Allow.

    • To prevent one or more projects from creating or modifying shared reservations, select Deny.

  10. In the Custom value field, enter the number of the project that you want to apply this rule to. For each additional project that you want to apply the rule to, click Add value, and then repeat this step.

  11. To apply these changes, click Set policy. The Organization policies page appears.

gcloud

To edit which projects the compute.sharedReservationsOwnerProjects constraint allows to create and modify shared reservations, use one of the following methods:

  • To grant permission to a single project to create and modify shared reservations, use the gcloud resource-manager org-policies allow command. You can repeat this command for each project that you want to grant this permission to.

    gcloud resource-manager org-policies allow compute.sharedReservationsOwnerProjects projects/PROJECT_NUMBER \
        --organization=ORGANIZATION_ID
    

    Replace the following:

    • PROJECT_NUMBER: the number of the project that you want to allow to create and modify shared reservations.

    • ORGANIZATION_ID: the ID of your organization.

  • To grant or revoke permission for multiple projects to create and modify shared reservations, replace the organization policy constraint. To do so, complete the following steps:

    1. To download the policy for your organization as a file named policy.yaml, use the gcloud resource-manager org-policies describe command:

      gcloud resource-manager org-policies describe compute.sharedReservationsOwnerProjects \
          --organization=ORGANIZATION_ID > policy.yaml
      
    2. Open the policy.yaml file in a text editor of your choice.

    3. Modify the allowedValues field to list all projects that can create and modify shared reservations.

      • For each project that you want to grant permission to, add its project number on a new line in the allowedValues field.

      • For each project whose permission to create and modify shared reservations you want to revoke, remove its project number from the allowedValues field.

      The policy.yaml file looks similar to the following example:

      ...
      constraint: constraints/compute.sharedReservationsOwnerProjects
      listPolicy:
        allowedValues:
        - projects/EXAMPLE_PROJECT_NUMBER1
        - projects/EXAMPLE_PROJECT_NUMBER2
        - projects/EXAMPLE_PROJECT_NUMBER3
        ...
      ...
      
    4. Save the policy.yaml file and close the text editor.

    5. To update the policy for your organization, use the gcloud resource-manager org-policies set-policy command:

      gcloud resource-manager org-policies set-policy \
          --organization=ORGANIZATION_ID policy.yaml
      
    6. Optional: To delete the policy.yaml file, do one of the following:

      • If you're using a Linux or macOS terminal, then run the following command:

        rm policy.yaml
        
      • If you're using a Windows terminal, then run the following command:

        del policy.yaml
        

Changes can take up to 15 minutes to take effect.
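The following script is an added example, not part of the Google Cloud documentation: it checks a downloaded policy.yaml in the listPolicy layout shown above before the file is pushed back with set-policy, confirms that a given project number is listed, rejects entries that are not project numbers (the constraint takes numbers, not project IDs), and computes the effective allowlist under the Merge with parent and Replace options. It does not call gcloud; the file names and project numbers are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the Google Cloud docs: checks on a policy.yaml
# downloaded with `gcloud resource-manager org-policies describe`, run before
# `set-policy`. Assumes the listPolicy layout shown on this page; no gcloud calls.
# Print the entries of listPolicy.allowedValues, one per line.
allowed_values() {
  awk '
    /^ *allowedValues:/ { in_list = 1; next }
    in_list && /^ *- / { sub(/^ *- */, ""); print; next }
    in_list { in_list = 0 }
  ' "$1"
}

# Succeed only if project number $2 is listed in the policy file $1.
policy_allows() {
  allowed_values "$1" | grep -qx "projects/$2"
}

# The constraint takes project numbers; fail on anything else (for example a
# project ID such as projects/my-project) before set-policy is run.
lint_policy() {
  bad=$(allowed_values "$1" | grep -vE '^projects/[0-9]+$' || true)
  [ -z "$bad" ] || { printf 'not a project number:\n%s\n' "$bad" >&2; return 1; }
}

# Effective allowlist when a project-level policy overrides its parent:
# "merge" unions both lists, "replace" keeps only the project-level entries.
effective_allowed() {  # usage: effective_allowed PARENT_FILE CHILD_FILE merge|replace
  case "$3" in
    merge)   { allowed_values "$1"; allowed_values "$2"; } | sort -u ;;
    replace) allowed_values "$2" | sort -u ;;
    *) echo "mode must be merge or replace" >&2; return 1 ;;
  esac
}

# Constructed sample files; the project numbers are placeholders.
cat > /tmp/org-policy.yaml <<'EOF'
constraint: constraints/compute.sharedReservationsOwnerProjects
listPolicy:
  allowedValues:
  - projects/111111111111
  - projects/222222222222
EOF
cat > /tmp/project-policy.yaml <<'EOF'
constraint: constraints/compute.sharedReservationsOwnerProjects
listPolicy:
  allowedValues:
  - projects/333333333333
EOF
```

Run lint_policy on the edited file and policy_allows for each project you intended to add before step 5 (set-policy); after the change propagates, describe the policy again and compare its allowedValues with the file you uploaded.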

What's next