Manage shared reservation creation
By default, projects can't create or modify shared reservations. This documentexplains how to allow or restrict projects in your Google Cloud organizationfrom creating and modifying shared reservations. Shared reservations help youmaximize reserved capacity usage across projects, as well as manage onereservation instead of many.
To learn more about the best practices for creating and using sharedreservations, seeBest practices for shared reservations.
Before you begin
- If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
gcloudinit
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.- Set a default region and zone.
Required roles
To get the permissions that you need to allow or restrict projects from creating shared reservations, ask your administrator to grant you theOrganization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, seeManage access to projects, folders, and organizations.
This predefined role contains the permissions required to allow or restrict projects from creating shared reservations. To see the exact permissions that are required, expand theRequired permissions section:
Required permissions
The following permissions are required to allow or restrict projects from creating shared reservations:
- To edit organization policies:
orgpolicy.policy.seton the organization - To view organization policies:
orgpolicy.policy.geton the organization
You might also be able to get these permissions withcustom roles or otherpredefined roles.
Allow or restrict projects from creating shared reservations
To allow or restrict a project from creating shared reservations, modify theallowlist within theshared reservations owner projects (compute.sharedReservationsOwnerProjects) organization policy constraint.
The following sections explain how to view or edit the shared reservationspolicy constraint in your project or organization.
View the shared reservations organization policy constraint
To view if your project or organization has the shared reservations ownerprojects (compute.sharedReservationsOwnerProjects) constraint enabled, selectone of the following options:
Console
In the Google Cloud console, go to theOrganization policies page.
From the project picker, select the project or organization for whichyou want to view organization policies.
In theFilter field,enter
constraints/compute.sharedReservationsOwnerProjects.In theName column, clickShared reservations owner projects.ThePolicy details page appears.
In theEffective policy section, verify whether your project ororganization is allowed to create and modify shared reservations.
gcloud
To view which projects thecompute.sharedReservationsOwnerProjectsconstraint allows to create and modify shared reservations:
To download the policy for your organization as a file named
policy.yaml, use thegcloud resource-manager org-policies describecommand:gcloud resource-manager org-policies describe compute.sharedReservationsOwnerProjects \ --organization=ORGANIZATION_ID > policy.yamlReplaceORGANIZATION_ID with theID of your organization.
Open the
policy.yamlfile in a text editor of your choice.View the
compute.sharedReservationsOwnerProjectsconstraint. Theprojects that can create and modify shared reservations are listed intheallowedValuesfield, as shown in the following example:...constraint:constraints/compute.sharedReservationsOwnerProjectslistPolicy:allowedValues:-projects/EXAMPLE_PROJECT_NUMBER1-projects/EXAMPLE_PROJECT_NUMBER2-projects/EXAMPLE_PROJECT_NUMBER3......Optional: To delete the
policy.yamlfile, do one of the following:If you're using a Linux or macOS terminal, then run the followingcommand:
rm policy.yamlIf you're using a Windows terminal, then run the following command:
del policy.yaml
Edit the shared reservations organization policy constraint
To edit which projects in your organization can create and modify sharedreservations, select one of the following options:
Console
In the Google Cloud console, go to theOrganization policies page.
From the project picker, select the organization for which you want toedit organization policies.
In theFilter field,enter
constraints/compute.sharedReservationsOwnerProjects.In theName column, clickShared reservations owner projects.ThePolicy details page appears.
ClickManage policy. ThePolicy details page appears.
SelectOverride parent's policy. Then, in thePolicy enforcementsection, select how you want to apply the policy:
Merge with parent: this option combines the project-level policywith the organization-level policy. Projects allowed at either levelcan create shared reservations.
Replace: this option overrides any inherited policies fromhigher levels. Only projects that are explicitly allowed at thislevel can create shared reservations.
ClickAdd a rule.
In thePolicy values list, selectCustom.
In thePolicy type list, select one of the following options:
To authorize one or more projects to create or modify sharedreservations, selectAllow.
To prevent one or more projects from creating or modifying sharedreservations, selectDeny.
In theCustom value field, enter the number of the project that youwant to apply this rule to. For each additional project that you want toapply the rule to, clickAdd value, and then repeat this step.
To apply these changes, clickSet policy. TheOrganization policies page appears.
gcloud
To edit which projects thecompute.sharedReservationsOwnerProjectsconstraint allows to create and modify shared reservations, use one of thefollowing methods:
To grant permission to a single project to create and modify sharedreservations, use the
gcloud resource-manager org-policies allowcommand.You can repeat this command for each project that you want to grantthis permission to.gcloud resource-manager org-policies allow compute.sharedReservationsOwnerProjects projects/PROJECT_NUMBER \ --organization=ORGANIZATION_IDReplace the following:
PROJECT_NUMBER: thenumber of the project.
ORGANIZATION_ID: theID of your organization.
To grant or revoke the permissions to multiple projects to create andmodify shared reservations, replace the organization policy constraint.To do so, complete the following steps:
To download the policy for your organization as a file named
policy.yaml, use thegcloud resource-manager org-policies describecommand:gcloud resource-manager org-policies describe compute.sharedReservationsOwnerProjects \ --organization=ORGANIZATION_ID > policy.yamlOpen the
policy.yamlfile in a text editor of your choice.Modify the
allowedValuesfield to list all projects that cancreate and modify shared reservations.For each project that you want to grant permission to, add theproject number in a new line within the
allowedValuesfield.For each project that you want to revoke the permission tocreate and modify shared reservations, remove the project numberfrom within the
allowedValuesfield.
The
policy.yamlfile looks similar to the following example:...constraint:constraints/compute.sharedReservationsOwnerProjectslistPolicy:allowedValues:-projects/EXAMPLE_PROJECT_NUMBER1-projects/EXAMPLE_PROJECT_NUMBER2-projects/EXAMPLE_PROJECT_NUMBER3......Save the
policy.yamlfile and close the text editor.To update the policy for your organization, use the
gcloud resource-manager org-policies set-policycommand:gcloud resource-manager org-policies set-policy \ --organization=ORGANIZATION_ID policy.yamlOptional: To delete the
policy.yamlfile, do one of the following:If you're using a Linux or macOS terminal, then run thefollowing command:
rm policy.yamlIf you're using a Windows terminal, then run the followingcommand:
del policy.yaml
Changes can take up to 15 minutes to take effect.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.