Method: organizations.locations.workloads.restrictAllowedServices

Restrict the list of services allowed in the Workload environment. The current list of allowed services can be found at In addition to assuredworkloads.workload.create permission, the user should also have orgpolicy.policy.set permission on the folder resource to use this functionality.

HTTP request

POST https://{endpoint}/v1beta1/{name=organizations/*/locations/*/workloads/*}:restrictAllowedServices

Where {endpoint} is one of the supported service endpoints.

The URLs use gRPC Transcoding syntax.

Path parameters



name

Required. The resource name of the Workload. This is the workload's relative path in the API, formatted as "organizations/{organization_id}/locations/{locationId}/workloads/{workload_id}". For example, "organizations/123/locations/us-east1/workloads/assured-workload-1".

Request body

The request body contains data with the following structure:

JSON representation

{
  "restrictionType": enum (RestrictionType)
}

restrictionType

enum (RestrictionType)

Required. The type of restriction for using GCP services in the Workload environment.

Response body

If successful, the response body is empty.

Authorization Scopes

Requires the following OAuth scope:


For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the name resource:

  • assuredworkloads.workload.update

For more information, see the IAM documentation.


RestrictionType

The type of restriction.

RESTRICTION_TYPE_UNSPECIFIED Unknown restriction type.
ALLOW_ALL_GCP_SERVICES Allow the use of all services. This effectively removes all restrictions placed on the Folder.
ALLOW_COMPLIANT_SERVICES The allowed list changes based on the Workload's compliance regime. See - for the list of allowed services.
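
The following is an added example, not part of the original reference or of Google's client libraries: a Python helper that builds the POST request described above and validates the resource name and restrictionType before anything is sent. The endpoint host and access token are placeholders, and the `allow_unrestricted` opt-in is a hypothetical local safeguard, not an API parameter.

```python
import json
import re
import urllib.request

# Resource name format from the "Path parameters" section.
NAME_RE = re.compile(r"organizations/[^/?#]+/locations/[^/?#]+/workloads/[^/?#]+")
# Values a caller may send; RESTRICTION_TYPE_UNSPECIFIED is documented as unknown.
RESTRICTION_TYPES = {"ALLOW_ALL_GCP_SERVICES", "ALLOW_COMPLIANT_SERVICES"}


def build_restrict_request(endpoint, name, restriction_type, token,
                           allow_unrestricted=False):
    """Return an unsent urllib Request for :restrictAllowedServices."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be organizations/*/locations/*/workloads/*")
    if restriction_type not in RESTRICTION_TYPES:
        raise ValueError(f"unsupported restrictionType: {restriction_type!r}")
    # ALLOW_ALL_GCP_SERVICES removes all restrictions on the folder, so this
    # helper (a local convention, not an API feature) demands an explicit opt-in.
    if restriction_type == "ALLOW_ALL_GCP_SERVICES" and not allow_unrestricted:
        raise PermissionError("ALLOW_ALL_GCP_SERVICES requires allow_unrestricted=True")
    url = f"https://{endpoint}/v1beta1/{name}:restrictAllowedServices"
    body = json.dumps({"restrictionType": restriction_type}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def send(request):
    """Send the request; per the reference, success returns an empty body."""
    with urllib.request.urlopen(request) as resp:
        return resp.status, resp.read()


# Constructed sample values; the endpoint host and token are placeholders.
EXAMPLE = build_restrict_request(
    "ENDPOINT.example",
    "organizations/123/locations/us-east1/workloads/assured-workload-1",
    "ALLOW_COMPLIANT_SERVICES", "ACCESS_TOKEN_PLACEHOLDER")
```

Nothing is transmitted until `send()` is called, so the built request can be logged or reviewed before a change to the folder's allowed services is applied.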