Requesters can withdraw their grant requests that are pending approval, or end their active grants when their privileged task is complete or when the access is no longer required.
Withdraw your grants
Console
Go to the Privileged Access Manager page.
Select the organization, folder, or project that you want to withdraw grants from.
Click the Grants tab, followed by the My grants tab. This lists your grants with grant statuses and their associated entitlement details.
In the table, click More options for the grant that you want to withdraw, and click Withdraw. To confirm, click Withdraw again.
gcloud
The gcloud alpha pam grants withdraw command withdraws a grant.
Before using any of the command data below, make the following replacements:
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.
GRANT_ID: The ID of the grant you want to withdraw. You can retrieve the ID by viewing grants.
RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the value organization, folder, or project.
RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud alpha pam grants withdraw \
    GRANT_ID \
    --entitlement=ENTITLEMENT_ID \
    --location=global \
    --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud alpha pam grants withdraw `
    GRANT_ID `
    --entitlement=ENTITLEMENT_ID `
    --location=global `
    --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud alpha pam grants withdraw ^
    GRANT_ID ^
    --entitlement=ENTITLEMENT_ID ^
    --location=global ^
    --RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
Parsed [grant] resource: RESOURCE_TYPE/RESOURCE_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
Grant withdrawal initiated. The operation will complete in some time. To track its status, run:
`gcloud alpha pam operations wait RESOURCE_TYPE/RESOURCE_ID/locations/global/operations/OPERATION_ID`
Note that the wait command requires you to have the `privilegedaccessmanager.operations.get` permission on the resource.
metadata:
  apiVersion: v1
  createTime: '2024-08-20T10:10:10.101010101Z'
  target: RESOURCE_TYPE/RESOURCE_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/operations/OPERATION_ID
REST
The Privileged Access Manager API's withdrawGrant method withdraws a grant.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.
GRANT_ID: The ID of the grant you want to withdraw. You can retrieve the ID by viewing grants.
HTTP method and URL:
POST https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:withdraw
Request JSON body:
{ }
You should receive a JSON response similar to the following:
{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-06T23:07:48.716396505Z",
    "target": "SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}
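The REST call above can be scripted as follows. This is an added example, not part of the original documentation: the function names and the ID character checks are assumptions of the example, and it needs the gcloud CLI for the access token and curl 7.55.0 or later for `--header @-`.

```shell
# Added example: pam_safe_id, pam_withdraw_url and pam_withdraw are hypothetical helpers.
PAM_API="https://privilegedaccessmanager.googleapis.com/v1beta"

# Succeeds only if $1 is non-empty and cannot alter the URL path.
# Assumed conservative character set: letters, digits, '-' and '_'.
pam_safe_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# Prints the withdraw URL. $1 = SCOPE, $2 = ENTITLEMENT_ID, $3 = GRANT_ID
pam_withdraw_url() {
  case "$1" in
    organizations/*|folders/*)
      # Folder and organization IDs are numeric.
      case "${1#*/}" in
        ''|*[!0-9]*) echo "invalid scope: $1" >&2; return 1 ;;
      esac ;;
    projects/*)
      pam_safe_id "${1#*/}" || { echo "invalid scope: $1" >&2; return 1; } ;;
    *)
      echo "invalid scope: $1" >&2; return 1 ;;
  esac
  pam_safe_id "$2" || { echo "invalid entitlement ID" >&2; return 1; }
  pam_safe_id "$3" || { echo "invalid grant ID" >&2; return 1; }
  printf '%s/%s/locations/global/entitlements/%s/grants/%s:withdraw\n' \
    "$PAM_API" "$1" "$2" "$3"
}

# Sends the withdraw request and prints the operation JSON from the API.
# The bearer token is passed to curl on stdin so it never appears in the
# process argument list.
pam_withdraw() {
  pam_url=$(pam_withdraw_url "$1" "$2" "$3") || return 1
  printf 'Authorization: Bearer %s\n' "$(gcloud auth print-access-token)" |
    curl --fail --silent --show-error --request POST \
      --header @- --header "Content-Type: application/json" \
      --data '{}' "$pam_url"
}

# Usage: pam_withdraw projects/my-project ENTITLEMENT_ID GRANT_ID
```

The validation runs before any token is fetched, so a malformed scope or ID fails locally instead of producing a request against an unintended resource path.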