Remove principal access boundary policies

Principal access boundary (PAB) policies let you limit the resources that a set of principals are eligible to access. If you no longer want a principal access boundary policy to be enforced for a principal set, you can delete the policy binding that binds the policy to the principal set. If you want to remove a principal access boundary policy from all principal sets that it's bound to, you can delete the policy.

Removing a principal access boundary policy from a principal set has one of the following effects:

  • If the principals in the principal set aren't subject to any other principal access boundary policies, then they will be eligible to access all Google Cloud resources.
  • If the principals in the principal set are subject to other principal access boundary policies, then they will only be eligible to access the resources in those policies.

Before you begin

  • Set up authentication.

    Select the tab for how you plan to use the samples on this page:

    gcloud

    In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

  • Read the overview of principal access boundary policies.

Roles required to delete principal access boundary policies

To get the permission that you need to delete principal access boundary policies, ask your administrator to grant you the Principal Access Boundary Admin (roles/iam.principalAccessBoundaryAdmin) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the iam.principalaccessboundarypolicies.delete permission, which is required to delete principal access boundary policies.

You might also be able to get this permission with custom roles or other predefined roles.

Roles required to delete principal access boundary policy bindings

The permissions that you need in order to delete policy bindings for principal access boundary policies depend on the principal set that's bound to the policy.

To get the permissions that you need to delete policy bindings for principal access boundary policies, ask your administrator to grant you the following IAM roles:

  • Principal Access Boundary User (roles/iam.principalAccessBoundaryUser) on your organization
  • Delete policy bindings for principal access boundary policies bound to workforce identity pools: IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin) on the target workforce identity pool
  • Delete policy bindings for principal access boundary policies bound to workload identity pools: IAM Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin) on the project that owns the target workload identity pool
  • Get the status of a long-running operation for deleting a binding that references a workload identity pool: IAM Operation Viewer (roles/iam.operationViewer) on the project that owns the target workload identity pool
  • Delete policy bindings for principal access boundary policies bound to a Google Workspace domain: Workspace Pool IAM Admin (roles/iam.workspacePoolAdmin) on the organization
  • Delete policy bindings for principal access boundary policies bound to a project's principal set: Project IAM Admin (roles/resourcemanager.projectIamAdmin) on the project
  • Get the status of a long-running operation for deleting a binding that references a project's principal set: IAM Operation Viewer (roles/iam.operationViewer) on the project
  • Delete policy bindings for principal access boundary policies bound to a folder's principal set: Folder IAM Admin (roles/resourcemanager.folderIamAdmin) on the folder
  • Delete policy bindings for principal access boundary policies bound to an organization's principal set: Organization Administrator (roles/resourcemanager.organizationAdmin) on the organization

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to delete policy bindings for principal access boundary policies. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to delete policy bindings for principal access boundary policies:

  • iam.principalaccessboundarypolicies.unbind on the organization
  • Delete policy bindings for principal access boundary policies bound to workforce identity pools: iam.workforcePools.deletePolicyBinding on the target workforce identity pool
  • Delete policy bindings for principal access boundary policies bound to workload identity pools: iam.workloadIdentityPools.deletePolicyBinding on the project that owns the target workload identity pool
  • Get the status of a long-running operation for deleting a binding that references a workload identity pool: iam.operations.get on the project that owns the target workload identity pool
  • Delete policy bindings for principal access boundary policies bound to a Google Workspace domain: iam.workspacePools.deletePolicyBinding on the organization
  • Delete policy bindings for principal access boundary policies bound to a project's principal set: resourcemanager.projects.deletePolicyBinding on the project
  • Get the status of a long-running operation for deleting a binding that references a project's principal set: iam.operations.get on the project
  • Delete policy bindings for principal access boundary policies bound to a folder's principal set: resourcemanager.folders.deletePolicyBinding on the folder
  • Delete policy bindings for principal access boundary policies bound to an organization's principal set: resourcemanager.organizations.deletePolicyBinding on the organization

You might also be able to get these permissions with custom roles or other predefined roles.

Prepare to remove a principal access boundary policy

Before you remove a principal access boundary policy, decide which of the following goals you want to accomplish:

  • Make the principals in a principal set eligible to access all resources
  • Reduce the number of resources that the principals in a principal set are eligible to access

The following sections describe the steps to take to accomplish each of these goals.

Make principals eligible to access all resources

If you want to make the principals in a principal set eligible to access all resources, then do the following:

  1. Identify all principal access boundary policies bound to the principal set.
  2. Remove all principal access boundary policies bound to the principal set by deleting the relevant policy bindings.

If a principal isn't subject to any principal access boundary policies, then the principal is eligible to access all Google Cloud resources.

Being eligible to access a resource doesn't necessarily mean that a user is able to access a resource. For more information, see Policy evaluation.

Reduce the resources that principals are eligible to access

If the principals in a principal set are subject to multiple principal access boundary policies, then you can reduce the number of resources that the principals are eligible to access by removing one or more of the principal access boundary policies that they're subject to. However, don't, at any point, remove all of the principal access boundary policies that the principals are subject to—if you do, then the principals will be eligible to access all Google Cloud resources.

To remove a principal access boundary policy while ensuring that the principals in a principal set are always subject to at least one principal access boundary policy, follow these steps:

  1. Identify all principal access boundary policies bound to the principal set.
  2. Identify the principal access boundary policies that contain only resources that you want principals in the principal set to be eligible to access. These are the policies that you won't remove from the principal set.

    If you don't have any such policies, then create a new principal access boundary policy with only resources that you want the principals to be eligible to access. Then, attach the policy to the principal set.

  3. Identify the principal access boundary policies that contain resources that you don't want principals in the principal set to be eligible to access. Then, remove those principal access boundary policies by deleting the relevant policy binding.

    If you want to reduce access for specific principals, then add a condition to the policy binding instead of deleting it.

If you want to reduce the number of resources that a principal is eligible to access but don't want to remove any principal access boundary policies, you can instead modify the principal access boundary policies that the principal is subject to. To learn how to modify principal access boundary policies, see Edit principal access boundary policies.

Remove a principal access boundary policy from a principal set

Before you remove a principal access boundary policy from a principal set, first prepare for the removal of the policy. Then, remove the policy by deleting the policy binding that binds the policy to the principal set.

You can delete a policy binding using the Google Cloud console, the gcloud CLI, or the IAM REST API.

Console

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.

  2. Select the organization that owns the principal access boundary policy whose binding you want to delete.

  3. Click the policy ID of the principal access boundary policy whose bindings you want to delete.

  4. Click the Bindings tab.

  5. Find the ID of the binding that you want to delete. In that binding's row, click Actions, then click Delete binding.

  6. In the confirmation dialog, click Delete.

gcloud

The gcloud beta iam policy-bindings delete command deletes a policy binding.

Before using any of the command data below, make the following replacements:

  • BINDING_ID: The ID of the policy binding that you want to delete—for example, example-binding.
  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the value project, folder, or organization.

    The resource type depends on the principal set in the policy binding. To see which resource type to use, see Supported principal types.

  • RESOURCE_ID: The ID of the project, folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta iam policy-bindings delete BINDING_ID \
    --RESOURCE_TYPE=RESOURCE_ID --location=global

Windows (PowerShell)

gcloud beta iam policy-bindings delete BINDING_ID `
    --RESOURCE_TYPE=RESOURCE_ID --location=global

Windows (cmd.exe)

gcloud beta iam policy-bindings delete BINDING_ID ^
    --RESOURCE_TYPE=RESOURCE_ID --location=global

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, see Check the status of a long-running operation on this page.

Delete request issued for: [example-binding]
Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374724030-6181fcd1520c5-d21b0a12-b704e1ce] to complete...done.
Deleted policyBinding [example-binding].

REST

The policyBindings.delete method deletes a policy binding.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the value projects, folders, or organizations.

    The resource type depends on the principal set in the policy binding. To see which resource type to use, see Supported principal types.

  • RESOURCE_ID: The ID of the project, folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • BINDING_ID: The ID of the policy binding that you want to delete—for example, example-binding.

HTTP method and URL:

DELETE https://iam.googleapis.com/v3beta/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, see Check the status of a long-running operation on this page.

{
  "name": "organizations/123456789012/locations/global/operations/operation-1715373190994-6181f71b4daad-6d8168c1-13cc6600",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v3beta.OperationMetadata",
    "createTime": "2024-05-10T20:33:11.165728913Z",
    "target": "organizations/123456789012/locations/global/policyBindings/example-binding",
    "verb": "delete",
    "requestedCancellation": false,
    "apiVersion": "v3beta"
  },
  "done": false
}

Delete a principal access boundary policy

Before you delete a principal access boundary policy, we recommend that you identify and delete all principal access boundary policy bindings that reference the principal access boundary policy.

If you delete a principal access boundary policy with existing policy bindings, then those bindings will eventually be deleted. However, until they are deleted, the policy bindings still count against the limit of 10 bindings that can refer to a single principal set.

You can delete a principal access boundary policy using the Google Cloud console, the gcloud CLI, or the IAM REST API.

Console

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.

  2. Select the organization that owns the principal access boundary policy whose binding you want to delete.

  3. Find the ID of the policy that you want to delete. In that policy's row, click Actions, then click Delete policy.

  4. In the confirmation dialog, confirm that you want to delete the policy:

    • To delete the policy only if the policy doesn't have any bindings associated with it, click Delete.
    • To delete the policy and all associated bindings, select the Forcefully delete policy checkbox, then click Delete.

gcloud

The gcloud beta iam principal-access-boundary-policies delete command deletes a principal access boundary policy and all associated bindings.

Before using any of the command data below, make the following replacements:

  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want to delete—for example, example-policy.
  • ORG_ID: The ID of the organization that owns the principal access boundary policy. Organization IDs are numeric, like 123456789012.
  • FORCE_FLAG: Optional. To force the command to delete a policy, even if that policy is referenced in existing policy bindings, use the flag --force. If this flag is not set and the policy is referenced in existing policy bindings, then the command fails.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta iam principal-access-boundary-policies delete PAB_POLICY_ID \
    --organization=ORG_ID --location=global FORCE_FLAG

Windows (PowerShell)

gcloud beta iam principal-access-boundary-policies delete PAB_POLICY_ID `
    --organization=ORG_ID --location=global FORCE_FLAG

Windows (cmd.exe)

gcloud beta iam principal-access-boundary-policies delete PAB_POLICY_ID ^
    --organization=ORG_ID --location=global FORCE_FLAG

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, see Check the status of a long-running operation on this page.

Delete request issued for: [example-policy]
Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374811191-6181fd2471ab4-f0947406-85778c43] to complete...
Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374811191-6181fd2471ab4-f0947406-85778c43] to complete...done.
Deleted principalAccessBoundaryPolicy [example-policy].

REST

The principalAccessBoundaryPolicies.delete method deletes a principal access boundary policy and all associated bindings.

Before using any of the request data, make the following replacements:

  • ORG_ID: The ID of the organization that owns the principal access boundary policy. Organization IDs are numeric, like 123456789012.
  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want to delete—for example, example-policy.
  • FORCE_DELETE: Optional. To force the request to delete the policy, even if the policy is referenced in existing policy bindings, add the query parameter force=true. If this query parameter is not set and the policy is referenced in existing policy bindings, then the request fails.

HTTP method and URL:

DELETE https://iam.googleapis.com/v3beta/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID?FORCE_DELETE

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, see Check the status of a long-running operation on this page.

{
  "name": "organizations/123456789012/locations/global/operations/operation-1715373190994-6181f71b4daad-6d8168c1-13cc6600",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v3beta.OperationMetadata",
    "createTime": "2024-05-10T20:33:11.165728913Z",
    "target": "organizations/123456789012/locations/global/policyBindings/example-policy",
    "verb": "delete",
    "requestedCancellation": false,
    "apiVersion": "v3beta"
  },
  "done": false
}

Check the status of a long-running operation

When you use the REST API or the client libraries, any method that changes a principal access boundary policy or binding returns a long-running operation (LRO). The long-running operation tracks the status of the request and indicates whether the change to the policy or binding is complete.

REST

The operations.get method returns the status of a long-running operation.

Before using any of the request data, make the following replacements:

  • OPERATION_NAME: The full name of the operation. You receive this name in the response to your original request.

    The operation name has the following format:

      RESOURCE_TYPE/RESOURCE_ID/locations/global/operations/OPERATION_ID

HTTP method and URL:

GET https://iam.googleapis.com/v3beta/OPERATION_NAME

You should receive a JSON response similar to the following:

{
  "name": "organizations/314340013352/locations/global/operations/operation-1732752311821-627edd607a3df-9a62cdea-2a7d9f07",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v3beta.OperationMetadata",
    "createTime": "2024-11-28T00:05:12.006289686Z",
    "endTime": "2024-11-28T00:05:12.192141801Z",
    "target": "organizations/314340013352/locations/global/principalAccessBoundaryPolicies/example-policy",
    "verb": "create",
    "requestedCancellation": false,
    "apiVersion": "v3beta"
  },
  "done": true,
  "response": {
    PAB_POLICY
  }
}

If the operation's done field is not present, continue to monitor its status by getting the operation repeatedly. Use truncated exponential backoff to introduce a delay between each request. When the done field is set to true, the operation is complete, and you can stop getting the operation.
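The following is an added example, not code from the Google Cloud documentation, that ties together the policyBindings.delete request described earlier on this page and the operation polling described above: it builds the v3beta DELETE URLs (rejecting resource types the API does not accept), issues the request, and then polls operations.get with truncated exponential backoff until the done field is true. The HTTP transport is an injected callable (an assumption made so the logic runs offline); in real use it would be an authenticated HTTP client.

```python
"""Added example (not from the Google Cloud docs): delete a PAB policy binding via
the v3beta REST API and poll the returned long-running operation (LRO) with
truncated exponential backoff. The transport is injected so the logic runs offline."""
import random
import time
from typing import Callable, Dict

API = "https://iam.googleapis.com/v3beta"
RESOURCE_TYPES = ("projects", "folders", "organizations")  # REST values from the page

# Assumed transport signature for this example: (method, url) -> parsed JSON body.
Transport = Callable[[str, str], Dict]


def binding_delete_url(resource_type: str, resource_id: str, binding_id: str) -> str:
    """Build the policyBindings.delete URL; reject resource types the API does not accept."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"resource_type must be one of {RESOURCE_TYPES}, got {resource_type!r}")
    return f"{API}/{resource_type}/{resource_id}/locations/global/policyBindings/{binding_id}"


def policy_delete_url(org_id: str, policy_id: str, force: bool = False) -> str:
    """Build the principalAccessBoundaryPolicies.delete URL; force=true also removes bindings."""
    url = f"{API}/organizations/{org_id}/locations/global/principalAccessBoundaryPolicies/{policy_id}"
    return url + "?force=true" if force else url


def wait_for_operation(transport: Transport, name: str, *, base: float = 1.0,
                       cap: float = 32.0, max_polls: int = 20,
                       sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll operations.get until done is true, doubling the delay up to `cap` (with jitter)."""
    delay = base
    for _ in range(max_polls):
        op = transport("GET", f"{API}/{name}")
        if op.get("done"):  # a missing or false done field means keep polling
            if "error" in op:  # an LRO can finish with an error instead of a response
                raise RuntimeError(f"operation {name} failed: {op['error']}")
            return op
        sleep(random.uniform(0, delay))  # full jitter, bounded by the current delay
        delay = min(delay * 2, cap)  # truncate the growth at `cap`
    raise TimeoutError(f"operation {name} not done after {max_polls} polls")


def delete_binding_and_wait(transport: Transport, resource_type: str,
                            resource_id: str, binding_id: str, **poll_kw) -> Dict:
    """Issue the DELETE, then block until the returned operation completes."""
    op = transport("DELETE", binding_delete_url(resource_type, resource_id, binding_id))
    return wait_for_operation(transport, op["name"], **poll_kw)
```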

What's next