Troubleshoot deny policies

This page explains how to resolve "permission denied" access issues in Identity and Access Management (IAM) if you use deny policies.

To find out why a principal can't access a resource, you would normally use Policy Troubleshooter. However, Policy Troubleshooter doesn't evaluate deny policies. As a result, if a principal is denied access because of a deny policy, Policy Troubleshooter can't tell you why the principal was denied access. To find out whether a deny policy is in effect, contact your organization administrator or deny administrator.

To work around this issue, you can get all of the allow and deny policies for the applicable project, folder, and organization. You can then review the deny policies and determine whether any of them denied access to the principal.

Before you begin

To get the permissions that you need to review deny policies, ask your administrator to grant you the following IAM roles:

  • Deny Reviewer (roles/iam.denyReviewer) on the organization
  • Folder IAM Admin (roles/resourcemanager.folderIamAdmin) on the folders, if any, that contain the project
  • Organization Role Viewer (roles/iam.organizationRoleViewer) on the organization
  • Role Viewer (roles/iam.roleViewer) on the project

For more information about granting roles, see Manage access.

Review the allow and deny policies

To get all of the allow and deny policies for the applicable project, folder, and organization, use the gcloud beta projects get-ancestors-iam-policy command with the --include-deny flag.

Before using any of the command data below, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.

Execute the gcloud beta projects get-ancestors-iam-policy command (the command is identical on Linux, macOS, Cloud Shell, Windows PowerShell, and Windows cmd.exe):

gcloud beta projects get-ancestors-iam-policy PROJECT_ID --include-deny --format=json

The response contains the allow and deny policies for the project; any folders that are ancestors of the project; and the organization. The following example shows allow policies for the organization 1234567890123 and the project my-project, as well as a deny policy for the project my-project:

[
  {
    "id": "1234567890123",
    "policy": {
      "bindings": [
        {
          "members": [
            "group:cloud-admins@example.com"
          ],
          "role": "roles/iam.denyAdmin"
        },
        {
          "members": [
            "user:raha@example.com"
          ],
          "role": "roles/iam.serviceAccountAdmin"
        }
      ],
      "etag": "BwXW6Eab7TI=",
      "version": 1
    },
    "type": "organization"
  },
  {
    "id": "my-project",
    "policy": {
      "bindings": [
        {
          "members": [
            "group:cloud-admins@example.com"
          ],
          "role": "roles/owner"
        }
      ],
      "etag": "BwXXjOM7L6M="
    },
    "type": "project"
  },
  {
    "id": "my-project",
    "policy": {
      "createTime": "2022-02-14T21:46:35.865279Z",
      "displayName": "My deny policy",
      "etag": "MTgyMzg2ODcwNTEyMjMxMTM3Mjg=",
      "kind": "DenyPolicy",
      "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F123456789012/denypolicies/my-deny-policy",
      "rules": [
        {
          "denyRule": {
            "deniedPermissions": [
              "iam.googleapis.com/serviceAccounts.create"
            ],
            "deniedPrincipals": [
              "principal://goog/subject/raha@example.com"
            ]
          },
          "description": "Prevent service account creation"
        }
      ],
      "uid": "c83e3dc3-d8a6-6f51-4018-814e9f200b05",
      "updateTime": "2022-02-14T21:46:35.865279Z"
    },
    "type": "project"
  }
]

In this example, the user raha@example.com is granted the Service Account Admin role (roles/iam.serviceAccountAdmin) on the organization, but the project has a deny policy that prevents raha@example.com from using the permission iam.googleapis.com/serviceAccounts.create. As a result, if raha@example.com tries to create a service account in the project my-project, the request will be denied.
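As an added example (not part of the Google Cloud documentation), the following Python script automates the manual review described above: it reads the JSON that the command prints and lists every deny rule that names a given principal and permission, honouring exceptionPrincipals and exceptionPermissions. The sample input is a constructed, trimmed copy of the output shown above; group membership and denialCondition are not evaluated, so conditional rules are flagged for the reviewer rather than decided.

```python
import json

# Constructed sample: a trimmed copy of the get-ancestors-iam-policy output
# shown above (organization allow policy plus the project deny policy).
SAMPLE_OUTPUT = json.dumps([
    {"id": "1234567890123", "type": "organization",
     "policy": {"bindings": [{"members": ["user:raha@example.com"],
                              "role": "roles/iam.serviceAccountAdmin"}]}},
    {"id": "my-project", "type": "project",
     "policy": {"kind": "DenyPolicy", "displayName": "My deny policy",
                "rules": [{"denyRule": {
                    "deniedPermissions": ["iam.googleapis.com/serviceAccounts.create"],
                    "deniedPrincipals": ["principal://goog/subject/raha@example.com"]},
                    "description": "Prevent service account creation"}]}},
])


def principal_ids(email):
    """Identifiers under which a user can appear in a deny rule:
    the user's own subject identifier and the all-principals set."""
    return {"principal://goog/subject/" + email, "principalSet://goog/public:all"}


def matching_deny_rules(output_json, email, permission):
    """Return (level, resource id, description, conditional) for each deny rule
    in the command output that denies `permission` to `email`. Permission
    names are compared exactly; a rule carrying a denialCondition is reported
    with conditional=True so the reviewer can evaluate the condition."""
    ids = principal_ids(email)
    hits = []
    for entry in json.loads(output_json):
        policy = entry.get("policy", {})
        if policy.get("kind") != "DenyPolicy":
            continue  # allow policies carry "bindings" and never deny anything
        for rule in policy.get("rules", []):
            deny = rule.get("denyRule", {})
            if not ids & set(deny.get("deniedPrincipals", [])):
                continue
            if ids & set(deny.get("exceptionPrincipals", [])):
                continue
            if permission not in deny.get("deniedPermissions", []):
                continue
            if permission in deny.get("exceptionPermissions", []):
                continue
            hits.append((entry["type"], entry["id"],
                         rule.get("description", ""), "denialCondition" in deny))
    return hits


if __name__ == "__main__":
    for hit in matching_deny_rules(SAMPLE_OUTPUT, "raha@example.com",
                                   "iam.googleapis.com/serviceAccounts.create"):
        print(hit)
```

To run it against real output, pipe the command's JSON into the script in place of SAMPLE_OUTPUT; an empty result means no deny rule in the project, its folders, or the organization names that principal and permission directly.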