This page explains how to deny principals access by preventing them from using specific Identity and Access Management (IAM) permissions.
In IAM, you deny access with deny policies. Each deny policy is attached to a Google Cloud organization, folder, or project. A deny policy contains deny rules, which identify principals and list the permissions that the principals cannot use.
Deny policies are separate from allow policies, also known as IAM policies. An allow policy provides access to resources by granting IAM roles to principals.
You can manage deny policies with the Google Cloud console, Google Cloud CLI,
or the IAM v2
REST API.
Before you begin
Enable the IAM API.
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Terraform
To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Go
To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Node.js
To use the Node.js samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Read the overview of deny policies.
Required roles
To get the permissions that you need to manage deny policies, ask your administrator to grant you the following IAM roles on the organization:
-
To view deny policies:
Deny Reviewer (
roles/iam.denyReviewer
) -
To view, create, update, and delete deny policies:
Deny Admin (
roles/iam.denyAdmin
)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to manage deny policies. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage deny policies:
-
To view deny policies:
-
iam.denypolicies.get
-
iam.denypolicies.list
-
-
To create, update, and delete deny policies:
-
iam.denypolicies.create
-
iam.denypolicies.delete
-
iam.denypolicies.get
-
iam.denypolicies.update
-
You might also be able to get these permissions with custom roles or other predefined roles.
Identify permissions to deny
Before you create a deny policy, you must decide which permissions you want to deny, and which principals should be denied these permissions.
Only some permissions can be denied. For a list of permissions that you can deny, see Permissions supported in deny policies.
In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
You manage deny policies with the v2
REST API, which requires a special format
for permission names. For example, the permission to create an
IAM custom role is named as follows:
v1
API:iam.roles.create
v2
API:iam.googleapis.com/roles.create
Create a deny policy
You can add deny policies to organizations, folders, and projects. Each resource can have up to 500 deny policies.
Deny policies contain deny rules, which specify the following:
- The permissions to deny.
- The principals that are denied those permissions.
Optional: Principals that are exempt from the denial of permissions.
For example, you can deny a permission to a group, but exempt specific users who belong to that group.
Optional: A condition expression that specifies when the principals cannot use the permissions. In deny policies, condition expressions can only use functions for resource tags—other functions and operators are not supported.
Each resource can have up to 500 deny rules across all of its attached deny policies.
Deny policies are inherited through the resource hierarchy. For example, if you deny a permission at the organization level, that permission will also be denied on the folders and projects within that organization, and on the service-specific resources within each project.
Deny policies override allow policies. If a principal is granted a role that contains a specific permission, but a deny policy says that the principal cannot use that permission, then the principal cannot use the permission.
Console
In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
Click
Create deny policy.In the Policy name section, define the policy ID by doing one of the following:
- In the Display name field, enter a display name for the policy. Filling out this field automatically fills out the ID field. If you want to change the ID of the policy, update the text in the ID field.
- In the ID field, enter an ID for the policy.
In the Deny rules section, define the policy's deny rules. Each deny policy must have at least one deny rule. To add additional deny rules, click Add deny rule.
For each deny rule, do the following:
- In the Denied principals field, add one or more principals that you
want to prevent from using the specified permissions. The principal can
be any of the principal types in the list of IAM
v2
principal identifiers, except the principals whose IDs begin withdeleted:
. - Optional: In the Exception principals field, add the principals that you want to be able to use the specified permissions, even if those principals are included in Denied principals section. For example, you can use this field to make an exception for specific users who belong to a denied group.
In the Denied permissions sections, add the permissions that you want to deny. The permissions must be supported in deny policies.
In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
Optional: Add exception permissions. Exception permissions are permissions that you don't want this deny rule to deny, even if they're included in the list of denied permissions. For example, you can use this field to make exceptions for specific permissions in a permission group.
To add exception permissions, click Exception permissions, click
Add another permission, and then enter the permission in the Permission 1 field. Continue adding permissions until you've added all permissions that you want to exempt from the deny policy.Optional: Add a denial condition to specify when the principals can't use the permission. To add a denial condition, click
Add denial condition, and then define the following fields:- Title: Optional. A brief summary of the purpose of the condition.
- Description: Optional. A longer description of the condition.
Condition expression: You can add a condition expression using the Condition builder or Condition editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using Common Expression Language (CEL) syntax.
Denial conditions must be based on resource tags. Other functions and operators aren't supported.
- In the Denied principals field, add one or more principals that you
want to prevent from using the specified permissions. The principal can
be any of the principal types in the list of IAM
Click Create.
gcloud
To create a deny policy for a resource, start by creating a JSON file that contains the policy. A deny policy uses the following format:
{ "displayName": "POLICY_NAME", "rules": [ { "denyRule": DENY_RULE_1 }, { "denyRule": DENY_RULE_2 }, { "denyRule": DENY_RULE_N } ] }
Provide the following values:
POLICY_NAME
: The display name for the deny policy.-
DENY_RULE_1
,DENY_RULE_2
,...DENY_RULE_N
: The deny rules in the policy. Each deny rule can contain these fields:-
deniedPermissions
: A list of permissions that the specified principals cannot use. The permissions must be supported in deny policies.In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
-
exceptionPermissions
: A list of permissions that the specified principals can use, even if those permissions are included indeniedPermissions
. For example, you can use this field to make exceptions for specific permissions in a group of permissions. -
deniedPrincipals
: A list of principals that cannot use the specified permissions. Use thev2
API format for principal identifiers. -
exceptionPrincipals
: Optional. A list of principals that can use the specified permissions, even if those principals are included indeniedPrincipals
. For example, you can use this field to make an exception for specific users who belong to a denied group. Use thev2
API format for principal identifiers. -
denialCondition
: Optional. A condition expression that specifies when the principals cannot use the permissions. Contains the following fields:-
expression
: A condition expression that uses Common Expression Language (CEL) syntax. The expression must use the CEL functions for evaluating resource tags. Other functions and operators are not supported. -
title
: Optional. A brief summary of the purpose of the condition. -
description
: Optional. A longer description of the condition.
-
For examples of deny rules, see Common use cases.
-
For example, the following deny policy contains one deny rule, which denies one permission to Lucian:
{
"displayName": "My deny policy.",
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principal://goog/subject/lucian@example.com"
],
"deniedPermissions": [
"iam.googleapis.com/roles.create"
]
}
}
]
}
Next, run the gcloud iam policies create
command:
gcloud iam policies create POLICY_ID \ --attachment-point=ATTACHMENT_POINT \ --kind=denypolicies \ --policy-file=POLICY_FILE
Provide the following values:
-
POLICY_ID
: The identifier for the deny policy. -
ATTACHMENT_POINT
: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. -
POLICY_FILE
: The filepath for the JSON file that contains the deny policy.
By default, if this command succeeds, it does not print any output. To print a
detailed response, add the flag --format=json
to the command.
For example, the following command creates a deny policy named my-deny-policy
for the project my-project
, using a file named policy.json
:
gcloud iam policies create my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--policy-file=policy.json
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
policies.createPolicy
method creates a deny policy for a resource.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. POLICY_ID
: An identifier for the deny policy.POLICY_NAME
: The display name for the deny policy.-
DENY_RULE_1
,DENY_RULE_2
,...DENY_RULE_N
: The deny rules in the policy. Each deny rule can contain these fields:-
deniedPermissions
: A list of permissions that the specified principals cannot use. The permissions must be supported in deny policies.In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
-
exceptionPermissions
: A list of permissions that the specified principals can use, even if those permissions are included indeniedPermissions
. For example, you can use this field to make exceptions for specific permissions in a group of permissions. -
deniedPrincipals
: A list of principals that cannot use the specified permissions. Use thev2
API format for principal identifiers. -
exceptionPrincipals
: Optional. A list of principals that can use the specified permissions, even if those principals are included indeniedPrincipals
. For example, you can use this field to make an exception for specific users who belong to a denied group. Use thev2
API format for principal identifiers. -
denialCondition
: Optional. A condition expression that specifies when the principals cannot use the permissions. Contains the following fields:-
expression
: A condition expression that uses Common Expression Language (CEL) syntax. The expression must use the CEL functions for evaluating resource tags. Other functions and operators are not supported. -
title
: Optional. A brief summary of the purpose of the condition. -
description
: Optional. A longer description of the condition.
-
For examples of deny rules, see Common use cases.
-
HTTP method and URL:
POST https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies?policyId=POLICY_ID
Request JSON body:
{ "displayName": "POLICY_NAME", "rules": [ { "denyRule": DENY_RULE_1 }, { "denyRule": DENY_RULE_2 }, { "denyRule": DENY_RULE_N } ] }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/89cb3e508bf1ff01", "metadata": { "@type": "type.googleapis.com/google.iam.v2.PolicyOperationMetadata", "createTime": "2022-06-28T19:06:12.455151Z" }, "response": { "@type": "type.googleapis.com/google.iam.v2.Policy", "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=", "createTime": "2022-06-28T19:06:12.455151Z", "updateTime": "2022-06-28T22:26:21.968687Z" "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create" ] } } ] } }
The response identifies a long-running operation. You can monitor the status of the long-running operation to find out when it's complete. For details, see Check the status of a long-running operation on this page.
List deny policies
A resource can have multiple deny policies. You can list all of the deny policies that are attached to a resource, and then view each deny policy to see the deny rules in each policy.
Console
In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
The Google Cloud console lists all deny policies that apply to that project, folder, or organization. This includes deny policies that have been inherited from other resources. For more information about deny policy inheritance, see Deny policy inheritance.
gcloud
To list the deny policies for a resource, run the
gcloud iam policies list
command:
gcloud iam policies list \ --attachment-point=ATTACHMENT_POINT \ --kind=denypolicies \ --format=json
Provide the following value:
-
ATTACHMENT_POINT
: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
For example, the following command lists deny policies attached to an
organization whose numeric ID is 123456789012
:
gcloud iam policies list \
--attachment-point=cloudresourcemanager.googleapis.com/organizations/123456789012 \
--kind=denypolicies \
--format=json
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
policies.listPolicies
method lists the deny policies for a resource.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "policies": [ { "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1067607927478/denypolicies/test-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "createTime": "2022-06-28T19:06:12.455151Z", "updateTime": "2022-06-28T22:26:21.968687Z" }, { "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1067607927478/denypolicies/test-policy-2", "uid": "8465d710-ea20-0a08-d92c-b2a3ebf766ab", "kind": "DenyPolicy", "displayName": "My second deny policy.", "createTime": "2022-06-05T19:21:53.595455Z", "updateTime": "2022-06-05T19:21:53.595455Z" }, { "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1067607927478/denypolicies/test-policy-3", "uid": "ee9f7c2f-7e8c-b05c-d4e5-e03bfb2954e0", "kind": "DenyPolicy", "displayName": "My third deny policy.", "createTime": "2022-06-05T19:22:26.770543Z", "updateTime": "2022-06-05T19:22:26.770543Z" } ] }
View a deny policy
You can view a deny policy to see the deny rules that it contains, including the permissions that are denied and the principals who cannot use those permissions.
Console
In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
In the Policy ID column, click the ID of the policy that you want to view.
The Google Cloud console shows the details of the deny policy, including the policy ID, when the policy was created, and the deny rules in the deny policy.
gcloud
To get the deny policy for a resource, run the
gcloud iam policies get
command:
gcloud iam policies get POLICY_ID \ --attachment-point=ATTACHMENT_POINT \ --kind=denypolicies \ --format=json
Provide the following values:
-
POLICY_ID
: The identifier for the deny policy. -
ATTACHMENT_POINT
: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
For example, the following command gets the deny policy named my-deny-policy
for the project my-project
and saves it in a file named policy.json
:
gcloud iam policies get my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--format=json \
> ./policy.json
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
policies.get
method gets a deny policy for a resource.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. POLICY_ID
: An identifier for the deny policy.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=", "createTime": "2022-06-05T19:22:26.770543Z", "updateTime": "2022-06-05T19:22:26.770543Z", "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create" ] } } ] }
Update a deny policy
After you create a deny policy, you can update the deny rules that it contains, as well as its display name.
You can update a deny policy using the Google Cloud console, or using one of the following programmatic methods:
- The gcloud CLI
- The REST API
- The IAM client libraries
Update a deny policy using the Google Cloud console
In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
In the Policy ID column, click the ID of the policy that you want to edit.
Click
Edit.Update the deny policy:
- To change the policy display name, edit the Display name field.
- To edit an existing deny rule, click the deny rule, and then modify the rule's principals, exception principals, denied permissions, exception permissions, or denial condition.
- To remove a deny rule, find the deny rule that you want to delete, and then click Delete in that row.
- To add a deny rule, click Add deny rule, and then create a deny rule like you do when you create a deny policy.
When you're done updating the deny policy, click Save.
Update a deny policy programmatically
To update a deny policy using the gcloud CLI, the REST API, or the IAM client libraries, use the read-modify-write pattern:
- Read the current version of the policy.
- Modify the information in the policy as needed.
- Write the updated policy.
Read the deny policy
gcloud
To get the deny policy for a resource, run the
gcloud iam policies get
command:
gcloud iam policies get POLICY_ID \ --attachment-point=ATTACHMENT_POINT \ --kind=denypolicies \ --format=json
Provide the following values:
-
POLICY_ID
: The identifier for the deny policy. -
ATTACHMENT_POINT
: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
For example, the following command gets the deny policy named my-deny-policy
for the project my-project
and saves it in a file named policy.json
:
gcloud iam policies get my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--format=json \
> ./policy.json
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
policies.get
method gets a deny policy for a resource.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. POLICY_ID
: An identifier for the deny policy.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=", "createTime": "2022-06-05T19:22:26.770543Z", "updateTime": "2022-06-05T19:22:26.770543Z", "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create" ] } } ] }
Modify the deny policy
To modify the deny policy, you make changes to the copy of the policy that you previously read from IAM. You can update the display name, or you can add, change, or remove deny rules. The changes don't take effect until you write the updated policy.
For example, you could add a permission to an existing deny rule:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=", "createTime": "2021-10-05T19:22:26.770543Z", "updateTime": "2021-10-05T19:22:26.770543Z", "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create", "iam.googleapis.com/roles.delete" ] } } ] }
Write the updated deny policy
After you modify the deny policy locally, you must write the updated deny policy to IAM.
Each deny policy contains an etag
field that identifies the policy version.
The etag
changes each time you update the policy. When you write the updated
policy, the etag
in your request must match the current etag
stored in
IAM; if the values do not match, the request fails. This feature
helps prevent concurrent changes from overwriting each other.
gcloud
To update the deny policy for a resource, run the
gcloud iam policies update
command:
gcloud iam policies update POLICY_ID \ --attachment-point=ATTACHMENT_POINT \ --kind=denypolicies \ --policy-file=POLICY_FILE
Provide the following values:
-
POLICY_ID
: The identifier for the deny policy. -
ATTACHMENT_POINT
: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. -
POLICY_FILE
: The filepath for the JSON file that contains the deny policy.
By default, if this command succeeds, it does not print any output. To print a
detailed response, add the flag --format=json
to the command.
For example, the following command updates a deny policy named my-deny-policy
for the project my-project
, using a file named policy.json
:
gcloud iam policies update my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--policy-file=policy.json
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
policies.update
method updates a deny policy.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. POLICY_ID
: An identifier for the deny policy.-
POLICY
: The updated deny policy.For example, to add a permission to the policy shown in the previous step, replace
POLICY
with the following:{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=", "createTime": "2022-06-05T19:22:26.770543Z", "updateTime": "2022-06-05T19:22:26.770543Z", "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create", "iam.googleapis.com/roles.delete" ] } } ] }
HTTP method and URL:
PUT https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID
Request JSON body:
POLICY
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/8b2d0ab2daf1ff01", "metadata": { "@type": "type.googleapis.com/google.iam.v2.PolicyOperationMetadata", "createTime": "2021-10-05T22:26:21.968687Z" }, "response": { "@type": "type.googleapis.com/google.iam.v2.Policy", "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "uid": "6665c437-a3b2-a018-6934-54dd16d3426e", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTgxNTIxNDE3NTYxNjQxODYxMTI=", "createTime": "2022-06-05T19:22:26.770543Z", "updateTime": "2022-06-05T22:26:21.968687Z", "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create", "iam.googleapis.com/roles.delete" ] } } ] } }
The response identifies a long-running operation. You can monitor the status of the long-running operation to find out when it's complete. For details, see Check the status of a long-running operation on this page.
Delete a deny policy
If you no longer want to enforce the rules in a deny policy, you can delete the deny policy.
Optionally, you can specify the etag
for the policy version that you are
deleting. If you specify the etag
, it must match the current etag
stored by
IAM; if the values do not match, the request fails. You can use
this feature to ensure that you are deleting the intended policy, rather than an
updated version of that policy.
If you omit the etag
from the request, IAM deletes the policy
unconditionally.
Console
In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
In the Policy ID column, click the ID of the policy that you want to delete.
Click
Delete. In the confirmation dialog, click Confirm.
gcloud
To delete a deny policy from a resource, run the
gcloud iam policies delete
command:
gcloud iam policies delete POLICY_ID \ --attachment-point=ATTACHMENT_POINT \ --kind=denypolicies
Provide the following values:
-
POLICY_ID
: The identifier for the deny policy. -
ATTACHMENT_POINT
: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
Optionally, you can add the flag --etag=ETAG
. Replace
ETAG
with the current etag
value for the deny policy.
By default, if this command succeeds, it does not print any output. To print a
detailed response, add the flag --format=json
to the command.
For example, the following command deletes a deny policy named my-deny-policy
from the project my-project
:
gcloud iam policies delete my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
policies.delete
method deletes a deny policy from a resource.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. POLICY_ID
: An identifier for the deny policy.-
ETAG
: Optional. An identifier for the version of the policy. If present, this value must match the currentetag
value for the policy.
HTTP method and URL:
DELETE https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID?etag=ETAG
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/8223fe308bf1ff01", "metadata": { "@type": "type.googleapis.com/google.iam.v2.PolicyOperationMetadata", "createTime": "2021-10-05T19:45:00.133311Z" }, "response": { "@type": "type.googleapis.com/google.iam.v2.Policy", "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy", "kind": "DenyPolicy", "displayName": "My deny policy.", "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=", "createTime": "2022-06-28T19:06:12.455151Z", "updateTime": "2022-07-05T19:45:00.133311Z", "deleteTime": "2022-07-05T19:45:00.133311Z", "rules": [ { "denyRule": { "deniedPrincipals": [ "principal://goog/subject/lucian@example.com" ], "deniedPermissions": [ "iam.googleapis.com/roles.create" ] } } ] } }
The response identifies a long-running operation. You can monitor the status of the long-running operation to find out when it's complete. For details, see Check the status of a long-running operation on this page.
Check the status of a long-running operation
When you use the REST API or the client libraries, any method that changes a deny policy returns a long-running operation, or LRO. The long-running operation tracks the status of the request and indicates whether the change to the policy is complete.
Go
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
Java
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
Node.js
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
Python
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
REST
The
policies.operations.get
method returns the status of a long-running operation.
Before using any of the request data, make the following replacements:
-
ENCODED_ATTACHMENT_POINT
: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point. -
OPERATION_ID
: The identifier for the operation. You receive this identifier in the response to your original request, as part of the operation name. Use the hexadecimal value at the end of the operation name. For example,89cb3e508bf1ff01
.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/operations/OPERATION_ID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/89cb3e508bf1ff01", "done": true }
If the operation's done
field is not present, continue to monitor its status
by getting the operation repeatedly. Use
truncated exponential backoff to introduce a delay between
each request. When the done
field is set to true
, the operation is complete,
and you can stop getting the operation.
What's next
- Identify the permissions that are supported in deny policies.
- Get the format of principal identifiers in deny policies.
- Find out how to troubleshoot access issues with deny policies.
- Learn more about denying access to principals.