
IAM deny policies in GCP - Commands & Configuration

Introduction
Sometimes you want to block certain actions for users even if other permissions allow them. IAM deny policies let you explicitly stop users from doing specific things, adding an extra layer of control.
When you want to prevent a user from deleting storage buckets even if they have broad permissions.
When you need to block access to sensitive resources for a group temporarily without changing their roles.
When you want to deny a specific API action for all users in a project.
When you want to enforce security rules that override granted permissions.
When you want to quickly stop access to a resource without removing existing permissions.
Config File - deny-policy.yaml
deny-policy.yaml
bindings:
- role: roles/iam.denyAll
  members:
  - user:example-user@example.com
  deny_rules:
  - denied_permissions:
    - storage.buckets.delete
    - storage.objects.delete
    denial_condition:
      expression: "resource.name.startsWith('projects/_/buckets/my-sensitive-bucket')"
      title: "Deny delete on sensitive bucket"
      description: "Prevent deleting buckets and objects in my-sensitive-bucket"

This YAML file defines a deny policy that blocks the user example-user@example.com from deleting storage buckets and objects in the bucket named 'my-sensitive-bucket'.

bindings: Lists who the policy applies to and what is denied.

role: Uses the special deny role roles/iam.denyAll to specify deny rules.

deny_rules: Lists the permissions to deny and the condition when to deny them.

denial_condition: Limits the deny to resources starting with the bucket name.

Commands
This command applies the deny policy defined in deny-policy.yaml to the project 'my-project'. It sets the deny rules to block specified actions.
Terminal
gcloud iam policies set-deny deny-policy.yaml --project=my-project
Expected Output
Updated deny policy for project [my-project].
--project - Specifies the GCP project where the deny policy is applied.
This command shows the current IAM policies including deny policies for the project to verify the deny rules are set.
Terminal
gcloud iam policies describe --project=my-project
Expected Output
bindings:
- members:
  - user:example-user@example.com
  role: roles/iam.denyAll
  denyRules:
  - deniedPermissions:
    - storage.buckets.delete
    - storage.objects.delete
    denialCondition:
      expression: resource.name.startsWith('projects/_/buckets/my-sensitive-bucket')
      title: Deny delete on sensitive bucket
      description: Prevent deleting buckets and objects in my-sensitive-bucket
--project - Specifies the project to show policies for.
Key Concept

If you remember nothing else from this pattern, remember: deny policies explicitly block actions even if other permissions allow them.

Common Mistakes
Not specifying the denial_condition, causing the deny to apply everywhere.
This blocks the denied permissions on all resources, which can break unrelated workflows.
Always use denial_condition to limit the deny to specific resources or situations.
Applying deny policies without testing, causing unexpected access issues.
Deny policies override allow permissions and can lock out users unintentionally.
Test deny policies in a safe environment or with limited users before wide deployment.
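The two rules this page relies on, that a matching deny rule overrides any allow and that denial_condition limits the deny to matching resources, together with the "no condition means deny everywhere" mistake above, as an added Python model. This is example code written for this page, not GCP's evaluation engine and not the gcloud tool: it takes the deny-policy.yaml structure from this page as a dict, supports only the resource.name.startsWith('...') condition form the page uses (an assumption), and pairs it with a constructed allow binding (roles/storage.admin with a hand-written, deliberately small permission set) so the override is visible.

```python
"""Added example: a small model of how an IAM deny policy interacts with
allow bindings. NOT GCP's real evaluation engine. It implements two rules
from the page: a matching deny overrides any allow, and a denial_condition
limits the deny to matching resources. Only the
resource.name.startsWith('...') condition form is supported (assumption)."""
import copy
import re

# The deny policy from deny-policy.yaml, written as a dict so the example
# runs without a YAML library.
DENY_POLICY = {
    "bindings": [{
        "role": "roles/iam.denyAll",
        "members": ["user:example-user@example.com"],
        "deny_rules": [{
            "denied_permissions": ["storage.buckets.delete",
                                   "storage.objects.delete"],
            "denial_condition": {
                "expression": "resource.name.startsWith('projects/_/buckets/my-sensitive-bucket')",
                "title": "Deny delete on sensitive bucket",
            },
        }],
    }]
}

# Constructed allow side: a broad role that would otherwise permit deletes.
ALLOW_BINDINGS = [{"role": "roles/storage.admin",
                   "members": ["user:example-user@example.com"]}]
# Constructed, deliberately minimal permission set for that role.
ROLE_PERMISSIONS = {"roles/storage.admin": {
    "storage.buckets.delete", "storage.objects.delete", "storage.objects.get"}}

_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")


def condition_matches(condition, resource_name):
    """Evaluate a denial_condition against a resource name.
    A missing condition matches every resource: this is the 'forgot the
    condition' mistake, where the deny applies everywhere."""
    if condition is None:
        return True
    m = _STARTS_WITH.match(condition["expression"].strip())
    if m is None:
        raise ValueError("unsupported condition: " + condition["expression"])
    return resource_name.startswith(m.group(1))


def is_denied(deny_policy, member, permission, resource_name):
    """True if any deny rule bound to this member covers this permission
    on this resource."""
    for binding in deny_policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        for rule in binding.get("deny_rules", []):
            if (permission in rule.get("denied_permissions", [])
                    and condition_matches(rule.get("denial_condition"),
                                          resource_name)):
                return True
    return False


def is_allowed(allow_bindings, member, permission):
    """True if some allow binding grants the permission to the member."""
    return any(member in b["members"]
               and permission in ROLE_PERMISSIONS.get(b["role"], set())
               for b in allow_bindings)


def check_access(member, permission, resource_name,
                 allow_bindings=ALLOW_BINDINGS, deny_policy=DENY_POLICY):
    """Deny is evaluated first, so it wins over any allow."""
    if is_denied(deny_policy, member, permission, resource_name):
        return "DENIED"
    if is_allowed(allow_bindings, member, permission):
        return "ALLOWED"
    return "NO_PERMISSION"


def without_conditions(deny_policy):
    """Copy of the policy with every denial_condition removed, to show the
    blast radius of an unconditional deny."""
    stripped = copy.deepcopy(deny_policy)
    for binding in stripped.get("bindings", []):
        for rule in binding.get("deny_rules", []):
            rule.pop("denial_condition", None)
    return stripped


if __name__ == "__main__":
    user = "user:example-user@example.com"
    cases = [
        ("storage.buckets.delete", "projects/_/buckets/my-sensitive-bucket"),
        ("storage.buckets.delete", "projects/_/buckets/other-bucket"),
        ("storage.objects.get",
         "projects/_/buckets/my-sensitive-bucket/objects/a.txt"),
    ]
    for perm, res in cases:
        print(f"{perm:24} {res:58} {check_access(user, perm, res)}")
    print("unconditional deny, other-bucket:",
          check_access(user, "storage.buckets.delete",
                       "projects/_/buckets/other-bucket",
                       deny_policy=without_conditions(DENY_POLICY)))
```

Running it shows deletes on my-sensitive-bucket reported as DENIED while the same user's delete on other-bucket and read on the sensitive bucket stay ALLOWED; once without_conditions() strips the condition, the delete on other-bucket flips to DENIED, which is exactly the "applies everywhere" mistake. One caveat the model makes visible: startsWith is a prefix match, so 'projects/_/buckets/my-sensitive-bucket' also matches a bucket named my-sensitive-bucket-archive. The model is for reasoning about a policy before applying it; the describe command on this page remains the way to confirm what the project actually has.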
Summary
Create a deny policy YAML file specifying who and what to deny with optional conditions.
Apply the deny policy to your GCP project using gcloud iam policies set-deny.
Verify the deny policy is active by describing the IAM policies with gcloud.