GCPcloud~30 mins

IAM deny policies in GCP - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

IAM Deny Policies in GCP

📖 Scenario: You are managing access to a Google Cloud project. You want to create a policy that explicitly denies certain users from performing specific actions, even if other permissions allow them.

🎯 Goal: Build an IAM deny policy that blocks the storage.buckets.delete permission for a specific user on a Cloud Storage bucket.

📋 What You'll Learn

Create a deny policy binding for a user

Specify the permission storage.buckets.delete to deny

Attach the deny policy to a Cloud Storage bucket resource

💡 Why This Matters

🌍 Real World

IAM deny policies help prevent accidental or malicious access by explicitly blocking permissions, even if other roles grant them.

💼 Career

Cloud engineers and security specialists use deny policies to enforce strict access controls and protect critical resources.

Progress0 / 4 steps

Create the initial deny policy structure

Create a dictionary called deny_policy with a key denyRules that holds an empty list.

GCP

deny_policy = {
    "denyRules": []
}
# Your code here

Need a hint?

Start by making a dictionary with a key named denyRules that is an empty list.

Add a deny rule for the delete permission

Add a dictionary to deny_policy["denyRules"] with keys deniedPrincipals set to ["user:alice@example.com"] and deniedPermissions set to ["storage.buckets.delete"].

GCP

deny_policy = {
    "denyRules": [
        # Add deny rule here
    ]
}
# Your code here

Need a hint?

Add a deny rule that denies the user alice@example.com the permission to delete storage buckets.

Specify the resource to attach the deny policy

Create a variable called resource and set it to the string "//storage.googleapis.com/projects/_/buckets/my-bucket" representing the Cloud Storage bucket resource.

GCP

deny_policy = {
    "denyRules": [
        {
            "deniedPrincipals": ["user:alice@example.com"],
            "deniedPermissions": ["storage.buckets.delete"]
        }
    ]
}

# Your code here

Need a hint?

Set the resource variable to the full resource name of the bucket.

Attach the deny policy to the resource

Create a dictionary called policy_request with keys resource set to the resource variable and policy set to the deny_policy dictionary.

GCP

deny_policy = {
    "denyRules": [
        {
            "deniedPrincipals": ["user:alice@example.com"],
            "deniedPermissions": ["storage.buckets.delete"]
        }
    ]
}

resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"

# Your code here

Need a hint?

Combine the resource and deny policy into a single request dictionary.