GCP equivalent of "deny" permissions in aws policy

Is there a way to deny permissions in GCP custom role? For example, this is a policy in AWS that denies a set of actions on S3:

{
  "Sid": "DenyS3",
  "Effect": "Deny",
  "Action": "s3:Get*",
  "Resource": "*"
}

Is there a way to define a similar custom role in GCP?



Solution 1:[1]

In preview circa 2022, yes. But it isn't intended to be used the same way.

You can deny a principal from ever using storage.googleapis.com/buckets.get but currently this is not for specific resources and these "deny policies" are attached at the project, folder or organisation level, again not to resources. These are not "IAM policies"/"Allow policies" which are the typical approach and are additive only.

Check the subset of permissions that support deny too.

https://cloud.google.com/iam/docs/deny-access

{
  "displayName": "My deny policy.",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principal://goog/subject/[email protected]"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create"
        ]
      }
    }
  ]
}

Solution 2:[2]

In Google Cloud, roles are created based on the format <service>.<resource>.<verb>, which specifies the exact role to be performed on the resource.

So if a custom role has to be created, you can either add the above specific roles or completely omit them from the roles.

https://cloud.google.com/iam/docs/understanding-custom-roles

Solution 3:[3]

Is there a way to deny permissions in GCP custom role?

No, IAM roles are deny by default and are additive only.

How do I get permissions only on a specific image name?

The classic use case for IAM roles is to assign them to the Google Project. This is why a role grants you permission to all resources of that type for that role.

Google has started to release Identity based access control on resources. This means that you can attach an identity with roles to individual resources instead of to the project. For resources that support this, there is a right-hand side panel that allows you to set permissions.
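The answers above make two points that are easy to confuse: allow policies (role bindings) are additive and deny by default, while deny policies (Solution 1) are a separate layer that is evaluated before any role grant and can only subtract. The following toy evaluator is an added example, written for this page, not code from any answerer or from Google. It assumes the documented evaluation order (deny policies first, then allow bindings), the v2 permission form used by deny policies (storage.googleapis.com/buckets.get versus storage.buckets.get in roles), the principal://goog/subject/EMAIL and principalSet://goog/public:all principal formats, and the optional exceptionPrincipals field; the role contents and all principals are constructed subsets for illustration, not the real role definitions.

```python
"""Toy model of how Google Cloud IAM combines role bindings with deny policies.

Constructed illustration, not the real IAM evaluator. Assumptions:
- roles are additive: a principal gets the union of every bound role's permissions
- deny policies are evaluated first; a matching deny rule wins over any role grant
- deny rules name permissions as 'service.googleapis.com/resource.verb'
- principals in deny rules use 'principal://goog/subject/EMAIL';
  'principalSet://goog/public:all' matches every principal
"""

# Constructed subsets of two predefined roles (real role names, partial contents).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.admin": {
        "storage.buckets.get", "storage.buckets.delete",
        "storage.objects.get", "storage.objects.list",
    },
}

# Constructed allow policy: project-level role bindings.
ALLOW_BINDINGS = [
    {"role": "roles/storage.admin",
     "members": ["user:alice@example.com", "user:breakglass@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
]

# Constructed deny policy in the shape shown in Solution 1, attached at project level.
DENY_POLICIES = [
    {
        "displayName": "Block bucket metadata reads.",
        "rules": [
            {"denyRule": {
                "deniedPrincipals": ["principalSet://goog/public:all"],
                "exceptionPrincipals": ["principal://goog/subject/breakglass@example.com"],
                "deniedPermissions": ["storage.googleapis.com/buckets.get"],
            }}
        ],
    }
]


def to_v2_permission(perm_v1: str) -> str:
    """Map a role-style permission ('storage.buckets.get') to the deny-policy
    form ('storage.googleapis.com/buckets.get')."""
    service, rest = perm_v1.split(".", 1)
    return f"{service}.googleapis.com/{rest}"


def allowed_permissions(bindings, email: str) -> set:
    """Additive union of permissions from every role bound to the user."""
    perms = set()
    for binding in bindings:
        if f"user:{email}" in binding["members"]:
            perms |= ROLE_PERMISSIONS[binding["role"]]
    return perms


def deny_rule_matches(rule: dict, email: str, perm_v2: str) -> bool:
    """True if the rule denies this principal this permission."""
    principal = f"principal://goog/subject/{email}"
    if principal in rule.get("exceptionPrincipals", []):
        return False
    denied = rule["deniedPrincipals"]
    if principal not in denied and "principalSet://goog/public:all" not in denied:
        return False
    return perm_v2 in rule["deniedPermissions"]


def check_access(bindings, deny_policies, email: str, perm_v1: str):
    """Return (decision, reason). Deny policies are consulted before role grants."""
    perm_v2 = to_v2_permission(perm_v1)
    for policy in deny_policies:
        for rule in policy["rules"]:
            if deny_rule_matches(rule["denyRule"], email, perm_v2):
                return "DENY", f"deny policy '{policy['displayName']}' blocks {perm_v2}"
    if perm_v1 in allowed_permissions(bindings, email):
        return "ALLOW", "granted by a role binding"
    return "DENY", "no role grants it (deny by default)"


if __name__ == "__main__":
    for who, perm in [
        ("alice@example.com", "storage.buckets.get"),       # admin, but deny rule wins
        ("alice@example.com", "storage.buckets.delete"),    # admin, not denied
        ("bob@example.com", "storage.objects.get"),         # viewer grants it
        ("bob@example.com", "storage.buckets.delete"),      # nothing grants it
        ("breakglass@example.com", "storage.buckets.get"),  # exception principal
    ]:
        print(who, perm, *check_access(ALLOW_BINDINGS, DENY_POLICIES, who, perm))
```

The takeaway for the question: removing storage.buckets.get from a custom role (Solution 2) only affects principals bound to that role, and a second binding to any other role containing the permission restores it; a deny rule applies regardless of which roles are bound. A deny policy file like the one in Solution 1 is attached with `gcloud iam policies create POLICY_ID --attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID --kind=denypolicies --policy-file=policy.json`, and only the permissions listed on the linked deny-access page can appear in deniedPermissions.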

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Prashant
Solution 3 John Hanley