'GCP equivalent of "deny" permissions in aws policy

Is there a way to deny permissions in GCP custom role? For example, this is a policy in AWS that denies a set of actions on S3: { "Sid": "DenyS3", "Effect": "Deny", "Action": "s3:Get*", "Resource": "*" } Is there a way to define a similar custom role in GCP?

google-cloud-platformcloudgoogle-iam


Solution 1:[1]

In preview circa 2022, yes. But it isn't intended to be used the same way.

You can deny a principal from ever using storage.googleapis.com/buckets.get but currently this is not for specific resources and these "deny policies" are attached at the project, folder or organisation level, again not to resources. These are not "IAM policies"/"Allow policies" which are the typical approach and are additive only.

Check the subset of permissions that support deny too.

https://cloud.google.com/iam/docs/deny-access

{
  "displayName": "My deny policy.",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principal://goog/subject/[email protected]"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create"
        ]
      }
    }
  ]
}

Solution 2:[2]

In google Cloud the roles are created based on the format <service>.<resource>.<verb> which specify the exact role to be performed on Resource.

So if a custom role has to be created then you can either add above specific roles or completely omit them from the roles.

https://cloud.google.com/iam/docs/understanding-custom-roles

Solution 3:[3]

Is there a way to deny permissions in GCP custom role?

No, IAM roles are deny by default and are additive only.

How do i get permissions only on a specific image name?

The classic use case for IAM roles is to assign them to the Google Project. This is why a role grants you permission to all resources of that type for that role.

Google has started to release Identity based access control on resources. This means that you can attach an identity with roles to individual resources instead of to the project. For resources that support this, there is a right-hand side panel that allows you to set permissions.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Prashant
Solution 3 John Hanley

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function