This page explains how to deny principals access by preventing them from using specific Identity and Access Management (IAM) permissions.
In IAM, you deny access with deny policies. Each deny policy is attached to a Google Cloud organization, folder, or project. A deny policy contains deny rules, which identify principals and list the permissions that the principals cannot use.
Deny policies are separate from allow policies, also known as IAM policies. An allow policy provides access to resources by granting IAM roles to principals.
You can manage deny policies with the Google Cloud console, Google Cloud CLI, or the IAM v2 REST API.
Enable the IAM API.
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console: When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud: In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Terraform, Go, Java, Node.js, Python: To use the Terraform or client library samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
REST: To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
After installing the Google Cloud CLI, initialize it by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Read the overview of deny policies.
To get the permissions that you need to manage deny policies, ask your administrator to grant you the following IAM roles on the organization:
Deny Reviewer (roles/iam.denyReviewer)
Deny Admin (roles/iam.denyAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to manage deny policies. The following permissions are required:
To view deny policies:
iam.denypolicies.get
iam.denypolicies.list
To create, update, and delete deny policies:
iam.denypolicies.create
iam.denypolicies.delete
iam.denypolicies.get
iam.denypolicies.update
You might also be able to get these permissions with custom roles or other predefined roles.
Identify permissions to deny
Before you create a deny policy, you must decide which permissions you want to deny, and which principals should be denied these permissions.
Only some permissions can be denied. For a list of permissions that you can deny, see Permissions supported in deny policies.
In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
You manage deny policies with the v2 REST API, which requires a special format for permission names. For example, the permission to create an IAM custom role is named as follows:
v1 API: iam.roles.create
v2 API: iam.googleapis.com/roles.create
Create a deny policy
You can add deny policies to organizations, folders, and projects. Each resource can have up to 500 deny policies.
Deny policies contain deny rules, which specify the following:
Optional: Principals that are exempt from the denial of permissions.
For example, you can deny a permission to a group, but exempt specific users who belong to that group.
Optional: A condition expression that specifies when the principals cannot use the permissions. In deny policies, condition expressions can only use functions for resource tags—other functions and operators are not supported.
Each resource can have up to 500 deny rules across all of its attached deny policies.
Deny policies are inherited through the resource hierarchy. For example, if you deny a permission at the organization level, that permission will also be denied on the folders and projects within that organization, and on the service-specific resources within each project.
Deny policies override allow policies. If a principal is granted a role that contains a specific permission, but a deny policy says that the principal cannot use that permission, then the principal cannot use the permission.
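The evaluation rules stated above (inheritance down the hierarchy, deny overriding allow, the two exception lists, and tag-only denial conditions) can be written down as a small evaluator. The following Python is an added example that models the documented semantics; it is not Google's IAM evaluation code and does not call the API. Denial conditions are limited to the two resource-tag CEL functions, resource.matchTag and resource.hasTagKey, parsed with a regular expression, so any other expression is rejected. The resource hierarchy, tag bindings, group membership and allow grants are constructed sample data (allow grants are a flat per-principal set, since the point is the deny side); principal identifiers use the formats shown on this page plus the group form principalSet://goog/group/GROUP_EMAIL.

```python
"""Model of deny-policy evaluation.

Added example (not Google's IAM evaluation code). It encodes the rules documented
above: deny rules attached to a resource or any ancestor apply, a deny overrides an
allow grant, exceptionPrincipals / exceptionPermissions carve holes in a rule, and a
denialCondition restricts a rule to resources with matching tags. Conditions support
only the two resource-tag CEL functions; anything else is rejected, as the page says.
"""
import re
from typing import Dict, Iterator, Optional, Set

ORG = "cloudresourcemanager.googleapis.com/organizations/123456789012"
FOLDER = "cloudresourcemanager.googleapis.com/folders/111"
PROJECT = "cloudresourcemanager.googleapis.com/projects/my-project"

# Constructed sample hierarchy: resource -> parent (None above the organization).
HIERARCHY: Dict[str, Optional[str]] = {ORG: None, FOLDER: ORG, PROJECT: FOLDER}

LUCIAN = "principal://goog/subject/lucian@example.com"
DANA = "principal://goog/subject/dana@example.com"

# Constructed group membership, used to expand principalSet://goog/group/... identifiers.
GROUPS: Dict[str, Set[str]] = {"principalSet://goog/group/devs@example.com": {LUCIAN, DANA}}

_MATCH_TAG = re.compile(r"^resource\.matchTag\('([^']+)', ?'([^']+)'\)$")
_HAS_TAG_KEY = re.compile(r"^resource\.hasTagKey\('([^']+)'\)$")


def eval_condition(expression: str, tags: Dict[str, str]) -> bool:
    """Evaluate a denialCondition expression over a resource's tag bindings ({key: value})."""
    expr = expression.strip()
    m = _MATCH_TAG.match(expr)
    if m:
        return tags.get(m.group(1)) == m.group(2)
    m = _HAS_TAG_KEY.match(expr)
    if m:
        return m.group(1) in tags
    raise ValueError(f"unsupported denial condition: {expression!r}")


def is_supported_condition(expression: str) -> bool:
    """Deny policies accept only the tag functions; report whether an expression would be accepted."""
    try:
        eval_condition(expression, {})
        return True
    except ValueError:
        return False


def principal_matches(identifier: str, principal: str) -> bool:
    if identifier == "principalSet://goog/public:all":
        return True
    if identifier in GROUPS:
        return principal in GROUPS[identifier]
    return identifier == principal


def rule_denies(rule: dict, principal: str, permission: str, tags: Dict[str, str]) -> bool:
    """True if this denyRule withholds `permission` from `principal` on a resource carrying `tags`."""
    if permission not in rule.get("deniedPermissions", ()):
        return False
    if permission in rule.get("exceptionPermissions", ()):
        return False
    if not any(principal_matches(p, principal) for p in rule.get("deniedPrincipals", ())):
        return False
    if any(principal_matches(p, principal) for p in rule.get("exceptionPrincipals", ())):
        return False
    cond = rule.get("denialCondition")
    return cond is None or eval_condition(cond["expression"], tags)


def ancestors(resource: str) -> Iterator[str]:
    """Yield the resource, then each parent up to the organization."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = HIERARCHY[node]


def is_allowed(principal: str, permission: str, resource: str,
               allow_grants: Dict[str, Set[str]], deny_policies: Dict[str, list],
               tags: Optional[Dict[str, str]] = None) -> bool:
    """Deny policies on the resource and its ancestors are checked first; only when
    none applies does an allow grant decide the outcome."""
    tags = tags or {}
    for node in ancestors(resource):
        for policy in deny_policies.get(node, ()):
            for entry in policy["rules"]:
                if rule_denies(entry["denyRule"], principal, permission, tags):
                    return False
    return permission in allow_grants.get(principal, set())


# Constructed scenario: devs hold roles.create and roles.delete, but an org-level deny
# policy withholds roles.create on prod-tagged resources, with dana exempt.
ALLOW = {LUCIAN: {"iam.googleapis.com/roles.create", "iam.googleapis.com/roles.delete"},
         DANA: {"iam.googleapis.com/roles.create"}}
DENY = {ORG: [{"displayName": "Freeze custom roles in prod", "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/group/devs@example.com"],
    "exceptionPrincipals": [DANA],
    "deniedPermissions": ["iam.googleapis.com/roles.create", "iam.googleapis.com/roles.delete"],
    "exceptionPermissions": ["iam.googleapis.com/roles.delete"],
    "denialCondition": {"expression": "resource.matchTag('123456789012/env', 'prod')"},
}}]}]}

if __name__ == "__main__":
    prod = {"123456789012/env": "prod"}
    print(is_allowed(LUCIAN, "iam.googleapis.com/roles.create", PROJECT, ALLOW, DENY, prod))  # False
    print(is_allowed(LUCIAN, "iam.googleapis.com/roles.create", PROJECT, ALLOW, DENY))        # True
```

The deny side is evaluated before the allow side, which is why a grant on the project cannot rescue lucian once the organization-level rule applies; the same policy leaves roles.delete usable because it is listed under exceptionPermissions, and leaves dana unaffected because she is an exception principal.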
Note: In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
Console: In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
Click Create deny policy.
In the Policy name section, define the policy ID by doing one of the following:
In the Deny rules section, define the policy's deny rules. Each deny policy must have at least one deny rule. To add additional deny rules, click Add deny rule.
For each deny rule, do the following:
Optional: In the Exception principals field, add the principals that you want to be able to use the specified permissions, even if those principals are included in the Denied principals section. For example, you can use this field to make an exception for specific users who belong to a denied group.
Note: If a principal set in the list of denied principals includes service agents (for example, the principal set principalSet://goog/public:all), then we recommend adding your service agents as exceptions in the deny rule. This helps ensure that your services continue to function properly. When adding service agents as exceptions, use the project, folder, or organization's service agent principal set.
In the Denied permissions section, add the permissions that you want to deny. The permissions must be supported in deny policies.
In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
Optional: Add exception permissions. Exception permissions are permissions that you don't want this deny rule to deny, even if they're included in the list of denied permissions. For example, you can use this field to make exceptions for specific permissions in a permission group.
To add exception permissions, click Exception permissions, click Add another permission, and then enter the permission in the Permission 1 field. Continue adding permissions until you've added all permissions that you want to exempt from the deny policy.
Optional: Add a denial condition to specify when the principals can't use the permission. To add a denial condition, click Add denial condition, and then define the following fields:
Condition expression: You can add a condition expression using the Condition builder or Condition editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using Common Expression Language (CEL) syntax.
Denial conditions must be based on resource tags. Other functions and operators aren't supported.
Click Create.
gcloud: To create a deny policy for a resource, start by creating a JSON file that contains the policy. A deny policy uses the following format:
{
  "displayName": "POLICY_NAME",
  "rules": [
    { "denyRule": DENY_RULE_1 },
    { "denyRule": DENY_RULE_2 },
    { "denyRule": DENY_RULE_N }
  ]
}
Provide the following values:
POLICY_NAME: The display name for the deny policy.
DENY_RULE_1, DENY_RULE_2, ...DENY_RULE_N: The deny rules in the policy. Each deny rule can contain these fields:
deniedPermissions: A list of permissions that the specified principals cannot use. The permissions must be supported in deny policies. In some cases, you can also use permission groups to deny sets of permissions. For more information, see Permission groups.
exceptionPermissions: A list of permissions that the specified principals can use, even if those permissions are included in deniedPermissions. For example, you can use this field to make exceptions for specific permissions in a group of permissions.
deniedPrincipals: A list of principals that cannot use the specified permissions. To learn how to format the principal identifiers, see Principal identifiers for deny policies.
exceptionPrincipals: Optional. A list of principals that can use the specified permissions, even if those principals are included in deniedPrincipals. For example, you can use this field to make an exception for specific users who belong to a denied group. To learn how to format the principal identifiers, see Principal identifiers for deny policies.
Note: If a principal set in the list of denied principals includes service agents (for example, the principal set principalSet://goog/public:all), then we recommend adding your service agents as exceptions in the deny rule. This helps ensure that your services continue to function properly. When adding service agents as exceptions, use the project, folder, or organization's service agent principal set.
denialCondition: Optional. A condition expression that specifies when the principals cannot use the permissions. Contains the following fields:
expression: A condition expression that uses Common Expression Language (CEL) syntax. The expression must use the CEL functions for evaluating resource tags. Other functions and operators are not supported.
title: Optional. A brief summary of the purpose of the condition.
description: Optional. A longer description of the condition.
For examples of deny rules, see Common use cases.
For example, the following deny policy contains one deny rule, which denies one permission to Lucian:
{
"displayName": "My deny policy.",
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principal://goog/subject/lucian@example.com"
],
"deniedPermissions": [
"iam.googleapis.com/roles.create"
]
}
}
]
}
Next, run the gcloud iam policies create command:
gcloud iam policies create POLICY_ID \
--attachment-point=ATTACHMENT_POINT \
--kind=denypolicies \
--policy-file=POLICY_FILE
Provide the following values:
POLICY_ID: The identifier for the deny policy.
ATTACHMENT_POINT: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_FILE: The filepath for the JSON file that contains the deny policy.
By default, if this command succeeds, it does not print any output. To print a detailed response, add the flag --format=json to the command.
For example, the following command creates a deny policy named my-deny-policy for the project my-project, using a file named policy.json:
gcloud iam policies create my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--policy-file=policy.json
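As an added example (not from this page or from Google), the following Python produces the policy.json file that the gcloud iam policies create command above consumes. It converts v1 permission names into the v2 form described under Identify permissions to deny, assembles the document in the format documented for the gcloud tab, and enforces the service-agent recommendation: a rule that denies principalSet://goog/public:all must exempt a service-agent principal set. Two details are written from memory and should be checked against the Principal identifiers for deny policies and supported-permissions references: the service-agent principal set format principalSet://cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER/type/ServiceAgent, and the fact that v1 resourcemanager.* permissions map to cloudresourcemanager.googleapis.com/*. The project number and principals are constructed.

```python
"""Build a deny policy file for `gcloud iam policies create`.

Added example, not the page's or Google's code. It converts v1 permission names to the
v2 form, assembles the JSON document described in the gcloud section, insists on a
service-agent exception when the public principal set is denied, and computes the
URL-encoded attachment point used by the REST API.
"""
import json
import urllib.parse
from typing import Iterable, Optional, Sequence

PUBLIC_ALL = "principalSet://goog/public:all"

# v1 service prefixes whose v2 service name is not simply "<prefix>.googleapis.com".
# Written from memory (resourcemanager.* -> cloudresourcemanager.googleapis.com/*);
# verify against the list of permissions supported in deny policies.
SERVICE_OVERRIDES = {"resourcemanager": "cloudresourcemanager.googleapis.com"}


def to_v2_permission(name: str) -> str:
    """iam.roles.create -> iam.googleapis.com/roles.create. v2 names pass through unchanged."""
    if "/" in name:
        return name
    service, _, rest = name.partition(".")
    if not service or "." not in rest:
        raise ValueError(f"not a v1 permission name: {name!r}")
    host = SERVICE_OVERRIDES.get(service, f"{service}.googleapis.com")
    return f"{host}/{rest}"


def service_agents_of_project(project_number: str) -> str:
    """Principal set for all service agents of a project (format assumed; check the
    'Principal identifiers for deny policies' reference)."""
    return f"principalSet://cloudresourcemanager.googleapis.com/projects/{project_number}/type/ServiceAgent"


def missing_service_agent_exception(denied: Sequence[str], exceptions: Sequence[str]) -> bool:
    """True when everyone (public:all) is denied but no service-agent principal set is exempted,
    which would also deny the service agents that keep your services running."""
    return PUBLIC_ALL in denied and not any("/type/ServiceAgent" in p for p in exceptions)


def build_deny_rule(denied_principals: Iterable[str], permissions: Iterable[str], *,
                    exception_principals: Iterable[str] = (), exception_permissions: Iterable[str] = (),
                    condition: Optional[str] = None) -> dict:
    denied = list(denied_principals)
    exempt = list(exception_principals)
    if missing_service_agent_exception(denied, exempt):
        raise ValueError("denying principalSet://goog/public:all requires a service-agent exception")
    rule = {"deniedPrincipals": denied,
            "deniedPermissions": [to_v2_permission(p) for p in permissions]}
    if exempt:
        rule["exceptionPrincipals"] = exempt
    exempt_perms = [to_v2_permission(p) for p in exception_permissions]
    if exempt_perms:
        rule["exceptionPermissions"] = exempt_perms
    if condition:  # must use the resource-tag CEL functions only
        rule["denialCondition"] = {"expression": condition, "title": "Scope of the denial"}
    return rule


def build_deny_policy(display_name: str, rules: Iterable[dict]) -> dict:
    rule_list = list(rules)
    if not rule_list:
        raise ValueError("a deny policy needs at least one deny rule")
    return {"displayName": display_name, "rules": [{"denyRule": r} for r in rule_list]}


def encode_attachment_point(attachment_point: str) -> str:
    """cloudresourcemanager.googleapis.com/projects/my-project -> ...%2Fprojects%2Fmy-project"""
    return urllib.parse.quote(attachment_point, safe="")


def create_policy_url(attachment_point: str, policy_id: str) -> str:
    return (f"https://iam.googleapis.com/v2/policies/{encode_attachment_point(attachment_point)}"
            f"/denypolicies?policyId={policy_id}")


def gcloud_create_command(policy_id: str, attachment_point: str, policy_file: str) -> str:
    return (f"gcloud iam policies create {policy_id} --attachment-point={attachment_point} "
            f"--kind=denypolicies --policy-file={policy_file}")


if __name__ == "__main__":
    # Constructed sample: nobody may create or delete custom roles in the project,
    # except the project's service agents; the project number 1234567890123 is made up.
    rule = build_deny_rule([PUBLIC_ALL], ["iam.roles.create", "iam.roles.delete"],
                           exception_principals=[service_agents_of_project("1234567890123")])
    policy = build_deny_policy("Freeze custom roles", [rule])
    with open("policy.json", "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    attachment = "cloudresourcemanager.googleapis.com/projects/my-project"
    print(gcloud_create_command("my-deny-policy", attachment, "policy.json"))
    print(create_policy_url(attachment, "my-deny-policy"))
```

Running the script writes policy.json and prints the create command and the equivalent REST URL; the quote(..., safe="") call is what turns the slashes in the attachment point into the %2F sequences the REST examples below expect.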
Terraform: To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.
Go, Java, Node.js, Python: To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM API reference documentation for your language. To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST: The policies.createPolicy method creates a deny policy for a resource.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_ID: An identifier for the deny policy.
POLICY_NAME: The display name for the deny policy.
DENY_RULE_1, DENY_RULE_2, ...DENY_RULE_N: The deny rules in the policy. Each deny rule can contain the fields deniedPermissions, exceptionPermissions, deniedPrincipals, exceptionPrincipals, and denialCondition, described in the gcloud instructions earlier in this section. For examples of deny rules, see Common use cases.
HTTP method and URL:
POST https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies?policyId=POLICY_ID
Request JSON body:
{
  "displayName": "POLICY_NAME",
  "rules": [
    { "denyRule": DENY_RULE_1 },
    { "denyRule": DENY_RULE_2 },
    { "denyRule": DENY_RULE_N }
  ]
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies?policyId=POLICY_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies?policyId=POLICY_ID" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/89cb3e508bf1ff01",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v2.PolicyOperationMetadata",
    "createTime": "2022-06-28T19:06:12.455151Z"
  },
  "response": {
    "@type": "type.googleapis.com/google.iam.v2.Policy",
    "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
    "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
    "kind": "DenyPolicy",
    "displayName": "My deny policy.",
    "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
    "createTime": "2022-06-28T19:06:12.455151Z",
    "updateTime": "2022-06-28T22:26:21.968687Z",
    "rules": [
      {
        "denyRule": {
          "deniedPrincipals": [
            "principal://goog/subject/lucian@example.com"
          ],
          "deniedPermissions": [
            "iam.googleapis.com/roles.create"
          ]
        }
      }
    ]
  }
}
The response identifies a long-running operation. You can monitor the status of the long-running operation to find out when it's complete. For details, see Check the status of a long-running operation on this page.
List deny policies
A resource can have multiple deny policies. You can list all of the deny policies that are attached to a resource, and then view each deny policy to see the deny rules in each policy.
Console: In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
The Google Cloud console lists all deny policies that apply to that project, folder, or organization. This includes deny policies that have been inherited from other resources. For more information about deny policy inheritance, see Deny policy inheritance.
gcloud: To list the deny policies for a resource, run the gcloud iam policies list command:
gcloud iam policies list \
--attachment-point=ATTACHMENT_POINT \
--kind=denypolicies \
--format=json
Provide the following value:
ATTACHMENT_POINT: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
For example, the following command lists deny policies attached to an organization whose numeric ID is 123456789012:
gcloud iam policies list \
--attachment-point=cloudresourcemanager.googleapis.com/organizations/123456789012 \
--kind=denypolicies \
--format=json
Go, Java, Node.js, Python: To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM API reference documentation for your language. To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST: The policies.listPolicies method lists the deny policies for a resource.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "policies": [
    {
      "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1067607927478/denypolicies/test-policy",
      "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
      "kind": "DenyPolicy",
      "displayName": "My deny policy.",
      "createTime": "2022-06-28T19:06:12.455151Z",
      "updateTime": "2022-06-28T22:26:21.968687Z"
    },
    {
      "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1067607927478/denypolicies/test-policy-2",
      "uid": "8465d710-ea20-0a08-d92c-b2a3ebf766ab",
      "kind": "DenyPolicy",
      "displayName": "My second deny policy.",
      "createTime": "2022-06-05T19:21:53.595455Z",
      "updateTime": "2022-06-05T19:21:53.595455Z"
    },
    {
      "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1067607927478/denypolicies/test-policy-3",
      "uid": "ee9f7c2f-7e8c-b05c-d4e5-e03bfb2954e0",
      "kind": "DenyPolicy",
      "displayName": "My third deny policy.",
      "createTime": "2022-06-05T19:22:26.770543Z",
      "updateTime": "2022-06-05T19:22:26.770543Z"
    }
  ]
}
View a deny policy
You can view a deny policy to see the deny rules that it contains, including the permissions that are denied and the principals who cannot use those permissions.
Console: In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
In the Policy ID column, click the ID of the policy that you want to view.
The Google Cloud console shows the details of the deny policy, including the policy ID, when the policy was created, and the deny rules in the deny policy.
gcloud: To get the deny policy for a resource, run the gcloud iam policies get command:
gcloud iam policies get POLICY_ID \
--attachment-point=ATTACHMENT_POINT \
--kind=denypolicies \
--format=json
Provide the following values:
POLICY_ID: The identifier for the deny policy.
ATTACHMENT_POINT: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
For example, the following command gets the deny policy named my-deny-policy for the project my-project and saves it in a file named policy.json:
gcloud iam policies get my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--format=json \
> ./policy.json
Go, Java, Node.js, Python: To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM API reference documentation for your language. To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST: The policies.get method gets a deny policy for a resource.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_ID: An identifier for the deny policy.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
  "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
  "kind": "DenyPolicy",
  "displayName": "My deny policy.",
  "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
  "createTime": "2022-06-05T19:22:26.770543Z",
  "updateTime": "2022-06-05T19:22:26.770543Z",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principal://goog/subject/lucian@example.com"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create"
        ]
      }
    }
  ]
}
Update a deny policy
After you create a deny policy, you can update the deny rules that it contains, as well as its display name.
You can update a deny policy using the Google Cloud console, or using one of the following programmatic methods:
Console: In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
In the Policy ID column, click the ID of the policy that you want to edit.
Click edit Edit.
Update the deny policy:
When you're done updating the deny policy, click Save.
To update a deny policy using the gcloud CLI, the REST API, or the IAM client libraries, use the read-modify-write pattern:
To get the deny policy for a resource, run the gcloud iam policies get command:
gcloud iam policies get POLICY_ID \
--attachment-point=ATTACHMENT_POINT \
--kind=denypolicies \
--format=json
Provide the following values:
POLICY_ID: The identifier for the deny policy.
ATTACHMENT_POINT: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
For example, the following command gets the deny policy named my-deny-policy for the project my-project and saves it in a file named policy.json:
gcloud iam policies get my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--format=json \
> ./policy.json
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The policies.get method gets a deny policy for a resource.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_ID: An identifier for the deny policy.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
  "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
  "kind": "DenyPolicy",
  "displayName": "My deny policy.",
  "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
  "createTime": "2022-06-05T19:22:26.770543Z",
  "updateTime": "2022-06-05T19:22:26.770543Z",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principal://goog/subject/lucian@example.com"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create"
        ]
      }
    }
  ]
}
Modify the deny policy
To modify the deny policy, you make changes to the copy of the policy that you previously read from IAM. You can update the display name, or you can add, change, or remove deny rules. The changes don't take effect until you write the updated policy.
Note: In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
For example, you could add a permission to an existing deny rule:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
  "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
  "kind": "DenyPolicy",
  "displayName": "My deny policy.",
  "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
  "createTime": "2021-10-05T19:22:26.770543Z",
  "updateTime": "2021-10-05T19:22:26.770543Z",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principal://goog/subject/lucian@example.com"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create",
          "iam.googleapis.com/roles.delete"
        ]
      }
    }
  ]
}
Write the updated deny policy
After you modify the deny policy locally, you must write the updated deny policy to IAM.
Each deny policy contains an etag field that identifies the policy version. The etag changes each time you update the policy. When you write the updated policy, the etag in your request must match the current etag stored in IAM; if the values do not match, the request fails. This feature helps prevent concurrent changes from overwriting each other. If your write fails because of an etag mismatch, someone else changed the policy after you read it: read the policy again and reapply your change to the fresh copy rather than retrying with the stale etag.
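The modify step and the etag rule above, as an added example in Python that is not part of the original page or of Google's client libraries. It works on a local copy of the policy JSON (a constructed sample in the shape that gcloud iam policies get --format=json returns), adds a permission to the deny rule that already lists the target principal without widening any other rule, carries the etag over unchanged, refuses to proceed if the etag is missing, and builds the policies.update request (PUT, URL with the URL-encoded attachment point, JSON body) without sending it. The function names, the permission-format check and the request dictionary are the example's own assumptions.

```python
import copy
import json
import re
from urllib.parse import quote

IAM_V2 = "https://iam.googleapis.com/v2"

# Constructed sample: the shape of a deny policy as returned by
# `gcloud iam policies get --format=json` (values are illustrative).
SAMPLE_POLICY = {
    "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
    "kind": "DenyPolicy",
    "displayName": "My deny policy.",
    "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
    "rules": [
        {
            "denyRule": {
                "deniedPrincipals": ["principal://goog/subject/lucian@example.com"],
                "deniedPermissions": ["iam.googleapis.com/roles.create"],
            }
        }
    ],
}

# Sanity check (example's own): deny-policy permissions are written as
# SERVICE_FQDN/RESOURCE.VERB, e.g. iam.googleapis.com/roles.create,
# not as the bare IAM permission name iam.roles.create.
_PERMISSION_RE = re.compile(r"^[a-z][a-z0-9.-]*\.googleapis\.com/[A-Za-z0-9._-]+$")


def add_denied_permission(policy, principal, permission):
    """Return a modified copy of `policy` in which `principal` is denied `permission`.

    The input is not mutated, the etag is carried over unchanged (IAM compares it
    on write), and the permission is added only to a rule that already lists the
    principal, so other principals' rules are never widened by accident.
    """
    if not _PERMISSION_RE.match(permission):
        raise ValueError(f"not a deny-policy permission: {permission!r}")
    if not policy.get("etag"):
        raise ValueError("policy has no etag; read it from IAM before modifying it")

    updated = copy.deepcopy(policy)
    for rule in updated.setdefault("rules", []):
        deny = rule.get("denyRule")
        if deny is None or principal not in deny.get("deniedPrincipals", []):
            continue
        perms = deny.setdefault("deniedPermissions", [])
        if permission not in perms:  # idempotent: re-running does not duplicate
            perms.append(permission)
        return updated

    # No rule names this principal yet: add a dedicated rule instead of
    # appending the principal to someone else's rule.
    updated["rules"].append(
        {"denyRule": {"deniedPrincipals": [principal], "deniedPermissions": [permission]}}
    )
    return updated


def build_update_request(attachment_point, policy_id, policy):
    """Describe the policies.update call (PUT) for the modified policy.

    The attachment point is URL-encoded with every '/' escaped, which is what the
    ENCODED_ATTACHMENT_POINT placeholder in the REST examples stands for.
    """
    encoded = quote(attachment_point, safe="")
    return {
        "method": "PUT",
        "url": f"{IAM_V2}/policies/{encoded}/denypolicies/{policy_id}",
        "headers": {"Content-Type": "application/json; charset=utf-8"},
        "body": json.dumps(policy),
    }


if __name__ == "__main__":
    modified = add_denied_permission(
        SAMPLE_POLICY,
        "principal://goog/subject/lucian@example.com",
        "iam.googleapis.com/roles.delete",
    )
    req = build_update_request(
        "cloudresourcemanager.googleapis.com/projects/my-project", "my-policy", modified
    )
    print(req["method"], req["url"])
    print(req["body"])
```

The request dictionary maps directly onto the curl example later on this page: the body goes in request.json and the URL is the one with the encoded attachment point. Because the etag is copied from the policy you read, a concurrent change by another administrator makes the PUT fail instead of silently overwriting their rules.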
To update the deny policy for a resource, run the gcloud iam policies update command:
gcloud iam policies update POLICY_ID \
--attachment-point=ATTACHMENT_POINT \
--kind=denypolicies \
--policy-file=POLICY_FILE
Provide the following values:
POLICY_ID: The identifier for the deny policy.
ATTACHMENT_POINT: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_FILE: The filepath for the JSON file that contains the deny policy.
By default, if this command succeeds, it does not print any output. To print a detailed response, add the flag --format=json to the command.
For example, the following command updates a deny policy named my-deny-policy for the project my-project, using a file named policy.json:
gcloud iam policies update my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies \
--policy-file=policy.json
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The policies.update method updates a deny policy.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_ID: An identifier for the deny policy.
POLICY: The updated deny policy.
For example, to add a permission to the policy shown in the previous step, replace POLICY with the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
  "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
  "kind": "DenyPolicy",
  "displayName": "My deny policy.",
  "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
  "createTime": "2022-06-05T19:22:26.770543Z",
  "updateTime": "2022-06-05T19:22:26.770543Z",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principal://goog/subject/lucian@example.com"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create",
          "iam.googleapis.com/roles.delete"
        ]
      }
    }
  ]
}
HTTP method and URL:
PUT https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID
Request JSON body:
POLICY
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/8b2d0ab2daf1ff01",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v2.PolicyOperationMetadata",
    "createTime": "2021-10-05T22:26:21.968687Z"
  },
  "response": {
    "@type": "type.googleapis.com/google.iam.v2.Policy",
    "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
    "uid": "6665c437-a3b2-a018-6934-54dd16d3426e",
    "kind": "DenyPolicy",
    "displayName": "My deny policy.",
    "etag": "MTgxNTIxNDE3NTYxNjQxODYxMTI=",
    "createTime": "2022-06-05T19:22:26.770543Z",
    "updateTime": "2022-06-05T22:26:21.968687Z",
    "rules": [
      {
        "denyRule": {
          "deniedPrincipals": [
            "principal://goog/subject/lucian@example.com"
          ],
          "deniedPermissions": [
            "iam.googleapis.com/roles.create",
            "iam.googleapis.com/roles.delete"
          ]
        }
      }
    ]
  }
}
The response identifies a long-running operation. You can monitor the status of the long-running operation to find out when it's complete. For details, see Check the status of a long-running operation on this page.
Delete a deny policy
If you no longer want to enforce the rules in a deny policy, you can delete the deny policy.
Caution: Deleting a deny policy is permanent. You cannot undelete deny policies. If you might need the rules again, save the output of gcloud iam policies get for the policy before you delete it, so that you can recreate the policy from that JSON.
Optionally, you can specify the etag for the policy version that you are deleting. If you specify the etag, it must match the current etag stored by IAM; if the values do not match, the request fails. You can use this feature to ensure that you are deleting the intended policy, rather than an updated version of that policy.
If you omit the etag from the request, IAM deletes the policy unconditionally.
In the Google Cloud console, go to the Deny tab on the IAM page.
Select a project, folder, or organization.
In the Policy ID column, click the ID of the policy that you want to delete.
Click delete Delete. In the confirmation dialog, click Confirm.
To delete a deny policy from a resource, run the gcloud iam policies delete command:
gcloud iam policies delete POLICY_ID \
--attachment-point=ATTACHMENT_POINT \
--kind=denypolicies
Provide the following values:
POLICY_ID: The identifier for the deny policy.
ATTACHMENT_POINT: An identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
Optionally, you can add the flag --etag=ETAG. Replace ETAG with the current etag value for the deny policy.
By default, if this command succeeds, it does not print any output. To print a detailed response, add the flag --format=json to the command.
For example, the following command deletes a deny policy named my-deny-policy from the project my-project:
gcloud iam policies delete my-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/my-project \
--kind=denypolicies
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Node.js
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Node.js API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The policies.delete method deletes a deny policy from a resource.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
POLICY_ID: An identifier for the deny policy.
ETAG: Optional. An identifier for the version of the policy. If present, this value must match the current etag value for the policy.
HTTP method and URL:
DELETE https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID?etag=ETAG
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID?etag=ETAG"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/denypolicies/POLICY_ID?etag=ETAG" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/8223fe308bf1ff01",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v2.PolicyOperationMetadata",
    "createTime": "2021-10-05T19:45:00.133311Z"
  },
  "response": {
    "@type": "type.googleapis.com/google.iam.v2.Policy",
    "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy",
    "kind": "DenyPolicy",
    "displayName": "My deny policy.",
    "etag": "MTc3NDU4MjM4OTY0MzU5MjQ5OTI=",
    "createTime": "2022-06-28T19:06:12.455151Z",
    "updateTime": "2022-07-05T19:45:00.133311Z",
    "deleteTime": "2022-07-05T19:45:00.133311Z",
    "rules": [
      {
        "denyRule": {
          "deniedPrincipals": [
            "principal://goog/subject/lucian@example.com"
          ],
          "deniedPermissions": [
            "iam.googleapis.com/roles.create"
          ]
        }
      }
    ]
  }
}
The response identifies a long-running operation. You can monitor the status of the long-running operation to find out when it's complete. For details, see Check the status of a long-running operation on this page.
Check the status of a long-running operation
When you use the REST API or the client libraries, any method that changes a deny policy returns a long-running operation, or LRO. The long-running operation tracks the status of the request and indicates whether the change to the policy is complete.
Note: If you use the gcloud CLI, you can see the long-running operation by running a command with the --format=json flag. However, you must use the REST API or the client libraries to get the operation's status.
Go
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
Java
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
Node.js
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
Python
The code samples on this page show how to wait for a long-running operation to finish, and then access its result.
REST
The policies.operations.get method returns the status of a long-running operation.
Before using any of the request data, make the following replacements:
ENCODED_ATTACHMENT_POINT: A URL-encoded identifier for the resource that the deny policy is attached to. To learn how to format this value, see Attachment point.
OPERATION_ID: The identifier for the operation. You receive this identifier in the response to your original request, as part of the operation name. Use the hexadecimal value at the end of the operation name. For example, 89cb3e508bf1ff01.
HTTP method and URL:
GET https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/operations/OPERATION_ID
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/operations/OPERATION_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://iam.googleapis.com/v2/policies/ENCODED_ATTACHMENT_POINT/operations/OPERATION_ID" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123/denypolicies/my-policy/operations/89cb3e508bf1ff01",
  "done": true
}
If the operation's done field is not present, continue to monitor its status by getting the operation repeatedly. Use truncated exponential backoff to introduce a delay between each request. When the done field is set to true, the operation is complete, and you can stop getting the operation.
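The polling loop described above, as an added example in Python that is not part of the original page or of Google's client libraries. It extracts OPERATION_ID from an operation name of the form shown in the responses above, builds the policies.operations.get URL, and polls through an injected get_operation callable with truncated exponential backoff (delay doubles, is capped, and gets jitter), so it runs offline against constructed responses; the callable, the default delays, the attempt limit and the handling of an error field (the standard google.longrunning.Operation shape, not shown on this page) are the example's own assumptions.

```python
import random
import time

IAM_V2 = "https://iam.googleapis.com/v2"


def operation_id_from_name(name):
    """Extract OPERATION_ID from the operation name returned by a write.

    The name ends in ".../operations/<hex id>"; that hex id is what the
    policies.operations.get URL expects.
    """
    _prefix, sep, op_id = name.rpartition("/operations/")
    if not sep or not op_id:
        raise ValueError(f"not an operation name: {name!r}")
    return op_id


def operation_url(encoded_attachment_point, op_id):
    """URL of policies.operations.get for an already URL-encoded attachment point."""
    return f"{IAM_V2}/policies/{encoded_attachment_point}/operations/{op_id}"


def wait_for_operation(get_operation, *, initial_delay=1.0, max_delay=32.0,
                       max_attempts=8, sleep=time.sleep, rng=random.random):
    """Poll until the operation reports done, using truncated exponential backoff.

    get_operation() must return the decoded JSON of one policies.operations.get
    call. The delay doubles after every incomplete response, is capped at
    max_delay, and gets up to one second of jitter so that many clients do not
    poll in lockstep. Returns the final operation; raises TimeoutError if it
    never completes within max_attempts polls and RuntimeError if it completes
    with an error field (assumed google.longrunning.Operation shape).
    """
    delay = initial_delay
    for attempt in range(1, max_attempts + 1):
        op = get_operation()
        if op.get("done"):
            if "error" in op:
                raise RuntimeError(f"operation failed: {op['error']}")
            return op
        if attempt == max_attempts:
            break
        sleep(min(delay, max_delay) + rng())
        delay *= 2
    raise TimeoutError(f"operation not done after {max_attempts} polls")


if __name__ == "__main__":
    # Constructed responses: two polls still running, then done.
    name = ("policies/cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123"
            "/denypolicies/my-policy/operations/89cb3e508bf1ff01")
    responses = iter([{"name": name}, {"name": name}, {"name": name, "done": True}])
    print(operation_url("cloudresourcemanager.googleapis.com%2Fprojects%2F1234567890123",
                        operation_id_from_name(name)))
    print(wait_for_operation(lambda: next(responses), sleep=lambda _s: None))
```

In real use get_operation would perform the authenticated GET shown in the curl example; keeping the transport outside the loop is what makes the backoff logic testable without credentials. Treat a TimeoutError as "unknown", not as "failed": the policy change may still land within the propagation window mentioned earlier on this page, so re-read the policy before acting on it.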
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.