GCP Deny Policy

Gaurav Gupta
3 min read · Jun 30, 2023


Deny Access to GCP resources via Deny policy

In GCP, Identity and Access Management (IAM) deny policies let you set guardrails on access to Google Cloud resources. With deny policies, you can define deny rules that prevent certain/all principals from using certain permissions, regardless of the roles they’re granted.

What is a deny policy:

A deny policy is a collection of metadata and deny rules. A deny rule associates a set of principals with a set of permissions that the principals are denied, or unable to use. Each rule can also specify a condition that determines when the permission is denied.

Required Roles: To view, create, update, and delete deny policies: Deny Admin (roles/iam.denyAdmin).

Required API to Enable: Identity and Access Management (IAM) API.

Supported tools for deny policy creation: a deny policy can be created via gcloud, Terraform, REST, or the client libraries (Python, Java, Go and Node.js).

Deny policies contain deny rules, which specify the following:

  1. The permissions to deny, written in the API form (for example iam.googleapis.com/roles.create).
  2. The principals that are denied those permissions (all users, a service account, a group, or an individual user).
  3. Optional: Principals that are exempt from the denial of permissions. For example, you can deny a permission to a group, but exempt specific users who belong to that group.
  4. Optional: A condition expression that specifies when the principals cannot use the permissions. In deny policies, condition expressions can only use functions for resource tags — other functions and operators are not supported.

Deny policies are inherited through the resource hierarchy. For example, if you deny a permission at the organization level, that permission will also be denied on the folders and projects within that organization, and on the service-specific resources within each project.

NOTE: Deny policies override allow policies. If a principal is granted a role that contains a specific permission, but a deny policy says that the principal cannot use that permission, then the principal cannot use the permission.

Structure of a deny policy:

{
  "displayName": "Deny Policy to create role",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "exceptionPrincipals": [
          "principal://goog/subject/USER_EMAIL_ADDRESS"
        ],
        "deniedPermissions": [
          "iam.googleapis.com/roles.create"
        ]
      }
    }
  ]
}

deniedPermissions: A list of permissions that the specified principals cannot use. The permissions must be supported in deny policies (see https://cloud.google.com/iam/docs/deny-permissions-support).

deniedPrincipals: A list of principals that cannot use the specified permissions. (https://cloud.google.com/iam/docs/principal-identifiers#v2)

e.g. all users: principalSet://goog/public:all
A group: principalSet://goog/group/GROUP_EMAIL_ADDRESS
An individual user: principal://goog/subject/USER_EMAIL_ADDRESS
A service account: principal://iam.googleapis.com/projects/-/serviceAccounts/SA_EMAIL_ADDRESS

exceptionPrincipals: (Optional). A list of principals that can use the specified permissions, even if those principals are included in deniedPrincipals. For example, you can use this field to make an exception for specific users who belong to a denied group.
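As an added example (not part of the original post), the following Python models the semantics described above offline: it validates a denypolicy.json document against the principal identifier and permission forms listed here, and evaluates whether a principal can use a permission given its role grants, deny rules inherited down the hierarchy, and exception principals. The attachment-point strings, e-mail addresses and the folder/project hierarchy are constructed sample values; conditions on resource tags are not modelled.

```python
import re
# v2 principal identifier forms listed in the post (all users, group, user, service account).
PRINCIPAL_RE = re.compile(
    r"^(principalSet://goog/public:all|principalSet://goog/group/[^/\s]+@[^/\s]+|principal://goog/subject/[^/\s]+@[^/\s]+"
    r"|principal://iam\.googleapis\.com/projects/-/serviceAccounts/[^/\s]+@[^/\s]+)$")
# Deny policies name permissions as SERVICE.googleapis.com/PERMISSION, not the v1 "iam.roles.create" form.
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*\.googleapis\.com/[A-Za-z0-9.]+$")

def validate_policy(policy):
    # Returns a list of problems found in a deny policy document; an empty list means it is well-formed.
    problems = []
    for i, rule in enumerate(policy.get("rules", [])):
        deny = rule.get("denyRule", {})
        for p in deny.get("deniedPrincipals", []) + deny.get("exceptionPrincipals", []):
            if not PRINCIPAL_RE.match(p):
                problems.append(f"rule {i}: bad principal identifier {p!r}")
        for perm in deny.get("deniedPermissions", []):
            if not PERMISSION_RE.match(perm):
                problems.append(f"rule {i}: bad permission {perm!r}")
    return problems
def principal_matches(identifier, email, groups):
    # groups: e-mail addresses of the groups this user or service account belongs to.
    if identifier == "principalSet://goog/public:all":
        return True
    if identifier.startswith("principalSet://goog/group/"):
        return identifier.rsplit("/", 1)[1] in groups
    return identifier.rsplit("/", 1)[1] == email
def is_denied(policies, hierarchy, email, groups, permission):
    # hierarchy: attachment points from the org down to the resource; a rule at any level inherits down.
    for point in hierarchy:
        for policy in policies.get(point, []):
            for rule in policy["rules"]:
                deny = rule["denyRule"]
                if permission not in deny.get("deniedPermissions", []):
                    continue
                if any(principal_matches(p, email, groups) for p in deny.get("exceptionPrincipals", [])):
                    continue  # exempt even though deniedPrincipals may also match
                if any(principal_matches(p, email, groups) for p in deny.get("deniedPrincipals", [])):
                    return True
    return False
def can_use(allowed_permissions, policies, hierarchy, email, groups, permission):
    # Deny overrides allow: a role grant is usable only when no inherited deny rule matches.
    return permission in allowed_permissions and not is_denied(policies, hierarchy, email, groups, permission)

# Constructed sample: the post's org-level policy, with a made-up exception principal.
ORG_POLICY = {"displayName": "Deny Policy to create role", "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/public:all"], "deniedPermissions": ["iam.googleapis.com/roles.create"],
    "exceptionPrincipals": ["principal://goog/subject/admin@example.com"]}}]}
POLICIES = {"organizations/org-id": [ORG_POLICY]}
HIERARCHY = ["organizations/org-id", "folders/42", "projects/demo"]
```

validate_policy can be run over a denypolicy.json file (after json.load) before handing it to the gcloud create command shown below.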

Create a deny policy: The following command creates a deny policy named my-deny-policy for the organisation org-id, using a file named denypolicy.json.

gcloud iam policies create my-deny-policy --attachment-point=cloudresourcemanager.googleapis.com/organizations/org-id --kind=denypolicies --policy-file=denypolicy.json

List deny policies: A resource can have up to 5 deny policies.

gcloud iam policies list --attachment-point=ATTACHMENT_POINT --kind=denypolicies --format=json

View a deny policy: You can view a deny policy to see the deny rules that it contains, including the permissions that are denied and the principals who cannot use those permissions.

gcloud iam policies get POLICY_ID --attachment-point=ATTACHMENT_POINT --kind=denypolicies --format=json

Delete a deny policy: If you no longer want to enforce the rules in a deny policy, you can delete the deny policy.

gcloud iam policies delete POLICY_ID --attachment-point=ATTACHMENT_POINT --kind=denypolicies

Terraform Code to create deny policy:

Below is Terraform code that creates a deny policy at organisation scope, denying all users the permission “iam.googleapis.com/roles.create” with one exception principal.

resource "google_iam_deny_policy" "denypolicy" {
  provider     = google-beta
  parent       = urlencode("cloudresourcemanager.googleapis.com/organizations/org-id")
  name         = "my-deny-policy"
  display_name = "my-deny-policy"
  rules {
    deny_rule {
      denied_principals    = ["principalSet://goog/public:all"]
      # Terraform attribute name is exception_principals (the REST field is exceptionPrincipals)
      exception_principals = ["principal://goog/subject/abc@gmail.com"]
      denied_permissions   = ["iam.googleapis.com/roles.create"]
    }
  }
}

Run “terraform apply” to create the deny policy:

[Image: create deny policy via terraform]

NOTE:

  • Please note that the IAM principal must be granted the “Deny Admin” role separately. Even if the IAM principal holds the Owner, Editor or Organization Admin role, it cannot create, modify or delete a deny policy without it.
  • In general, policy changes take effect within 2 minutes. However, in some cases it can take 7 minutes or more for changes to propagate across the system.
  • At this moment, deny policy operations (create/get/delete/update) are only possible from the CLI/API (gcloud, Terraform, REST, Python, Java); nothing is available in the GCP console.

References:

https://cloud.google.com/iam/docs/deny-overview

https://cloud.google.com/iam/docs/deny-access
