How to Block Project Access for a Given User or Group in GCP
If you are dealing with a security event, you may want to block a user or group's access to a GCP project. In this guide, we'll show you how to block access using the GCP Console and CLI.
Mar 13, 2023
In Google Cloud Platform (GCP), access to a project is controlled by its IAM policy: a list of bindings, each of which grants one role to a set of principals (users, groups, service accounts). To block a user or group, you remove their bindings from that policy, and because IAM changes take effect quickly this is something you can do in the middle of an incident.
In this guide, we'll show you how to make these permission changes with both the GCP console and the gcloud CLI tool.
How to Get All IAM Policies for a GCP Project
First, it can be helpful to retrieve the full IAM policy of a project, which lists every role binding on it. With the gcloud CLI the command has the form gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH, where:
RESOURCE_TYPE: The type of resource whose policy you want: projects, folders, or organizations.
RESOURCE_ID: The ID of the GCP project, folder, or organization to retrieve the IAM policy for. Project IDs are made of lowercase letters, digits and hyphens, like this-project1. Folder and organization IDs are numeric, like 1231998.
FORMAT: The output format, yaml or json.
PATH: The file the policy is written to. With projects, a project ID, json and a path in your home directory, the project's policy is saved as JSON in your home directory.
Using the GCP Console:
Open IAM & Admin > IAM for the project, select the PERMISSIONS tab, and then click VIEW BY PRINCIPALS. This tab lists every principal that has been granted a role in the project, including roles inherited from the parent folder or organization.
Above the list you will see Filter. Click it and pick the property to filter on: Role, to show only the principals holding a given role (for example Service Account User), or Type, to show only principals of a given kind (for example Service account). Press Enter and the IAM page narrows the list to the matching principals. Note that Service Account here is a principal type, not a role.
Using the gcloud CLI:
Follow these steps to check whether a specific principal has a particular role in a GCP project:
Run the projects list command with a format filter to print only the IDs of the projects you have access to:
gcloud projects list --format="table(projectId)"
The output is a single column of project IDs.
Now, run get-iam-policy with the ID of the project you want to check to print its IAM policy as JSON: gcloud projects get-iam-policy PROJECT_ID --format=json. Search the bindings array for the principal (written as user:, group: or serviceAccount: followed by the address) to see which roles it holds directly. Roles granted through a group the principal belongs to, or inherited from a parent folder or organization, are not visible in the project policy.
How to Block Project Access for a User or Group
Using the GCP Console:
Open IAM & Admin > IAM for the project, click the PERMISSIONS tab, and select VIEW BY PRINCIPALS to see every principal with a role in the selected project.
Find the principal you want to block and click the edit (pencil) icon next to it to open the edit panel. Locate the roles to revoke, such as Service Account User or Service Account Token Creator, and click the delete icon next to each role to remove it. Roles marked as inherited from a folder or organization cannot be removed here; they must be removed on that parent resource.
Click SAVE to apply the change. The principal is removed from those role bindings in the project's IAM policy and no longer has the corresponding access. If the principal is a member of a group that still holds roles on the project, it keeps that access until it is removed from the group or the group's binding is removed.
Using the gcloud CLI:
Follow these steps to block GCP project access:
Run projects get-iam-policy with the ID of the project you want to reconfigure to retrieve its current IAM policy: gcloud projects get-iam-policy PROJECT_ID --format=json > gcp-iam-policy.json
Edit the returned policy: in the bindings for roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator (or whichever roles you are revoking), delete the principal from the members list; if the principal was the only member, remove the whole binding. Leave the etag field in place, so that set-iam-policy refuses to overwrite a policy that changed between your read and your write.
Save the edited policy as new-gcp-iam-policy.json and apply it: gcloud projects set-iam-policy PROJECT_ID new-gcp-iam-policy.json
Now the principal no longer holds the roles it previously had on the project. This only removes bindings set directly on the project: roles inherited from the parent folder or organization, or granted through a group the principal belongs to, must be removed at that level. Sessions that already hold a valid access token can keep using it until it expires, so for a compromised account you should also disable or suspend the account itself.
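The following script is an added example, not code from the original post or from Blink. It wraps the gcloud commands used above: it fetches a project's IAM policy, reports which roles a principal holds directly (the check described under "How to Get All IAM Policies"), removes the principal from the chosen bindings, and applies the result with set-iam-policy. The gcloud calls only run when the file is executed as a script; the policy-editing functions are pure and run offline against the constructed SAMPLE_POLICY, whose project, principals and etag are assumed values, not real data.

```python
"""Check and revoke a principal's direct roles in a GCP project IAM policy.

Added example (not the post's own code). Wraps:
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud projects set-iam-policy PROJECT_ID new-gcp-iam-policy.json
"""
import copy
import json
import subprocess
import sys

# Constructed sample in the shape returned by `gcloud projects get-iam-policy
# PROJECT_ID --format=json`. Principals and etag are assumed, not real.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com", "group:devs@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyZ123abc=",
    "version": 1,
}


def get_iam_policy(resource_type, resource_id):
    """Run `gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=json`.

    resource_type is 'projects', 'folders' or 'organizations'; resource_id is
    the project ID (e.g. this-project1) or the numeric folder/org ID.
    """
    out = subprocess.run(
        ["gcloud", resource_type, "get-iam-policy", resource_id, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def roles_for_principal(policy, member):
    """Roles bound directly to `member` (e.g. 'user:alice@example.com').

    Only direct bindings are visible: roles inherited from a parent folder or
    organization, or held via a group, do not appear in the project policy.
    """
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def remove_principal_roles(policy, member, roles=None):
    """Return a copy of `policy` with `member` removed from the bindings for
    `roles` (from all of its direct bindings when roles is None).

    A binding left with no members is dropped rather than kept empty. The
    etag is preserved so set-iam-policy fails instead of overwriting a
    concurrent change to the policy. The input policy is not modified.
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if roles is None or binding["role"] in roles:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def set_iam_policy(resource_type, resource_id, policy, path="new-gcp-iam-policy.json"):
    """Write `policy` to `path` and apply it with
    `gcloud RESOURCE_TYPE set-iam-policy RESOURCE_ID PATH`."""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    subprocess.run(["gcloud", resource_type, "set-iam-policy", resource_id, path],
                   check=True)


if __name__ == "__main__":
    # Usage: python block_access.py PROJECT_ID user:alice@example.com [roles/... ...]
    # With no roles given, every direct binding of the principal is removed.
    project_id, member = sys.argv[1], sys.argv[2]
    roles = sys.argv[3:] or None
    policy = get_iam_policy("projects", project_id)
    print("direct roles before:", roles_for_principal(policy, member))
    updated = remove_principal_roles(policy, member, roles)
    set_iam_policy("projects", project_id, updated)
    print("direct roles after:", roles_for_principal(updated, member))
```

The script deliberately keeps the etag from the fetched policy, so if a colleague edits the same policy between your get and set, gcloud rejects the write and you re-run rather than silently reverting their change. Run with `python block_access.py this-project1 user:alice@example.com roles/iam.serviceAccountUser roles/iam.serviceAccountTokenCreator` (assumed project and principal) after authenticating gcloud.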
Blocking Project Access with a Blink Automation
Taking the steps to remove someone’s access to a project is time-consuming, but there are circumstances where urgency is important. If someone’s account is compromised or if they may be exfiltrating data, you would want to quickly be able to block them until you have more information or have resolved an incident.
This automation in the Blink library enables team members to block access by inputting the specific user, role, and project.
When the automation runs, it does the following steps:
Gets all the IAM policies for the specified GCP project.
Checks if that user has the specified role.
Removes that user’s role from the IAM policy binding.
This automation on its own could save you some time, but you can also customize it and incorporate it into other workflows.
For example, you can set up an event trigger to run this automation as part of a response to security threats detected by EDR or DLP tools. With no-code actions, you can easily drag-and-drop approval steps and notifications into the canvas.
With Blink, you can build your own automation from scratch or use one of our 5K pre-built automations today.