How to Block Project Access for a Given User or Group in GCP

Learn how to block user or group access to a GCP project during a security event using the GCP Console and CLI in our step-by-step guide.

Patrick Londa
Author
Mar 13, 2023

In Google Cloud Platform (GCP), you can control access to your projects with a combination of roles and policies. If you need to block project access to a GCP user or group, you need to update policies on the fly.

In this guide, we’ll show you how to make these permission updates with both the GCP console and the gcloud CLI tool.

How to Get All IAM Policies for a GCP Project

First, it can be helpful to get information on all the policies and roles associated with a certain project.

Using the Console:

  1. Visit GCP console: https://console.cloud.google.com
  2. Click on the Select a project button, and find the project or folder you want to view the IAM policies for.
  3. Click on the navigation menu and select IAM and Admin.
  4. In this section, you will be shown a list of every member/principal along with their respective project roles. Principals who inherited roles from parent resources are also shown on this list.
  5. The details of a specific policy can be viewed by clicking on the member's name.
  6. If you have a large number of policies, use the search feature to locate the one you are looking for.

Using the CLI:

Run the following get-iam-policy command to see all IAM policies:

gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH
  • RESOURCE_TYPE: The type of resource whose policy you want to see: projects, folders, or organizations.
  • RESOURCE_ID: The ID of the GCP project, folder, or organization you want to retrieve the IAM policy for. Project IDs are alphanumeric, like this-project1, while organization and folder IDs are numeric, like 1231998.
  • FORMAT: The output format, either yaml or json.
  • PATH: The path of the file the policy is written to. In the following example, the policy for the project is retrieved and saved in JSON format to your home directory.

The final command would look like this:

gcloud projects get-iam-policy this-project1 --format=json > ~/policy.json

The output will be the IAM policy for the project you specified.

Checking if a Specific Principal Has a Certain Role

Next, you can check if a specific user or principal has access to this project and what roles they have.

Using the Console:

To check if a specific principal (e.g. a user, a group, a service account, etc.) has a particular role in a GCP project, follow these steps:

  1. Visit Google Cloud Console and select the project that you want to check.
  2. Visit IAM & Admin from the hamburger menu.
  3. Select the PERMISSIONS tab, and then click VIEW BY PRINCIPALS. In this tab, you will see a list of all the principals that have been granted roles in this project.
  4. Under the VIEW BY PRINCIPALS tab, click Filter and select Role from the menu. Next, choose Type and select the kind of principal you are looking for, such as Service Account. Press Enter and the IAM console will show only principals of that type, with the roles they hold.

Using the gcloud CLI:

Follow these steps to check if a specific principal has a particular role in a GCP project:

  1. Run the projects list command with a format filter to list the IDs of the projects in your GCP account. The command is:
gcloud projects list --format="table(projectId)"

After entering the command, you will get the project IDs you requested.

  2. Now, use the get-iam-policy command with the GCP project ID you want to check to output its IAM policy in JSON format. The command:
gcloud projects get-iam-policy cc-project5-123123 --format=json

The specified IAM policy should be returned like this:

{
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

Now you can look up each member by name in the returned bindings and see which roles they hold.


How To Remove the Principal from the IAM Policy Role Binding to Block Their Access

Using the Console:

Follow these steps to block GCP project access to a User or Group:

  1. Go to the Google Cloud Console and select the project from which you want to remove the principal.
  2. Go to the IAM & admin menu and select IAM.
  3. Click on the PERMISSIONS tab and select View by Principals to see every principal that has been granted a role in the selected project.
  4. Open the Edit permissions panel for the principal, find the role you want to remove, such as Service Account User or Service Account Token Creator, and click the delete icon next to that role.
  5. To save the changes, click SAVE. It will remove the principal from the IAM Policy Role Binding, and they will no longer have access to the project.

Using the gcloud CLI:

Follow these steps to block GCP project access:

  1. Run the projects get-iam-policy command with the ID of the GCP project you wish to reconfigure to retrieve its current IAM policy:
gcloud projects get-iam-policy cc-project5-123123 --format=json

The output should return as:

{
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}
  2. Edit the policy returned at the previous step and delete the bindings for roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator that grant the principal access to the selected project.
  3. Save the edited policy document to a JSON file named new-gcp-iam-policy.json:
{
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}
  4. Now, update the IAM policy by running the set-iam-policy command with the policy reconfigured at the previous step:
gcloud projects set-iam-policy cc-project5-123123 new-gcp-iam-policy.json

The principal no longer holds the roles you removed from the policy.
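As an added worked example (not code from the post or from Blink), here is the role check from the "Checking if a Specific Principal Has a Certain Role" section together with the edit-the-policy step of the CLI procedure, in Python: it embeds the sample policy shown above as constructed input, reports the roles a principal holds, and writes the policy with that principal removed, ready for set-iam-policy. Member and role names are the ones from the post; the output file name new-gcp-iam-policy.json is the one the step uses.

```python
import json
from typing import List, Optional

# Constructed sample input: the policy document shown in the steps above,
# embedded here so the script runs offline.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["user:cloud.realisation@gmail.com"], "role": "roles/editor"},
    {"members": ["user:cloud.conformity@gmail.com"], "role": "roles/owner"},
    {"members": ["serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"],
     "role": "roles/iam.serviceAccountTokenCreator"},
    {"members": ["serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"],
     "role": "roles/iam.serviceAccountUser"}
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}
""")

def roles_for(policy: dict, member: str) -> List[str]:
    """Roles a principal (e.g. 'user:alice@example.com') holds in this policy."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def has_role(policy: dict, member: str, role: str) -> bool:
    """The check from the 'Checking if a Specific Principal Has a Certain Role' section."""
    return role in roles_for(policy, member)

def remove_member(policy: dict, member: str, role: Optional[str] = None) -> dict:
    """Return a copy of `policy` with `member` dropped from every binding, or only
    from the binding for `role` when one is given. Other members keep their access,
    an emptied binding is dropped, any 'condition' on a binding is carried over, and
    the etag is copied unchanged so set-iam-policy fails if the policy changed since read.
    """
    new_bindings = []
    for b in policy.get("bindings", []):
        members = list(b.get("members", []))
        if role is None or b["role"] == role:
            members = [m for m in members if m != member]
        if members:
            new_bindings.append({**b, "members": members})
    return {**policy, "bindings": new_bindings}

if __name__ == "__main__":
    sa = "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
    # Next step: gcloud projects set-iam-policy cc-project5-123123 new-gcp-iam-policy.json
    with open("new-gcp-iam-policy.json", "w") as fh:
        json.dump(remove_member(SAMPLE_POLICY, sa), fh, indent=2)
```

Removing a principal this way leaves other members of the same binding intact, and a binding that named only the blocked principal is dropped, matching the hand-edited file above. For a single member and role, gcloud projects remove-iam-policy-binding PROJECT_ID --member=MEMBER --role=ROLE performs the same read-modify-write for you.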

Blocking Project Access with a Blink Automation

Taking the steps to remove someone’s access to a project is time-consuming, but there are circumstances where urgency is important. If someone’s account is compromised or if they may be exfiltrating data, you would want to quickly be able to block them until you have more information or have resolved an incident.

Blink Automation: Block Access for Given User or Group in GCP

This automation in the Blink library enables team members to block access by inputting the specific user, role, and project.

When the automation runs, it does the following steps:

  1. Gets all the IAM policies for the specified GCP project.
  2. Checks if that user has the specified role.
  3. Removes that user’s role from the IAM policy binding.

This automation on its own could save you some time, but you can also customize it and incorporate it into other workflows.

For example, you can set up an event trigger to run this automation as part of a response to security threats detected by EDR or DLP tools. With no-code actions, you can easily drag-and-drop approval steps and notifications into the canvas.

With Blink, you can build your own automation from scratch or use one of our 5K pre-built automations today.

Get started with Blink today to see how easy automation can be.
