问题
Is there a way to deny permissions in GCP custom role? For example, this is a policy in AWS that denies a set of actions on S3: { "Sid": "DenyS3", "Effect": "Deny", "Action": "s3:Get*", "Resource": "*" } Is there a way to define a similar custom role in GCP?
回答1:
Is there a way to deny permissions in GCP custom role?
No, IAM roles are deny by default and are additive only.
How do i get permissions only on a specific image name?
The classic use case for IAM roles is to assign them to the Google Project. This is why a role grants you permission to all resources of that type for that role.
Google has started to release Identity based access control on resources. This means that you can attach an identity with roles to individual resources instead of to the project. For resources that support this, there is a right-hand side panel that allows you to set permissions.
回答2:
In google Cloud the roles are created based on the format
<service>.<resource>.<verb> which specify the exact role to be performed on Resource.
So if a custom role has to be created then you can either add above specific roles or completely omit them from the roles.
https://cloud.google.com/iam/docs/understanding-custom-roles
来源:https://stackoverflow.com/questions/58590455/gcp-equivalent-of-deny-permissions-in-aws-policy