Google Certified Associate Cloud Engineer 2020


Can IAM policies that are implemented higher in the resource hierarchy take away access that is granted by lower-level policies?

2 Answers

If I understood your question, the scenario you are describing is not possible because GCP resources inherit the Cloud IAM policies of their parent node, so you can't have a child resource with higher/exclusive permission than the one assigned to the parent resource. That is my understanding, at least.

Mattias Andersson

👌👍

Ansh is correct: That is not possible.  In particular, access that is granted at one level (any level) cannot be revoked at any other level (neither higher nor lower).  A slide in the IAM Breakdown – Policies lecture notes:


Always additive ("Allow") and never subtractive (no "Deny")

It’s good to check that you understand things like this correctly. 👍

Mattias
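
The additive behaviour described in the answers above, as an added example that is not part of the original thread and does not call any Google API: a toy model in which the effective policy on a resource is the union of the allow bindings set on it and on each of its ancestors. The resource names, members, and the helper functions `ancestry`, `effective_policy`, `has_role` and `granted_at` are all constructed for illustration.

```python
# Toy model of allow-policy inheritance; all data below is constructed.

# child -> parent (None marks the root of the hierarchy)
PARENT = {
    "organizations/example-org": None,
    "folders/engineering": "organizations/example-org",
    "projects/demo-project": "folders/engineering",
}

# Allow policy set directly on each node: role -> set of members
POLICIES = {
    "organizations/example-org": {"roles/viewer": {"user:alice@example.com"}},
    "folders/engineering": {},
    "projects/demo-project": {"roles/editor": {"user:bob@example.com"}},
}


def ancestry(resource, parent=PARENT):
    """Return the resource followed by its ancestors up to the root."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = parent[resource]
    return chain


def effective_policy(resource, policies=POLICIES, parent=PARENT):
    """Union of the bindings on the resource and on every ancestor."""
    merged = {}
    for node in ancestry(resource, parent):
        for role, members in policies.get(node, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged


def has_role(member, role, resource, policies=POLICIES, parent=PARENT):
    """True if any level from the resource up to the root grants the role."""
    return member in effective_policy(resource, policies, parent).get(role, set())


def granted_at(member, role, resource, policies=POLICIES, parent=PARENT):
    """Levels whose own policy holds the binding; revoking means editing each."""
    return [node for node in ancestry(resource, parent)
            if member in policies.get(node, {}).get(role, set())]
```

Because nothing in the merge subtracts, the only way to take access away in this model is to remove the binding at every level that `granted_at` reports.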
