
Can't find service account delete tag binding permission in deny policy list

I want to deny a specific IAM user from performing the `iam.serviceAccounts.deleteTagBinding` operation using a deny policy.

I cannot find that permission in the list.

Hi @jpcusp,

Welcome to Google Cloud Community!

Two ways I could think of to resolve this:

  • Remove broad IAM roles for the user (e.g. roles/iam.serviceAccountAdmin or others) to reduce their ability to perform delete tag bindings.
  • Or explicitly deny through an Organization or Folder policy. Try looking into resource hierarchy policies (organization-level policies or folder-level policies) to restrict the user's actions based on broader IAM roles and permissions.

Please note that it is a best practice to ensure the user has the least privilege required for their role. This limits the scope of what the user can and cannot do.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
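To act on the first suggestion above (trimming broad roles rather than waiting for a deny-policy entry), here is an added Python example, written for this thread and not code from the original post or from Google. It reads an allow policy in the shape `gcloud projects get-iam-policy PROJECT --format=json` prints, reports which of a principal's roles include a given permission, and shows what else the principal would lose if one of those roles were removed. The role-to-permission map and the policy here are constructed sample data (the role permission sets are an illustrative subset, not the real, complete role definitions); in practice populate the map from `gcloud iam roles describe ROLE --format=json`. The check is deliberately direct-binding only: it does not expand group membership, evaluate IAM conditions, or include bindings inherited from the folder or organization, so treat it as a first pass before editing anything.

```python
"""Added example: find which allow-policy roles give a principal a permission.

All data below is constructed for illustration. The role permission sets are
an illustrative subset, not Google's full role definitions. In practice, load
the policy from `gcloud projects get-iam-policy PROJECT --format=json` and
each role's permissions from `gcloud iam roles describe ROLE --format=json`.
"""
from typing import Dict, List, Set

# Constructed subset of role -> permissions (not the real, complete definitions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/iam.serviceAccountAdmin": {
        "iam.serviceAccounts.create",
        "iam.serviceAccounts.delete",
        "iam.serviceAccounts.deleteTagBinding",
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
    "roles/viewer": {
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
}

# Constructed allow policy in the shape `gcloud ... get-iam-policy` returns.
POLICY: dict = {
    "bindings": [
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com", "group:devs@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.com"]},
    ],
}


def roles_for(policy: dict, member: str) -> List[str]:
    """Roles directly bound to `member` in this policy.

    Limitation: no group expansion, no IAM conditions, and no bindings
    inherited from the folder or organization above this resource.
    """
    return [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])]


def roles_granting(policy: dict, member: str, permission: str,
                   role_permissions: Dict[str, Set[str]]) -> List[str]:
    """Which of `member`'s roles include `permission`.

    These are the bindings to remove or narrow if the permission must go.
    """
    return [r for r in roles_for(policy, member)
            if permission in role_permissions.get(r, set())]


def collateral_loss(policy: dict, member: str, role: str,
                    role_permissions: Dict[str, Set[str]]) -> Set[str]:
    """Permissions `member` would lose entirely if `role` were removed.

    A permission is only 'lost' if none of the member's remaining roles
    still grants it, which is what you need to know before pulling a role.
    """
    remaining = [r for r in roles_for(policy, member) if r != role]
    still_held: Set[str] = set()
    for r in remaining:
        still_held |= role_permissions.get(r, set())
    return role_permissions.get(role, set()) - still_held


if __name__ == "__main__":
    target = "iam.serviceAccounts.deleteTagBinding"
    who = "user:alice@example.com"
    for role in roles_granting(POLICY, who, target, ROLE_PERMISSIONS):
        lost = sorted(collateral_loss(POLICY, who, role, ROLE_PERMISSIONS))
        print(f"{who} gets {target} via {role}; removing it also drops: {lost}")
```

With the constructed data, the only route to `iam.serviceAccounts.deleteTagBinding` for `alice` is `roles/iam.serviceAccountAdmin`, and removing that role would also take away `create` and `delete` while `get` and `list` survive through `roles/iam.serviceAccountUser`. That is the trade-off the "least privilege" advice in the reply asks you to weigh: if the user still legitimately needs the other admin permissions, a custom role without `deleteTagBinding` is the narrower fix.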