Reputation: 1992
GCP - IAM Restrict Delete access for Admin Role
In Google Cloud Platform for all services as common, Is it possible to provide Admin Access but without deleting access to any resources? So user or service-account can perform read, create, update operations but delete alone will be restricted.
Upvotes: 0
Views: 363
Answers (1)
Reputation: 81416
The quick answer is no.
For some resources create and update are delete operations. You must consider the resource and the data contained by the resource. For example, updating a Cloud Storage object with zero-length content effectively deletes the content of the object.
For most resources, you can create a custom role with specific permissions. However, not all permissions can be assigned to custom roles, which means you must use a predefined role.
Some resources support delete inhibit (Compute Engine, Cloud Storage), but not all do.
Some resources cannot be deleted (KMS key ring, resources, and versions).
You will need to analyze your requirements resource by resource.
Upvotes: 1
Related Questions
- In GCP, can I prevent deletion of a VM, created by me, by another user?
- GCP equivalent of "deny" permissions in aws policy
- Delete specific IAM user from all the roles in a project/org using CLI
- Find and Revoke User in GCP Project
- GCP API Keys Admin role
- Where and how to apply user permission and remove the config that makes any user able to access GCP?
- GCP: How to completely delete a custom role
- IAM Role to allow IAM users to create only VM Instances and Disk in GCP?
- Limiting access of a GCP Cloud IAM custom role only to a bucket
- Restrict delete GCE instance permission