Remove principal access boundary policies

Principal access boundary (PAB) policies let you limit the resources that a set of principals are eligible to access. If you no longer want a principal access boundary policy to be enforced for a principal set, you can delete the policy binding that binds the policy to the principal set. If you want to remove a principal access boundary policy from all principal sets that it's bound to, you can delete the policy.

Removing a principal access boundary policy from a principal set has one of the following effects:

  • If the principals in the principal set aren't subject to any other principal access boundary policies, then they will be eligible to access all Google Cloud resources.
  • If the principals in the principal set are subject to other principal access boundary policies, then they will only be eligible to access the resources in those policies.

Before you begin

  • Set up authentication.

    Select the tab for how you plan to use the samples on this page:

    gcloud

    In the Google Cloud console, activate Cloud Shell.


    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

  • Read the overview of principal access boundary policies.

Roles required to delete principal access boundary policies

To get the permissions that you need to delete principal access boundary policies, ask your administrator to grant you the Principal Access Boundary Admin (roles/iam.principalAccessBoundaryAdmin) IAM role on your organization. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Roles required to delete principal access boundary policy bindings

The permissions that you need in order to delete policy bindings for principal access boundary policies depend on the principal set that's bound to the policy.

To get the permissions that you need to delete policy bindings for principal access boundary policies, ask your administrator to grant you the following IAM roles:

  • Principal Access Boundary User (roles/iam.principalAccessBoundaryUser) on your organization
  • Delete policy bindings for principal access boundary policies bound to Workforce Identity Federation pools: IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin) on the target Workforce Identity Federation pool
  • Delete policy bindings for principal access boundary policies bound to Workload Identity Federation pools: IAM Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin) on the project that owns the target Workload Identity Federation pool
  • Delete policy bindings for principal access boundary policies bound to a Google Workspace domain: Workspace Pool IAM Admin (roles/iam.workspacePoolAdmin) on the organization
  • Delete policy bindings for principal access boundary policies bound to a project's principal set: Project IAM Admin (roles/resourcemanager.projectIamAdmin) on the project
  • Delete policy bindings for principal access boundary policies bound to a folder's principal set: Folder IAM Admin (roles/resourcemanager.folderIamAdmin) on the folder
  • Delete policy bindings for principal access boundary policies bound to an organization's principal set: Organization Administrator (roles/resourcemanager.organizationAdmin) on the organization

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Remove a principal access boundary policy from a principal set

To remove a principal access boundary policy from a principal set, delete the policy binding that binds the policy to the principal set.

You can delete a policy binding using the Google Cloud console, the gcloud CLI, or the IAM REST API.

Console

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.


  2. Select the organization that owns the principal access boundary policy whose binding you want to delete.

  3. Click the policy ID of the principal access boundary policy whose bindings you want to delete.

  4. Click the Bindings tab.

  5. Find the ID of the binding that you want to delete. In that binding's row, click Actions, then click Delete binding.

  6. In the confirmation dialog, click Delete.

gcloud

The gcloud beta iam policy-bindings delete command deletes a policy binding.

Before using any of the command data below, make the following replacements:

  • BINDING_ID: The ID of the policy binding that you want to delete—for example, example-binding.
  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the value project, folder, or organization.

    The resource type depends on the principal set in the policy binding. To see which resource type to use, see Supported principal types.

  • RESOURCE_ID: The ID of the project, folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta iam policy-bindings delete BINDING_ID \
    --RESOURCE_TYPE=RESOURCE_ID --location=global

Windows (PowerShell)

gcloud beta iam policy-bindings delete BINDING_ID `
    --RESOURCE_TYPE=RESOURCE_ID --location=global

Windows (cmd.exe)

gcloud beta iam policy-bindings delete BINDING_ID ^
    --RESOURCE_TYPE=RESOURCE_ID --location=global

The response contains a long-running operation representing your request.

Delete request issued for: [example-binding]
Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374724030-6181fcd1520c5-d21b0a12-b704e1ce] to complete...done.
Deleted policyBinding [example-binding].

REST

The policyBindings.delete method deletes a policy binding.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the value projects, folders, or organizations.

    The resource type depends on the principal set in the policy binding. To see which resource type to use, see Supported principal types.

  • RESOURCE_ID: The ID of the project, folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • BINDING_ID: The ID of the policy binding that you want to delete—for example, example-binding.

HTTP method and URL:

DELETE https://iam.googleapis.com/v3beta/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID


The response contains a long-running operation representing your request.

{
  "name": "organizations/123456789012/locations/global/operations/operation-1715373190994-6181f71b4daad-6d8168c1-13cc6600",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v3beta.OperationMetadata",
    "createTime": "2024-05-10T20:33:11.165728913Z",
    "target": "organizations/123456789012/locations/global/policyBindings/example-binding",
    "verb": "delete",
    "requestedCancellation": false,
    "apiVersion": "v3beta"
  },
  "done": false
}

Remove a principal access boundary policy from all principal sets

To remove a principal access boundary policy from all of the principal sets that it's bound to, delete the principal access boundary policy. Deleting the principal access boundary policy also deletes all policy bindings that reference the policy.

You can delete a principal access boundary policy using the Google Cloud console, the gcloud CLI, or the IAM REST API.

Console

  1. In the Google Cloud console, go to the Principal Access Boundary policies page.


  2. Select the organization that owns the principal access boundary policy that you want to delete.

  3. Find the ID of the policy that you want to delete. In that policy's row, click Actions, then click Delete policy.

  4. In the confirmation dialog, confirm that you want to delete the policy:

    • To delete the policy only if the policy doesn't have any bindings associated with it, click Delete.
    • To delete the policy and all associated bindings, select the Forcefully delete policy checkbox, then click Delete.

gcloud

The gcloud beta iam principal-access-boundary-policies delete command deletes a principal access boundary policy and all associated bindings.

Before using any of the command data below, make the following replacements:

  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want to delete—for example, example-policy.
  • ORG_ID: The ID of the organization that owns the principal access boundary policy. Organization IDs are numeric, like 123456789012.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta iam principal-access-boundary-policies delete PAB_POLICY_ID \
    --organization=ORG_ID --location=global

Windows (PowerShell)

gcloud beta iam principal-access-boundary-policies delete PAB_POLICY_ID `
    --organization=ORG_ID --location=global

Windows (cmd.exe)

gcloud beta iam principal-access-boundary-policies delete PAB_POLICY_ID ^
    --organization=ORG_ID --location=global

The response contains a long-running operation representing your request.

Delete request issued for: [example-policy]
Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374811191-6181fd2471ab4-f0947406-85778c43] to complete...
Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374811191-6181fd2471ab4-f0947406-85778c43] to complete...done.
Deleted principalAccessBoundaryPolicy [example-policy].

REST

The principalAccessBoundaryPolicies.delete method deletes a principal access boundary policy and all associated bindings.

Before using any of the request data, make the following replacements:

  • ORG_ID: The ID of the organization that owns the principal access boundary policy. Organization IDs are numeric, like 123456789012.
  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want to delete—for example, example-policy.

HTTP method and URL:

DELETE https://iam.googleapis.com/v3beta/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID


The response contains a long-running operation representing your request.

{
  "name": "organizations/123456789012/locations/global/operations/operation-1715373190994-6181f71b4daad-6d8168c1-13cc6600",
  "metadata": {
    "@type": "type.googleapis.com/google.iam.v3beta.OperationMetadata",
    "createTime": "2024-05-10T20:33:11.165728913Z",
    "target": "organizations/123456789012/locations/global/policyBindings/example-policy",
    "verb": "delete",
    "requestedCancellation": false,
    "apiVersion": "v3beta"
  },
  "done": false
}
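The following is an added example, not code from this page or from Google's SDK. It models the two effects described under "Removing a principal access boundary policy from a principal set" (a principal set either keeps other PAB policies or becomes eligible for all resources) for both a single binding deletion and a whole policy deletion, and builds the v3beta DELETE URLs shown above. The binding records are constructed sample data shaped after the policyBindings resource fields (name, target.principalSet, policy); the principalSet URI format is an assumption.

```python
# Added example (not from the Google Cloud docs or SDK): model what removing a
# binding or a whole policy does to each principal set, per the effects section,
# and build the v3beta DELETE URLs from this page. Bindings are constructed
# sample data shaped after the policyBindings fields; principalSet format assumed.
from urllib.parse import quote

IAM_V3BETA = "https://iam.googleapis.com/v3beta"
ORG = "organizations/123456789012/locations/global"
SAMPLE_BINDINGS = [  # constructed sample data, not real resources
    {"name": f"{ORG}/policyBindings/example-binding",
     "target": {"principalSet": "//cloudresourcemanager.googleapis.com/projects/my-project"},
     "policy": f"{ORG}/principalAccessBoundaryPolicies/example-policy"},
    {"name": f"{ORG}/policyBindings/second-binding",
     "target": {"principalSet": "//cloudresourcemanager.googleapis.com/projects/my-project"},
     "policy": f"{ORG}/principalAccessBoundaryPolicies/other-policy"},
    {"name": f"{ORG}/policyBindings/folder-binding",
     "target": {"principalSet": "//cloudresourcemanager.googleapis.com/folders/987654321098"},
     "policy": f"{ORG}/principalAccessBoundaryPolicies/example-policy"},
]

def binding_delete_url(resource_type, resource_id, binding_id):
    """URL for policyBindings.delete; resource_type is projects, folders or organizations."""
    if resource_type not in ("projects", "folders", "organizations"):
        raise ValueError(f"unsupported RESOURCE_TYPE: {resource_type}")
    return (f"{IAM_V3BETA}/{resource_type}/{quote(resource_id, safe='')}"
            f"/locations/global/policyBindings/{quote(binding_id, safe='')}")

def policy_delete_url(org_id, pab_policy_id):
    """URL for principalAccessBoundaryPolicies.delete (policies are owned by an organization)."""
    return (f"{IAM_V3BETA}/organizations/{quote(org_id, safe='')}"
            f"/locations/global/principalAccessBoundaryPolicies/{quote(pab_policy_id, safe='')}")

def remaining_policies(bindings, principal_set, removed_names):
    """PAB policies still bound to principal_set once the named bindings are deleted."""
    return sorted({b["policy"] for b in bindings
                   if b["target"]["principalSet"] == principal_set
                   and b["name"] not in removed_names})

def impact_of_deleting_binding(bindings, binding_name):
    """Map the binding's principal set to the policies that still constrain it (empty = all resources)."""
    target = next(b for b in bindings if b["name"] == binding_name)
    ps = target["target"]["principalSet"]
    return {ps: remaining_policies(bindings, ps, {binding_name})}

def impact_of_deleting_policy(bindings, policy_name):
    """Deleting a policy also deletes every binding that references it; report each affected set."""
    removed = {b["name"] for b in bindings if b["policy"] == policy_name}
    sets = sorted({b["target"]["principalSet"] for b in bindings if b["name"] in removed})
    return {ps: remaining_policies(bindings, ps, removed) for ps in sets}
```

Run the impact functions against the bindings you list before issuing the delete: a principal set that maps to an empty list is the case from the first bullet of the effects section, where nothing bounds those principals any more.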

What's next