Delete a member from the IAM policy for a Cloud Storage bucket.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
C++
For more information, see the Cloud Storage C++ API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
// Remove `member` from every unconditional binding for `role` on the bucket's
// IAM policy, then write the policy back.
//
// Only bindings without a condition are edited; a conditional binding that
// grants the same role to the same member is left in place, so callers that
// need the grant fully revoked must check those separately. Nothing is
// reported when `member` was not present: the policy is written back either
// way. Both API errors are surfaced by throwing the returned Status.
[](gcs::Client client, std::string const& bucket_name, std::string const& role,
   std::string const& member) {
  // Version 3 must be requested so conditional bindings are returned rather
  // than rejected; the same version is then stamped on the policy we write.
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();
  policy->set_version(3);

  // Rebuild the binding list: strip `member` from matching unconditional
  // bindings, and drop any binding that ends up (or already was) empty.
  std::vector<gcs::NativeIamBinding> kept;
  for (auto& binding : policy->bindings()) {
    auto& members = binding.members();
    bool const is_target = binding.role() == role && !binding.has_condition();
    if (is_target) {
      auto const new_end = std::remove(members.begin(), members.end(), member);
      members.erase(new_end, members.end());
    }
    if (members.empty()) continue;
    kept.emplace_back(std::move(binding));
  }
  policy->bindings() = std::move(kept);

  // NOTE(review): presumably the fetched policy carries an etag that the Set
  // call uses for optimistic concurrency — confirm in the library docs before
  // relying on it for concurrent edits.
  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::move(updated).status();
  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";
}
C#
For more information, see the Cloud Storage C# API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
using
Google.Cloud.Storage.V1
;
using
System
;
using
System.Linq
;
public class RemoveBucketIamMemberSample
{
    /// <summary>
    /// Removes <paramref name="member"/> from every binding for
    /// <paramref name="role"/> on the bucket's IAM policy and writes the
    /// policy back. Bindings left with no members are deleted.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the binding filter matches on role only, so a
    /// conditional binding for the same role also loses the member — the
    /// other language samples restrict themselves to unconditional bindings;
    /// confirm which behaviour is intended. The policy is written back even
    /// when the member was not present.
    /// </remarks>
    public void RemoveBucketIamMember(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string member = "serviceAccount:dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();

        // Version 3 must be requested so conditional bindings are returned
        // rather than rejected.
        var options = new GetBucketIamPolicyOptions { RequestedPolicyVersion = 3 };
        var policy = storage.GetBucketIamPolicy(bucketName, options);

        // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
        policy.Version = 3;

        // Snapshot the matching bindings first: removing a binding mutates the
        // collection we would otherwise be iterating.
        var matchingBindings = policy.Bindings.Where(b => b.Role == role).ToList();
        foreach (var binding in matchingBindings)
        {
            // Remove the role/member combo from the IAM policy.
            binding.Members = binding.Members.Where(m => m != member).ToList();

            // Remove role if it contains no members.
            if (binding.Members.Count == 0)
            {
                policy.Bindings.Remove(binding);
            }
        }

        // Set the modified IAM policy to be the current IAM policy.
        storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine($"Removed {member} with role {role} from {bucketName}");
    }
}
Go
For more information, see the Cloud Storage Go API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
import
(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/iam"
"cloud.google.com/go/storage"
)
// removeBucketIAMMember removes the bucket IAM member.
//
// The identity and role are hard-coded below. policy.Remove only edits the
// local copy; the change takes effect on the SetPolicy round trip, and the
// success message is printed regardless of whether the identity was present.
//
// NOTE(review): this goes through the v1 IAM policy handle. If the bucket
// carries conditional bindings, that call may be rejected and a version-3
// handle would be needed — confirm against the iam package docs.
func removeBucketIAMMember(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	// Bound the whole read-modify-write so a stalled API call cannot hang
	// the caller indefinitely.
	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()

	// Other valid prefixes are "serviceAccount:", "user:"
	// See the documentation for more values.
	// https://cloud.google.com/storage/docs/access-control/iam
	// member string, role iam.RoleName
	identity := "group:cloud-logs@google.com"
	var role iam.RoleName = "roles/storage.objectViewer"

	iamHandle := client.Bucket(bucketName).IAM()
	policy, err := iamHandle.Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().Policy: %w", bucketName, err)
	}

	policy.Remove(identity, role)
	if err := iamHandle.SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().SetPolicy: %w", bucketName, err)
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintf(w, "Removed %v with role %v from %v\n", identity, role, bucketName)
	return nil
}
Java
For more information, see the Cloud Storage Java API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
import
com.google.cloud. Binding
;
import
com.google.cloud. Policy
;
import
com.google.cloud.storage. Storage
;
import
com.google.cloud.storage. StorageOptions
;
import
java.util.ArrayList
;
import
java.util.List
;
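public class RemoveBucketIamMember {

  /**
   * Removes a member from the unconditional binding of a role on a bucket's IAM policy.
   *
   * <p>Only the first binding that matches the role, contains the member and has no condition is
   * edited; conditional bindings granting the same role are left in place. The policy is written
   * back even when no binding matched.
   *
   * <p>NOTE(review): if the member was the last one in the binding, the binding is kept with an
   * empty member list rather than removed as the other language samples do — confirm the API
   * accepts that.
   *
   * @param projectId the ID of your GCP project
   * @param bucketName the ID of your GCS bucket
   */
  public static void removeBucketIamMember(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage =
        StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    // Version 3 must be requested so conditional bindings are returned rather than rejected.
    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList and copying over to an ArrayList so it's mutable.
    // Diamond keeps the copy typed; a raw ArrayList would only compile with an unchecked warning.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Remove role-member binding without a condition.
    for (int index = 0; index < bindings.size(); index++) {
      Binding binding = bindings.get(index);
      boolean foundRole = binding.getRole().equals(role);
      boolean foundMember = binding.getMembers().contains(member);
      boolean bindingIsNotConditional = binding.getCondition() == null;
      if (foundRole && foundMember && bindingIsNotConditional) {
        bindings.set(index, binding.toBuilder().removeMembers(member).build());
        break;
      }
    }

    // Update policy to remove member
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.printf("Removed %s with role %s from %s\n", member, role, bucketName);
  }
}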
Node.js
For more information, see the Cloud Storage Node.js API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
/**
* TODO(developer): Uncomment the following lines before running the sample.
*/
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The role to revoke
// const roleName = 'roles/storage.objectViewer';
// The members to revoke the roles from
// const members = [
// 'user:jdoe@example.com',
// 'group:admins@example.com',
// ];
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client; credentials come from Application Default Credentials.
const storage = new Storage();
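/**
 * Removes every entry of `members` from the unconditional binding for
 * `roleName` on the bucket's IAM policy and writes the policy back.
 *
 * `bucketName`, `roleName` and `members` are the variables from the
 * TODO(developer) block at the top of this file. A conditional binding for
 * the same role is deliberately not touched.
 *
 * @throws {Error} if the policy has no unconditional binding for `roleName`.
 */
async function removeBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  // Version 3 must be requested so conditional bindings are returned rather
  // than rejected.
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Finds the appropriate role-member group, without a condition.
  const index = policy.bindings.findIndex(
    binding => binding.role === roleName && !binding.condition
  );
  const role = policy.bindings[index];

  if (!role) {
    // No matching role-member group(s) were found
    throw new Error('No matching role-member group(s) found.');
  }

  // `role` is the binding object inside policy.bindings, so this edits the
  // policy in place; no write-back into the array is needed.
  role.members = role.members.filter(member => !members.includes(member));

  // Drop the binding entirely once it has no members left.
  if (role.members.length === 0) {
    policy.bindings.splice(index, 1);
  }

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Removed the following member(s) with role ${roleName} from ${bucketName}:`
  );
  members.forEach(member => {
    console.log(`  ${member}`);
  });
}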
// Run the sample; a rejected promise is reported rather than left unhandled.
removeBucketIamMember().catch(err => console.error(err));
PHP
For more information, see the Cloud Storage PHP API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
use Google\Cloud\Storage\StorageClient;
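/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * Only bindings without a condition are considered; a conditional binding
 * that grants the same role to the member is left untouched. The first
 * matching binding is updated, the policy is saved, and the function returns.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $role The role from which the specified member should be removed.
 *        (e.g. 'roles/storage.objectViewer')
 * @param string $member The member to be removed from the specified role.
 *        (e.g. 'group:example@google.com')
 *
 * @throws \RuntimeException If no unconditional binding for $role contains $member.
 */
function remove_bucket_iam_member(string $bucketName, string $role, string $member): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $iam = $bucket->iam();

    // Version 3 must be requested so conditional bindings are returned
    // rather than rejected; the same version is stamped on the policy we write.
    $policy = $iam->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    foreach ($policy['bindings'] as $i => $binding) {
        // This example only removes member from bindings without a condition.
        if ($binding['role'] !== $role || isset($binding['condition'])) {
            continue;
        }

        // Strict comparison: principals are exact strings, so PHP's loose
        // (numeric-string) equality must not decide which member is removed.
        $key = array_search($member, $binding['members'], true);
        if ($key === false) {
            continue;
        }

        unset($binding['members'][$key]);
        if (count($binding['members']) === 0) {
            // If the last member is removed from the binding, clean up the
            // binding.
            unset($policy['bindings'][$i]);
            // Ensure array keys are sequential, otherwise JSON encodes
            // the array as an object, which fails when calling the API.
            $policy['bindings'] = array_values($policy['bindings']);
        } else {
            // Ensure array keys are sequential, otherwise JSON encodes
            // the array as an object, which fails when calling the API.
            $binding['members'] = array_values($binding['members']);
            $policy['bindings'][$i] = $binding;
        }

        $iam->setPolicy($policy);
        printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
        return;
    }

    throw new \RuntimeException('No matching role-member group(s) found.');
}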
Python
For more information, see the Cloud Storage Python API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
from
google.cloud
import
storage
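def remove_bucket_iam_member(bucket_name: str, role: str, member: str) -> None:
    """Remove member from bucket IAM Policy.

    Only bindings for ``role`` that carry no condition are edited; a
    conditional binding granting the same role to ``member`` is left in
    place. The policy is written back even when ``member`` was not present.

    Args:
        bucket_name: Name of the bucket whose policy is edited.
        role: IAM role, e.g. ``roles/storage.objectViewer``.
        member: IAM principal, e.g. ``user:name@example.com``.
    """
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # member = "IAM identity, e.g. user: name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    # Version 3 must be requested so conditional bindings are returned
    # rather than rejected.
    policy = bucket.get_iam_policy(requested_policy_version=3)

    # The per-binding debug print that dumped every principal in the policy
    # to stdout is intentionally not part of this function.
    for binding in policy.bindings:
        if binding["role"] == role and binding.get("condition") is None:
            # ``members`` is a set: discard() is a no-op when absent.
            binding["members"].discard(member)

    bucket.set_iam_policy(policy)

    print(f"Removed {member} with role {role} from {bucket_name}.")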
Ruby
For more information, see the Cloud Storage Ruby API reference documentation .
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .
# Removes a hard-coded member from the unconditional binding of a hard-coded
# role on the bucket's IAM policy.
#
# Only bindings whose condition is nil are edited. The confirmation line is
# printed unconditionally, so it does not prove the member was present.
def remove_bucket_iam_member bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"
  # For more information please read: https://cloud.google.com/storage/docs/access-control/iam
  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket  = storage.bucket bucket_name

  role   = "roles/storage.objectViewer"
  member = "group:example@google.com"

  # Version 3 must be requested so conditional bindings are returned rather
  # than rejected. The block form of #policy is what persists the edit (per
  # the gem's API) once the block returns.
  bucket.policy requested_policy_version: 3 do |policy|
    policy.bindings.each do |binding|
      next unless binding.role == role && binding.condition.nil?
      binding.members.delete member
    end
  end

  puts "Removed #{member} with role #{role} from #{bucket_name}"
end
What's next
To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .