# Revoke grants in Privileged Access Manager

After a principal has successfully [requested a grant](/iam/docs/pam-request-temporary-elevated-access)
against an entitlement and the grant is active, principals with the
`privilegedaccessmanager.grants.revoke` permission can revoke it. Grants that
are not in the active state can't be revoked. Revoking a grant removes the
temporary role bindings it conferred; the revoking actor, the reason, and the
time the access was removed are recorded on the grant itself (see the `timeline`
and `auditTrail` fields in the sample response below), so always supply a
meaningful reason.

Before you begin
----------------

Make sure you have [enabled Privileged Access Manager and set up permissions for it](/iam/docs/pam-permissions-and-setup).

Revoke grants using the Google Cloud console
--------------------------------------------

To revoke a specific grant made against an entitlement, complete the following
instructions:

1. Go to the **Privileged Access Manager** page.

   [Go to Privileged Access Manager](https://console.cloud.google.com/iam-admin/pam/entitlements/)
2. Select the organization, folder, or project you want to revoke grants in.

3. Click the **Grants** tab, followed by the **Grants for all users** tab.
   This tab lists all grants across all requesters, their statuses, and
   their associated entitlement details.

4. In the table, click **More options** (the three-dot more_vert icon) in the
   same row as the grant you want to revoke.

5. To revoke an active grant, click **Revoke grant**.

To revoke all active grants made against an entitlement, complete the following
instructions:

1. Go to the **Privileged Access Manager** page.

   [Go to Privileged Access Manager](https://console.cloud.google.com/iam-admin/pam/entitlements/)
2. Click the **Entitlements** tab, followed by the
   **Entitlements for all users** tab. This tab lists the available
   entitlements, the roles they grant, and their valid requesters and
   approvers.

3. In the table, click **More options** (the three-dot more_vert icon) in the
   same row as the entitlement whose grants you want to revoke.

4. Click **Revoke all grants**.

Revoke grants programmatically
------------------------------

### gcloud

The `gcloud pam grants revoke` command revokes an active grant.

Before using any of the command data below,
make the following replacements:

- GRANT_ID: The ID of the grant you want to revoke. You can retrieve the ID by [viewing grants](/iam/docs/pam-view-grants).
- ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.
- REVOKE_REASON: The reason the grant is being revoked.
- RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the value `organization`, `folder`, or `project`. If you omit it, the command uses the project from your active gcloud configuration.
- RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like `my-project`. Folder and organization IDs are numeric, like `123456789012`.

Execute the following command:

#### Linux, macOS, or Cloud Shell

```bash
gcloud pam grants revoke \
  GRANT_ID \
  --entitlement=ENTITLEMENT_ID \
  --reason="REVOKE_REASON" \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID
```

#### Windows (PowerShell)

```powershell
gcloud pam grants revoke `
  GRANT_ID `
  --entitlement=ENTITLEMENT_ID `
  --reason="REVOKE_REASON" `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID
```

#### Windows (cmd.exe)

```bat
gcloud pam grants revoke ^
  GRANT_ID ^
  --entitlement=ENTITLEMENT_ID ^
  --reason="REVOKE_REASON" ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID
```

You should receive a response similar to the following:

```yaml
auditTrail:
  accessGrantTime: '2024-04-05T00:29:16.703069535Z'
  accessRemoveTime: '2024-04-05T00:29:55.815041079Z'
createTime: '2024-04-05T00:27:43.822053968Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/my-project
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
requestedDuration: 2700s
requester: cruz@example.com
state: REVOKED
timeline:
  events:
  - eventTime: '2024-04-05T00:27:44.014277946Z'
    requested:
      expireTime: '2024-04-06T00:27:44.014277946Z'
  - approved:
      actor: alex@example.com
      reason: Access allowed under existing policy
    eventTime: '2024-04-05T00:29:14.921828714Z'
  - eventTime: '2024-04-05T00:29:14.921763008Z'
    scheduled:
      scheduledActivationTime: '2024-04-05T00:29:14.921763008Z'
  - activated: {}
    eventTime: '2024-04-05T00:29:16.703069535Z'
  - eventTime: '2024-04-05T00:29:55.815041079Z'
    revoked:
      actor: alex@example.com
      reason: Revoking due to new access policy
```

The `state` field is now `REVOKED`, the final `timeline` event records who
revoked the grant and why, and `auditTrail.accessRemoveTime` is the moment the
temporary `roles/storage.admin` binding was taken away.

### REST

The Privileged Access Manager API's `revokeGrant` method revokes an active grant.

Before using any of the request data,
make the following replacements:

- SCOPE: The organization, folder, or project that the entitlement is in, in the format `organizations/ORGANIZATION_ID`, `folders/FOLDER_ID`, or `projects/PROJECT_ID`. Project IDs are alphanumeric strings, like `my-project`. Folder and organization IDs are numeric, like `123456789012`.
- ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.
- GRANT_ID: The ID of the grant you want to revoke. You can retrieve the ID by [viewing grants](/iam/docs/pam-view-grants).
- REVOKE_REASON: The reason the grant is being revoked.

HTTP method and URL:

```
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:revoke
```

Request JSON body:

```json
{
  "reason": "REVOKE_REASON"
}
```

To send your request, use one of the following options:

#### curl (Linux, macOS, or Cloud Shell)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login), or by using [Cloud Shell](/shell/docs), which automatically logs you into the `gcloud` CLI. You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Save the request body in a file named `request.json`,
and execute the following command:

```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:revoke"
```

#### PowerShell (Windows)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login). You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Save the request body in a file named `request.json`,
and execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:revoke" | Select-Object -Expand Content
```

You should receive a JSON response similar to the following:

```json
{
  "name": "projects/my-project/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1.OperationMetadata",
    "createTime": "2024-03-06T23:07:48.716396505Z",
    "target": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1"
  },
  "done": false
}
```

The response is a long-running operation, not the grant: `"done": false`
means the revocation has been accepted but not yet completed. Don't treat the
access as removed until the operation reports `done: true` (or until a `GET`
on the grant shows `state: REVOKED`).

To check on the progress of a revoke operation, send a `GET` request to the
following endpoint:

```
https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/operations/OPERATION_ID
```

Send a `GET` request to the following endpoint to list all operations:

```
https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/operations
```
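The REST flow above revokes one grant and leaves you with an operation to poll. The console's **Revoke all grants** has no single API call, so the following script, an added example that is not part of the Google Cloud documentation, does the equivalent over the API: it lists the grants on an entitlement, skips any that are not `ACTIVE` (the API rejects revoking those), calls `revokeGrant` with a reason, polls the operation until `done`, and then re-reads the grant to confirm `state: REVOKED` rather than trusting the operation alone. The `grants.list` and `grants.get` endpoints and the `ACTIVE`/`EXPIRED` state values are assumed from the Privileged Access Manager v1 API and are not on this page; `FakeTransport` and its two sample grants are constructed here so the script runs offline, while `gcloud_transport` uses your active `gcloud` credentials when run for real.

```python
"""Revoke every ACTIVE grant on a PAM entitlement and confirm each revocation.

Added example (not Google's code). Transport is injected so the logic can be
exercised offline against FakeTransport; gcloud_transport talks to the real API.
"""
import json
import subprocess
import time
import urllib.request

API = "https://privilegedaccessmanager.googleapis.com/v1"


def gcloud_transport(method, url, body=None):
    """Live transport: bearer token from the active gcloud account, JSON in/out."""
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json; charset=utf-8"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def revoke_active_grants(scope, entitlement_id, reason, transport,
                         poll_interval=2.0, max_polls=30):
    """Revoke all ACTIVE grants under SCOPE/locations/global/entitlements/ID.

    Returns the names of grants confirmed as REVOKED. Grants in any other
    state are skipped because revokeGrant only accepts active grants.
    """
    parent = f"{API}/{scope}/locations/global/entitlements/{entitlement_id}"
    grants, page_token = [], None
    while True:  # grants.list is paginated (assumed: nextPageToken)
        url = f"{parent}/grants" + (f"?pageToken={page_token}" if page_token else "")
        page = transport("GET", url)
        grants.extend(page.get("grants", []))
        page_token = page.get("nextPageToken")
        if not page_token:
            break

    revoked = []
    for grant in grants:
        if grant.get("state") != "ACTIVE":
            continue
        # revokeGrant returns a long-running operation, not the grant (see page).
        op = transport("POST", f"{API}/{grant['name']}:revoke", {"reason": reason})
        polls = 0
        while not op.get("done"):
            polls += 1
            if polls > max_polls:
                raise TimeoutError(f"revoke of {grant['name']} did not finish")
            time.sleep(poll_interval)
            op = transport("GET", f"{API}/{op['name']}")
        if "error" in op:
            raise RuntimeError(f"revoke of {grant['name']} failed: {op['error']}")
        # Verify the end state on the grant itself, not just the operation.
        final = transport("GET", f"{API}/{grant['name']}")
        if final.get("state") != "REVOKED":
            raise RuntimeError(f"{grant['name']} is {final.get('state')}, not REVOKED")
        revoked.append(grant["name"])
    return revoked


class FakeTransport:
    """Constructed stand-in for the API: one ACTIVE and one EXPIRED grant."""

    def __init__(self):
        ent = "projects/my-project/locations/global/entitlements/ent-1"
        self.grants = {f"{ent}/grants/{g}": {"name": f"{ent}/grants/{g}", "state": s}
                       for g, s in (("g-active", "ACTIVE"), ("g-expired", "EXPIRED"))}
        self.calls, self.pending_ops = [], {}

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        path = url[len(API) + 1:]
        if method == "GET" and path.endswith("/grants"):
            return {"grants": list(self.grants.values())}
        if method == "POST" and path.endswith(":revoke"):
            name = path[: -len(":revoke")]
            if self.grants[name]["state"] != "ACTIVE":
                raise RuntimeError("400: grant is not active")
            op = f"projects/my-project/locations/global/operations/op-{len(self.calls)}"
            self.pending_ops[op] = name
            return {"name": op, "done": False}  # first response: not done yet
        if method == "GET" and "/operations/" in path:
            name = self.pending_ops.pop(path)
            self.grants[name]["state"] = "REVOKED"
            return {"name": path, "done": True, "response": self.grants[name]}
        if method == "GET" and path in self.grants:
            return self.grants[path]
        raise RuntimeError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    import sys
    scope, ent, why = sys.argv[1:4]  # e.g. projects/my-project ENTITLEMENT_ID "reason"
    for name in revoke_active_grants(scope, ent, why, gcloud_transport):
        print("revoked", name)
```

Run it as `python revoke_all.py projects/my-project ENTITLEMENT_ID "Revoking due to new access policy"` with the same `privilegedaccessmanager.grants.revoke` permission the page requires. The deliberate choice is to fail loudly at two points: a grant that is not `ACTIVE` is never sent to `revokeGrant`, and a grant whose re-read state is anything other than `REVOKED` raises instead of being reported as revoked, so a caller can't mistake an accepted operation for removed access.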