Withdraw grants

Requesters can withdraw their grant requests that are pending approval, or end their active grants when their privileged task is complete or when the access is no longer required.

Withdraw your grants

Console

Go to the Privileged Access Managerpage.

Go to Privileged Access Manager
Select the organization, folder, or project that you want to withdraw grants from.
Click the Grantstab, followed by the My grantstab. This lists your grants with grant statuses and their associated entitlement details.
In the table, click More optionsfor the grant that you want to withdraw, and click Withdraw.
To confirm, click Withdrawagain.

gcloud

The gcloud alpha pam grants withdraw command withdraws a grant.

Before using any of the command data below, make the following replacements:

ENTITLEMENT_ID : The ID of the entitlement that the grant belongs to.
GRANT_ID : The ID of the grant you want to withdraw. You can retrieve the ID by viewing grants .
RESOURCE_TYPE : Optional. The resource type that the entitlement belongs to. Use the value organization , folder , or project .
RESOURCE_ID : Used with RESOURCE_TYPE . The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project . Folder and organization IDs are numeric, like 123456789012 .

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
alpha  
pam  
grants  
withdraw  
 \ 
  
 GRANT_ID 
  
 \ 
  
--entitlement = 
 ENTITLEMENT_ID 
  
 \ 
  
--location = 
global  
 \ 
  
-- RESOURCE_TYPE 
 = 
 RESOURCE_ID

Windows (PowerShell)

gcloud  
alpha  
pam  
grants  
withdraw  
 ` 
  
 GRANT_ID 
  
 ` 
  
--entitlement = 
 ENTITLEMENT_ID 
  
 ` 
  
--location = 
global  
 ` 
  
-- RESOURCE_TYPE 
 = 
 RESOURCE_ID

Windows (cmd.exe)

gcloud  
alpha  
pam  
grants  
withdraw  
^  
 GRANT_ID 
  
^  
--entitlement = 
 ENTITLEMENT_ID 
  
^  
--location = 
global  
^  
-- RESOURCE_TYPE 
 = 
 RESOURCE_ID

You should receive a response similar to the following:

Parsed [grant] resource: RESOURCE_TYPE 
/ RESOURCE_ID 
/locations/global/entitlements/ ENTITLEMENT_ID 
/grants/ GRANT_ID 
Grant withdrawal initiated. The operation will complete in some time.
To track its status, run:
`gcloud alpha pam operations wait RESOURCE_TYPE 
/ RESOURCE_ID 
/locations/global/operations/ OPERATION_ID 
`
Note that the wait command requires you to have the `privilegedaccessmanager.operations.get` permission on the resource.
metadata:
  apiVersion: v1
  createTime: '2024-08-20T10:10:10.101010101Z'
  target: RESOURCE_TYPE 
/ RESOURCE_ID 
/locations/global/entitlements/ ENTITLEMENT_ID 
/grants/ GRANT_ID 
name: RESOURCE_TYPE 
/ RESOURCE_ID 
/locations/global/operations/ OPERATION_ID

REST

The Privileged Access Manager API's withdrawGrant method withdraws a grant.

Before using any of the request data, make the following replacements:

SCOPE : The organization, folder, or project that the entitlement is in, in the format of organizations/ ORGANIZATION_ID , folders/ FOLDER_ID , or projects/ PROJECT_ID . Project IDs are alphanumeric strings, like my-project . Folder and organization IDs are numeric, like 123456789012 .
ENTITLEMENT_ID : The ID of the entitlement that the grant belongs to.
GRANT_ID : The ID of the grant you want to withdraw. You can retrieve the ID by viewing grants .

HTTP method and URL:

POST https://privilegedaccessmanager.googleapis.com/v1beta/ SCOPE 
/locations/global/entitlements/ ENTITLEMENT_ID 
/grants/ GRANT_ID 
:withdraw

Request JSON body:

{
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell , which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://privilegedaccessmanager.googleapis.com/v1beta/ SCOPE 
/locations/global/entitlements/ ENTITLEMENT_ID 
/grants/ GRANT_ID 
:withdraw"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/ SCOPE 
/locations/global/entitlements/ ENTITLEMENT_ID 
/grants/ GRANT_ID 
:withdraw" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": " SCOPE 
/locations/global/operations/ OPERATION_ID 
",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-06T23:07:48.716396505Z",
    "target": " SCOPE 
/locations/global/entitlements/ ENTITLEMENT_ID 
/grants/ GRANT_ID 
",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}

Withdraw grants Stay organized with collections Save and categorize content based on your preferences.

Withdraw your grants

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Withdraw grants