Tags: amazon-web-services, google-cloud-platform, cloud, google-iam

GCP equivalent of "deny" permissions in an AWS policy


Is there a way to deny permissions in a GCP custom role? For example, this is a policy in AWS that denies a set of actions on S3:

    {
      "Sid": "DenyS3",
      "Effect": "Deny",
      "Action": "s3:Get*",
      "Resource": "*"
    }

Is there a way to define a similar custom role in GCP?


Solution

  • In preview circa 2022, yes. But it isn't intended to be used the same way.

    You can deny a principal from ever using storage.googleapis.com/buckets.get, but currently this is not for specific resources, and these "deny policies" are attached at the project, folder or organisation level, again not to resources. These are not "IAM policies"/"Allow policies", which are the typical approach and are additive only.

    Check the subset of permissions that support deny too.

    https://cloud.google.com/iam/docs/deny-access

    {
      "displayName": "My deny policy.",
      "rules": [
        {
          "denyRule": {
            "deniedPrincipals": [
              "principal://goog/subject/lucian@example.com"
            ],
            "deniedPermissions": [
              "iam.googleapis.com/roles.create"
            ]
          }
        }
      ]
    }
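As an added example (not part of the answer above, and not Google's own tooling), the following Python builds a deny policy document in the same shape as the answer's JSON for the closest analogue of the question's "deny s3:Get*" statement: a rule denying Cloud Storage read permissions to one principal. It validates that permissions are in the deny-policy form the answer shows (`SERVICE.googleapis.com/RESOURCE.ACTION`, not the allow-policy form `storage.buckets.get` and not an AWS wildcard such as `s3:Get*`) and that principals use the `principal://` or `principalSet://` URI forms. The optional `exceptionPrincipals` and `denialCondition` fields are real deny-rule fields not mentioned in the answer; the e-mail addresses and the `objects.get` permission are constructed sample values, and each permission should be confirmed against the supported-permissions list the answer links.

```python
"""Build and validate a GCP IAM deny policy document (added example)."""
import json
import re

# Deny policies name permissions as SERVICE_FQDN/RESOURCE.ACTION, e.g.
# "storage.googleapis.com/buckets.get". This is not the allow-policy form
# ("storage.buckets.get") and AWS-style wildcards ("s3:Get*") do not apply.
DENY_PERMISSION_RE = re.compile(
    r"^[a-z][a-z0-9-]*(\.[a-z0-9-]+)*\.googleapis\.com/[A-Za-z0-9_]+\.[A-Za-z0-9_]+$"
)

# Principals in deny rules are URIs; the answer shows the user-account form
# "principal://goog/subject/EMAIL". Groups and similar use principalSet://.
PRINCIPAL_PREFIXES = ("principal://", "principalSet://")


def validate_permission(permission: str) -> str:
    """Return the permission unchanged, or raise ValueError with a hint."""
    if not DENY_PERMISSION_RE.match(permission):
        raise ValueError(
            f"{permission!r} is not in deny-policy form "
            "(expected SERVICE.googleapis.com/RESOURCE.ACTION)"
        )
    return permission


def validate_principal(principal: str) -> str:
    """Return the principal unchanged, or raise ValueError."""
    if not principal.startswith(PRINCIPAL_PREFIXES):
        raise ValueError(
            f"{principal!r} must start with principal:// or principalSet://"
        )
    return principal


def build_deny_policy(display_name, denied_principals, denied_permissions,
                      exception_principals=(), denial_condition=None):
    """Return a deny policy dict in the shape used by --policy-file."""
    deny_rule = {
        "deniedPrincipals": [validate_principal(p) for p in denied_principals],
        "deniedPermissions": [validate_permission(p) for p in denied_permissions],
    }
    if exception_principals:
        # Principals carved out of the denial (e.g. a break-glass admin).
        deny_rule["exceptionPrincipals"] = [
            validate_principal(p) for p in exception_principals
        ]
    if denial_condition:
        # CEL expression; the rule denies only when it evaluates to true.
        deny_rule["denialCondition"] = {"expression": denial_condition}
    return {"displayName": display_name, "rules": [{"denyRule": deny_rule}]}


def storage_read_deny_example():
    """Closest analogue of the question's AWS 'Deny s3:Get*' statement."""
    return build_deny_policy(
        display_name="Deny bucket reads for contractors",
        # constructed sample principal
        denied_principals=["principal://goog/subject/contractor@example.com"],
        denied_permissions=[
            "storage.googleapis.com/buckets.get",
            # assumption: check this entry against the supported-permissions list
            "storage.googleapis.com/objects.get",
        ],
        # constructed sample exception principal
        exception_principals=["principal://goog/subject/admin@example.com"],
    )


def to_json(policy) -> str:
    """Serialise the policy for writing to a policy file."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(to_json(storage_read_deny_example()))
```

Once the JSON is written to a file, it is attached at a project, folder or organisation (never at an individual bucket) with `gcloud iam policies create POLICY_ID --attachment-point=cloudresourcemanager.googleapis.com%2Fprojects%2FPROJECT_ID --kind=denypolicies --policy-file=policy.json`, where `POLICY_ID` and `PROJECT_ID` are placeholders. The validation step is deliberately strict because a mis-spelled permission or a principal without the URI prefix is rejected by the API anyway; catching it before the call makes the policy file reviewable in version control.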