Generate GCP IAM deny policies from enabled APIs with gcloud CLI and bash scripting. Fetches enabled services, creates deny policies, and manages output directories.
Generate GCP IAM deny policies from enabled APIs using gcloud CLI and bash scripting. This skill automates the process of fetching enabled services, creating deny policies, and managing output directories for GCP projects.
When the user requests to fetch enabled GCP APIs:
1. Use ONLY bash scripting and gcloud CLI (no other dependencies per constitution 001-fetch-enabled-apis)
2. Execute: `gcloud services list --enabled --format=json --timeout=300`
3. Set a maximum timeout of 5 minutes (300 seconds) for all gcloud CLI requests
4. Parse the output to extract service names
5. Save results to a plain text file in the local filesystem
6. Display the list of enabled services to the user
When creating deny policies from enabled APIs:
1. Read the enabled services from the previous step (results/ directory)
2. For each enabled API service:
   - Fetch relevant GCP documentation using the context7 MCP for latest policy formats
   - Generate a JSON deny policy file
   - Save to `deny-policies/policies/<service-name>.json`
3. Create corresponding gcloud commands to apply policies:
   - Generate shell scripts for each policy
   - Save to `deny-policies/commands/<service-name>.sh`
4. Use bash 4.0+, gcloud CLI, curl/wget for web fetching, and jq for JSON parsing
5. Ensure all timeout values are set to 300 seconds (5 minutes max)
**Deny Policy JSON Structure:**
```json
{
  "name": "policies/<encoded-attachment-point>/denypolicies/<policy-id>",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": ["principal://..."],
        "deniedPermissions": ["<service>.googleapis.com/<resource>.<action>"],
        "denialCondition": {
          "expression": "condition"
        }
      }
    }
  ]
}
```
When cleanup is requested:
1. Remove all files from these directories:
   - `deny-policies/commands/`
   - `deny-policies/policies/`
   - `results/`
2. Use bash 4.0+ with standard Unix utilities (rm, find, test)
3. Preserve directory structure (delete contents only, not directories themselves)
4. Confirm cleanup completion
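The policy-generation procedure and the cleanup procedure above, as one added example that is not the skill's own code. Each service read from `results/enabled-services.txt` is validated before it is used as a file name or interpolated into a script, so a malformed or hostile entry cannot become a `../` path component or shell text. The apply script uses the `gcloud iam policies create ... --kind=denypolicies` form from the gcloud reference, which the skill text does not spell out; the deny-policy `displayName` field, the `principalSet://goog/public:all` principal and the `storage.googleapis.com/buckets.delete` permission in the usage notes are real identifiers, while the `<resource>.<action>` placeholder written by `generate_all` is a constructed stand-in the operator must replace.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): turn enabled services into deny
# policy JSON files plus apply scripts, and empty the output directories.
set -eu

# Accept only "<label>.googleapis.com" names made of [a-z0-9.-], with no
# leading dot or hyphen: anything else is refused before it touches a path.
is_valid_service() {
  case $1 in
    ""|.*|-*|*[!a-z0-9.-]*) return 1 ;;
    *.googleapis.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Values interpolated into JSON must not contain a quote or a backslash.
is_json_safe() {
  case $1 in *[\"\\]*) return 1 ;; *) return 0 ;; esac
}

# write_deny_policy ROOT SERVICE PRINCIPAL PERMISSION...
# Writes ROOT/deny-policies/policies/<service>.json and prints its path.
write_deny_policy() {
  root=$1; service=$2; principal=$3; shift 3
  is_valid_service "$service" || { echo "refusing invalid service name: $service" >&2; return 1; }
  is_json_safe "$principal" || { echo "refusing unsafe principal" >&2; return 1; }
  out="$root/deny-policies/policies/$service.json"
  mkdir -p "$(dirname "$out")"
  perms=""
  for p in "$@"; do
    is_json_safe "$p" || { echo "refusing unsafe permission: $p" >&2; return 1; }
    perms="$perms${perms:+, }\"$p\""
  done
  cat > "$out" <<EOF
{
  "displayName": "Deny $service",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": ["$principal"],
        "deniedPermissions": [$perms]
      }
    }
  ]
}
EOF
  printf '%s\n' "$out"
}

# write_apply_script ROOT SERVICE PROJECT_ID
# Writes ROOT/deny-policies/commands/<service>.sh, which attaches the policy
# to the project with a 300 s cap, and prints its path.
write_apply_script() {
  root=$1; service=$2; project_id=$3
  is_valid_service "$service" || return 1
  case $project_id in ""|*[!a-z0-9-]*) echo "invalid project id" >&2; return 1 ;; esac
  out="$root/deny-policies/commands/$service.sh"
  policy_id="deny-${service%%.*}"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<EOF
#!/usr/bin/env bash
set -eu
timeout 300 gcloud iam policies create "$policy_id" \\
  --attachment-point="cloudresourcemanager.googleapis.com/projects/$project_id" \\
  --kind=denypolicies \\
  --policy-file="\$(dirname "\$0")/../policies/$service.json"
EOF
  chmod 0755 "$out"
  printf '%s\n' "$out"
}

# generate_all ROOT PROJECT_ID PRINCIPAL: one policy and one script per line of
# ROOT/results/enabled-services.txt; prints the number generated.
generate_all() {
  root=$1; project_id=$2; principal=$3; n=0
  while IFS= read -r service || [ -n "$service" ]; do
    [ -n "$service" ] || continue
    # Constructed placeholder permission; operators substitute real ones.
    write_deny_policy "$root" "$service" "$principal" "$service/<resource>.<action>" >/dev/null
    write_apply_script "$root" "$service" "$project_id" >/dev/null
    n=$((n + 1))
  done < "$root/results/enabled-services.txt"
  echo "$n"
}

# cleanup_outputs ROOT: delete contents of the three output directories only,
# leaving the directories themselves in place, and confirm each one.
cleanup_outputs() {
  root=$1
  for d in deny-policies/commands deny-policies/policies results; do
    if [ -d "$root/$d" ]; then
      find "$root/$d" -mindepth 1 -delete
      echo "cleaned $root/$d"
    fi
  done
}
```

Typical use is `generate_all . my-project-id principalSet://goog/public:all` after the fetch step, or `write_deny_policy . storage.googleapis.com principal://goog/subject/user@example.com storage.googleapis.com/buckets.delete` for a single, fully specified policy; `cleanup_outputs .` resets the tree without removing the directories.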
For latest GCP IAM and deny policy documentation:
**Directory Structure:**
```
project-root/
├── deny-policies/
│   ├── commands/          # Shell scripts to apply policies
│   │   └── <service>.sh
│   └── policies/          # JSON deny policy definitions
│       └── <service>.json
└── results/               # Input files (enabled APIs list)
    └── enabled-services.txt
```
**User Request:** "Fetch enabled APIs for my GCP project and generate deny policies"
**Your Response:**
1. Execute gcloud command to list enabled services (5 min timeout)
2. Parse and save results to `results/enabled-services.txt`
3. For each service, generate:
   - JSON deny policy in `deny-policies/policies/`
   - Shell command script in `deny-policies/commands/`
4. Report summary of generated policies
**User Request:** "Clean up all generated files"
**Your Response:**
1. Remove all files from `deny-policies/commands/`, `deny-policies/policies/`, `results/`
2. Confirm directories are empty
3. Preserve directory structure
Download SKILL.md from killerskills.ai/api/skills/gcp-project-deny-policies/raw