Identity and Access Management (IAM) API

Name: Identity and Access Management (IAM) API API
Brand: Identity and Access Management (IAM) API
Availability: InStock

✓ Official Vendor SpecIdentity AuthAuthorizationoauth25 EndpointsREST

For Agents

Manage Google Cloud IAM deny policies on organisations, folders, and projects to enforce hard boundaries that no allow rule can override.

Quickstart

Get started with Identity and Access Management (IAM) API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"create iam deny policy on a google cloud folder"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Identity and Access Management (IAM) API API.

Create deny policies attached to a Google Cloud organisation, folder, or project resource

List deny policies currently attached to a given Cloud resource

Read a specific deny policy to inspect denied permissions and exception principals

Update a deny policy to refine principals, denied permissions, or exception conditions

GET STARTED

Start building with Identity and Access Management (IAM) API API

Explore with Jentic

View OpenAPI Document

Use for: Create a deny policy that blocks deletion of production buckets, List deny policies attached to a Google Cloud project, Update a deny policy to add an exception principal, Get the current deny policy on folders/123456

Not supported: Does not manage allow bindings, service-account keys, or workload identity federation — use for IAM v2 deny-policy lifecycle on organisations, folders, and projects only.

The Identity and Access Management (IAM) API v2 manages deny policies that supplement Google Cloud's allow-based IAM bindings. A deny policy is attached to an organisation, folder, or project resource and lists permissions that must not be granted regardless of any allow rule. The v2 API provides CRUD over these deny policies and supports long-running operation tracking for asynchronous policy updates. It is the modern surface for fine-grained, exception-based access control on Google Cloud and is paired with the broader IAM v1 surface for service accounts, allow policies, and roles.

Use Cases

Patterns agents use Identity and Access Management (IAM) API API for, with concrete tasks.

★ Hard Guardrails on Production Resources

Platform security teams attach IAM deny policies to production folders to guarantee that no allow rule, however accidental, can grant destructive permissions like storage.buckets.delete or compute.instances.delete to the wrong principals. Deny policies are evaluated before allow policies, so a misconfigured project owner role can still be over-ridden by an organisation-level deny policy. Teams manage these policies as code and roll them out via the v2 API.

Attach a new deny policy to folders/prod-folder that denies storage.buckets.delete for all principals except group:platform-admins@example.com, and return the resulting policy name and etag.

Exception-Based Privileged Access

Engineering teams use deny policies with exception principals to express "nobody can do X except this one break-glass group." The deny rule denies impersonation or token creation across the organisation, with an exception list of approved emergency-access principals. This is more auditable than relying on absence of an allow binding because the intent is explicit in the policy document.

Update deny policy operations/p/policies/no-impersonation on organisations/12345 to add user:oncall-admin@example.com to the exceptionPrincipals for the iam.serviceAccounts.implicitDelegation permission.

Compliance Reporting on Deny Policies

GRC teams pull the list of all deny policies attached to a top-level folder or organisation each quarter to evidence that compensating controls remain in place. The list operation returns the policy name, etag, denied permissions, and principal lists for each policy attached to the parent resource.

List all deny policies attached to folders/audit-scope, then for each one read the full policy and emit a CSV with policy name, denied permissions, and principal counts.

AI Agent Policy Drift Detection

An AI agent compares declared deny policies in source control against the live policies on each Google Cloud resource via Jentic. Drift is reported back to the platform team with a suggested update payload. Jentic isolates the IAM admin credential so the agent never holds raw service-account JSON.

For each entry in declared-policies.yaml, call GET /v2/{+name} to fetch the live deny policy and produce a diff highlighting any added or removed principals or denied permissions.

Key Endpoints

5 endpoints — the identity and access management (iam) api v2 manages deny policies that supplement google cloud's allow-based iam bindings.

METHOD

PATH

DESCRIPTION

GET

/v2/{+parent}

List deny policies attached to a parent resource

POST

/v2/{+parent}

Create a deny policy on a parent resource

GET

/v2/{+name}

Get a specific deny policy by name

PUT

/v2/{+name}

Update a deny policy

DELETE

/v2/{+name}

Delete a deny policy

GET

/v2/{+parent}

List deny policies attached to a parent resource

POST

/v2/{+parent}

Create a deny policy on a parent resource

GET

/v2/{+name}

Get a specific deny policy by name

PUT

/v2/{+name}

Update a deny policy

DELETE

/v2/{+name}

Delete a deny policy

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

IAM admin OAuth credentials live encrypted in the Jentic vault. Each call to the IAM v2 API mints a short-lived token scoped to cloud-platform so raw service-account keys never enter the agent runtime.

Intent-based discovery

Agents search 'create iam deny policy' or 'list deny policies on a folder' and Jentic returns the matching v2 operation with its parameter and body schema, so the agent constructs the right URL-encoded parent without reading docs.

Time to first call

Direct integration: 1-2 days for OAuth, URL-encoded resource-name conventions, and long-running-operation polling. Through Jentic: under 1 hour for the same workflow.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

IAM Service Account Credentials API

Mints short-lived credentials for service accounts that the IAM API governs.

Use IAM Credentials when impersonating service accounts; use the IAM API when managing the deny policies that constrain that impersonation.

Complementary

Cloud Resource Manager API

Manages projects, folders, and organisations that IAM deny policies attach to.

Use Cloud Resource Manager to discover the organisation and folder hierarchy, then attach deny policies via the IAM API.

Alternative

Access Context Manager API

Defines context-based access policies (VPC SC perimeters, access levels) that complement IAM allow/deny.

Use Access Context Manager when you need network or context-based restrictions; use IAM deny policies when the constraint is on principal-permission pairs.

FAQs

Specific to using Identity and Access Management (IAM) API API through Jentic.

What authentication does the IAM API use?

Google OAuth 2.0 with the cloud-platform scope and an IAM principal that holds iam.denypolicies.* permissions on the parent resource. Through Jentic the credential is stored encrypted and exchanged for a short-lived access token at call time.

Can I attach an IAM deny policy to a project?

Yes. Call POST /v2/{+parent} where parent is policies/cloudresourcemanager.googleapis.com%2Fprojects%2F{projectNumber}/denypolicies and supply a deny policy body listing denied permissions, principals, and any exception principals.

What are the rate limits for the IAM API?

Google enforces per-project quotas on IAM admin operations (default in the low hundreds of QPS). Deny-policy writes are eventually consistent and are completed via long-running operations, so callers should poll the returned operation until done.

How do I create a deny policy through Jentic?

Search Jentic with 'create iam deny policy', load the POST /v2/{+parent} operation, and execute with the parent set to the policy attachment point and a request body listing deniedPermissions and principals. Jentic handles OAuth and returns the operation name.

How are deny policies different from allow bindings?

Allow bindings (managed in IAM v1 / setIamPolicy) grant permissions; deny policies (this v2 API) explicitly remove permissions even if an allow binding grants them. Deny rules win against allow rules, which makes them suitable for hard guardrails.