gcloud compute machine-images remove-iam-policy-binding

NAME

gcloud compute machine-images remove-iam-policy-binding - remove IAM policy binding from the IAM policy of a Compute Engine machine image

SYNOPSIS

gcloud compute machine-images remove-iam-policy-binding MACHINE_IMAGE --member=PRINCIPAL --role=ROLE [GCLOUD_WIDE_FLAG …]

DESCRIPTION

Remove an IAM policy binding from the IAM policy of a Compute Engine machine image. A policy binding consists of a member and a role.

EXAMPLES

To remove an IAM policy binding for the role of 'roles/compute.admin' for the user 'test-user@gmail.com' from image 'my-image'

gcloud compute machine-images remove-iam-policy-binding my-image --member='user:test-user@gmail.com' --role='roles/compute.admin'

See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.

POSITIONAL ARGUMENTS

Machine image resource - The machine image from which to remove the IAM policy binding. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

provide the argument machine_image on the command line with a fully specified name;
provide the argument --project on the command line;
set the property core/project.

This must be specified.

MACHINE_IMAGE

ID of the machine image or fully qualified identifier for the machine image. To set the machine_image attribute:

provide the argument machine_image on the command line.

REQUIRED FLAGS

--member=PRINCIPAL

The principal to remove the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Deleted principals have an additional deleted: prefix and a ?uid=UID suffix, where UID is a unique identifier for the principal. Example: deleted:user:test-user@gmail.com?uid=123456789012345678901.

Some resources also accept the following special values:

allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.

--role=ROLE

The role to remove the principal from.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE

This command uses the compute/v1 API. The full documentation for this API can be found at: https://cloud.google.com/compute/

NOTES

These variants are also available:

gcloud alpha compute machine-images remove-iam-policy-binding

gcloud beta compute machine-images remove-iam-policy-binding

gcloud preview compute machine-images remove-iam-policy-binding

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-05-27 UTC.