Unknown project in GCP Console

712 views
Skip to first unread message

Guanaco Devs

unread,
Sep 4, 2021, 1:11:06 PM9/4/21
to Google App Engine
Hi there.

I have noticed recently that I have in my GCP console 2 projects that I did not create and I guess came with the account. I have been using GCP for the last 4 years, was at the time of installing the gcloud-sdk, that I noticed those 2 projects.

Since I'm not the owner, how do I removed them from my GCP Console?

One of the projects name is "you-can-see-this-project" and the other "brave-watch-xxxxx".

When I try to delete it with the gcloud command I get

`ERROR: (gcloud.projects.delete) User [my-e...@gmail.com] does not have permission to access projects instance [you-can-see-this-project] (or it may not exist): The caller does not have permission`

If I try in the GCP Console I do not have valid permissions to remove them.

I really want to get rid of those projects.


Best Regards

Edgard

Tapir

unread,
Sep 5, 2021, 6:31:16 AM9/5/21
to Google App Engine
Totally same for me. 

Vitaly Bogomolov

unread,
Sep 6, 2021, 1:22:18 AM9/6/21
to Google App Engine
+1 

Two unknown projects in the list.



воскресенье, 5 сентября 2021 г. в 14:31:16 UTC+4, Tapir:
1.JPG
2.JPG

Jofre Riba Sánchez

unread,
Sep 6, 2021, 3:18:17 AM9/6/21
to Google App Engine
This is working as intended. This was previously reported on this same group and other similar ones [1]. This has also been reported on our issue tracker in [2], [3] (and a bunch more times).

In summary, somebody granted a permission to get the name of the project (resourcamanager.projects.get) without giving you any additional permission, which has the effect of being able to see the project, but not take any action on it.

There is a feature request to hide un-wanted projects on the console [4], and another one to display a warning when somebody shares a project with groups containing +100 people [5].

This usually happens when somebody shares a project with a group (I'm guessing by accident), and everybody on that group can see the project.

As a matter of fact, the second project on that list (you-can-see-this-project) is my own, where I granted resourcemanager.projects.get to this very same group (google-a...@googlegroups.com), to demonstrate those are the only steps needed for projects to appear on the list, to show there's nothing nefarious going on, and also in an attempt to grab a bunch of screenshots of the process to write a more detailed explanation for some of our public forums (that is still ongoing work). I tried to make it obvious on the project name that this was the intended behaviour of that project, but there's so much that can be said with 30 characters.

There is right now no option to remove yourself from projects where you do not have IAM access (the permission is at the project level, not at the account level, so you need permissions on the project to modify IAM bindings), but this should have no impact on your experience. Note that the feature request is only for the console. The OP is mentioning the SDK (gcloud projects list), and this would not be modified by hiding the list on the console. The SDK is only calling resporcemanaget.projects.list [6], and that would not be modified by the request in [4].

Vitaly Bogomolov

unread,
Sep 6, 2021, 3:27:50 AM9/6/21
to Google App Engine
Thanks for the explanation.

понедельник, 6 сентября 2021 г. в 11:18:17 UTC+4, Jofre Riba Sánchez:
Reply all
Reply to author
Forward
0 new messages