URGENT - SECURITY: Mystery project in Google Cloud Platform account which I cannot delete


Jonathan H

Jul 30, 2019, 10:55:02 AM
to Google Cloud Developers
I discovered a project in my Google Cloud Platform account which I cannot delete, or add permissions to.

It is in the "no organisation" section; I'm looking at the log, and I see lots of things like the following - I am REALLY concerned, but cannot contact Google as I have not paid for support.

I have spent the last 2 hours going through all the users, owners, permissions and dates etc - I have not noticed this project before, my account is really locked down.
The project has an OAuth screen which I cannot delete, but the support email is bri**we...@gmail.com which, again, is not a user anywhere in my organisation.

What's the quickest way to get support with this?


Set IAM policy on folder
21:31
Set IAM policy on folder
ad...@googl.ensysglobal.net failed to set the IAM policy.
18:32
Set IAM policy on folder
google_tamzidh***h...@googl.ensysglobal.net assigned role editor to ka****at...@gmail.com


Failed:Update project
1love4...@gmail.com failed to update temporal-tensor-212913
21/12/2018
20:20
Update project
jessfore...@gmail.com updated temporal-tensor-212913
19:54
21:00
Failed:Update project
1love4...@gmail.com failed to update temporal-tensor-212913
19:20
Failed:Update project
1love4...@gmail.com failed to update temporal-tensor-212913

Julie (cloud platform support)

Jul 30, 2019, 12:52:10 PM
to google-c...@googlegroups.com
If you are not authorized on the project, then assigning IAM roles and deleting the project is unlikely to work. I have created this private issue tracker to take a look at the project. I suggest creating a private issue tracker and providing the project id so we can take a look if you are experiencing a similar issue.

Jofre Riba Sanchez

Jul 30, 2019, 1:55:04 PM
to Google Cloud Developers
Can you see the IAM list?

If you can't add/remove permissions nor delete the project, but you can do other actions, it looks like you have editor/viewer access.

Check the list of editors and viewers for Google Groups (<something>@googlegroups.com), and check if you're a member of any of those groups.

I suspect you recently joined a group that is an editor/viewer of that project, and this is why it now appears in your list of projects.

On the other hand, it could be that a group that you've been a member of for a long time was just added as editor/viewer, and this is why it now appears in your list.

It could be that the project is in an organization where you don't have organization viewer permissions (resourcemanager.organizations.get), and this is why it is shown in the "no organization" list. It could also be that the project is not under any organization. You can check by running `gcloud projects describe <project-id>` and seeing if that project has a "parent id".


On Tuesday, July 30, 2019 at 4:55:02 PM UTC+2, Jonathan H wrote:
I discovered a project in my Google Cloud Platform account which I cannot delete, or add permissions to.

It is in the "no organisation" section; I'm looking at the log, and I see lots of things like the following - I am REALLY concerned, but cannot contact Google as I have not paid for support.

I have spent the last 2 hours going through all the users, owners, permissions and dates etc - I have not noticed this project before, my account is really locked down.
The project has an OAuth screen which I cannot delete, but the support email is ********@gmail.com which, again, is not a user anywhere in my organisation.
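
The check suggested in the reply above (find which binding, direct or through a group, makes the project visible, and whether the project has a parent), as an added example that is not part of any post in this thread. It assumes the JSON printed by `gcloud projects get-iam-policy <project-id> --format=json` and `gcloud projects describe <project-id> --format=json`; the sample data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of:
#   gcloud projects get-iam-policy <project-id> --format=json
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",  "members": ["user:owner@example.com"]},
  {"role": "roles/editor", "members": ["group:shared-access@googlegroups.com",
                                       "user:contractor@example.com"]},
  {"role": "roles/viewer", "members": ["group:auditors@example.com"]}
]}
""")
# Constructed sample in the shape of:
#   gcloud projects describe <project-id> --format=json
SAMPLE_PROJECT = {"projectId": "sample-project-000000", "lifecycleState": "ACTIVE"}

def access_paths(policy, me, my_groups):
    """Return (role, via) pairs explaining how `me` reaches the project."""
    me, groups = me.lower(), {g.lower() for g in my_groups}
    paths = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            ident = ident.lower()
            if kind == "user" and ident == me:
                paths.append((binding["role"], "direct"))
            elif kind == "group" and ident in groups:
                paths.append((binding["role"], "group:" + ident))
    return paths

def groups_to_check(policy):
    """Every group bound on the project; compare against your memberships."""
    return sorted({m.split(":", 1)[1].lower()
                   for b in policy.get("bindings", [])
                   for m in b.get("members", []) if m.startswith("group:")})

def parent_of(project):
    """'type/id' of the parent, or None when the project has no parent."""
    parent = project.get("parent")
    return f"{parent['type']}/{parent['id']}" if parent else None

if __name__ == "__main__":
    paths = access_paths(SAMPLE_POLICY, "me@example.com",
                         ["shared-access@googlegroups.com"])
    print("groups bound on project:", groups_to_check(SAMPLE_POLICY))
    print("my access paths:", paths or "none found")
    # No roles/owner path means IAM edits and deletion will be refused.
    print("can manage:", any(role == "roles/owner" for role, _ in paths))
    print("parent:", parent_of(SAMPLE_PROJECT) or "none (no organisation)")
```
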

Jonathan H

Jul 30, 2019, 5:02:19 PM
to Google Cloud Developers
Jofre, you are a star! I was a member of "acces...@googlegroups.com" - I just removed myself from that group, and it has GONE from both accounts!
THANK YOU!

But I have spent 4 hours, one LONG phone call and a lot of frustration and worry on this - how can this have happened? Crazy.

But now I have another problem - in all the panic, I think I set some permissions wrong: I now cannot create any new projects in my organisation, and it says "you cannot create any new projects in this location".

I have added myself to the organisation with the role of "owner", which is full/all permissions. But still I cannot add any new projects.

I can still see an organisation called "No organisation" as well, does that matter?

Jofre Riba Sanchez

Jul 31, 2019, 1:52:00 PM
to Google Cloud Developers
This is a little unintuitive, but neither Owner (roles/owner [1]) nor Organization Admin (roles/resourcemanager.organizationAdmin [2]) contains the permission resourcemanager.projects.create, which is the permission required to create new projects.

Since you're an organization admin, you should be able to give yourself the role of Project Creator at the organization level (roles/resourcemanager.projectCreator [3]), which does contain the permission resourcemanager.projects.create, and this should allow you to create projects again under that organization.


Viet Vu

Sep 24, 2019, 11:49:16 AM
to Google Cloud Developers
Hi there,
Just wondering if you have resolved your issue.


On Tuesday, July 30, 2019 at 9:55:02 PM UTC+7, Jonathan H wrote:
I discovered a project in my Google Cloud Platform account which I cannot delete, or add permissions to.

It is in the "no organisation" section; I'm looking at the log, and I see lots of things like the following - I am REALLY concerned, but cannot contact Google as I have not paid for support.

I have spent the last 2 hours going through all the users, owners, permissions and dates etc - I have not noticed this project before, my account is really locked down.
The project has an OAuth screen which I cannot delete, but the support email is bri**we...@gmail.com which, again, is not a user anywhere in my organisation.

What's the quickest way to get support with this?


Set IAM policy on folder
21:31
Set IAM policy on folder
ad...@googl.ensysglobal.net failed to set the IAM policy.
18:32
Set IAM policy on folder
google_tamzidh***h...@googl.ensysglobal.net assigned role editor to ka****at...@gmail.com