Reputation: 1
GCP projects appear to be associated with an organization even though Google's Cloud Console claims otherwise. This provides a full access backdoor to an external company.
How do we secure our project and verify that it is only our own users who can access it?
Our software platform has been developed by an external company who based it on Google Cloud Platform and Firebase and we have assumed control of the platform and we will be the ones to maintain it going forward.
Our software platform consists of three GCP projects and we have removed access for all users from the external company for security reasons, so that only our own users should be able to access our resources.
However, one of the developers from the external company mentioned that the three projects are associated with their organization in GCP and that he has full access to all of our projects even though he's not listed anywhere.
When I view our three GCP projects from within Google's Cloud Console, it says that they belong to "No organization".
I asked him to test it out, because it seemed dubious to me, but he now confirms that he has tested it and that he does in fact have full access to view our Firebase resources for instance - including production user data and so on.
How do I ensure that the only users who have access to our GCP projects are our own users? And if this organization backdoor does in fact exist, am I the only one who thinks that's a blatant security flaw? I mean we have an external company with full access to our resources and it doesn't seem to show up anywhere; in fact it claims the opposite to be true.
We need our GCP projects to be securely in our own control, how do we achieve that?
Upvotes: 0
Views: 3490
Reputation: 51
I ran into this issue when a project I had access to was listed under an Organization of which I did not have sufficient permissions to view. Critically, I was missing the resourcemanager.organizations.get permission on the organization.
Because of this, the GCP UI will not show the parent organization (and it won't be selectable from the Resource Selection Dropdown). However, if you run gcloud projects list --format json you should be able to see output similar to the one below, which shows that the project is actually a child of a parent organization.
{
  "createTime": "2021-03-10T21:42:15.100Z",
  "lifecycleState": "ACTIVE",
  "name": "Project Name",
  "parent": {
    "id": "XXXXXXXXXXXX",
    "type": "organization"
  },
  "projectId": "project-id",
  "projectNumber": "XXXXXXXXXX"
}
In your case, it is likely that you don't have resourcemanager.organizations.get permissions for the developers' external organization.
I would recommend migrating the project into your organization so that it is migrated away from the external developers' org, as a project can only exist in 1 organization at a time.
Upvotes: 0
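As an added audit script (not part of the answer above), the following parses the same gcloud projects list --format json output and classifies every visible project by its parent: trusted organization, untrusted organization, folder (whose organization must be resolved separately), or no parent at all. The sample output and the trusted organization id "999999999999" are constructed placeholders; replace them with a real gcloud call and your own organization id.

```python
import json
import subprocess
from typing import Iterable

# Constructed sample in the shape of `gcloud projects list --format json`.
# Only prod-app sits directly under an organization (id 111111111111).
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    {"createTime": "2021-03-10T21:42:15.100Z", "lifecycleState": "ACTIVE",
     "name": "Prod App", "projectId": "prod-app", "projectNumber": "123456789012",
     "parent": {"id": "111111111111", "type": "organization"}},
    {"createTime": "2021-03-11T09:00:00.000Z", "lifecycleState": "ACTIVE",
     "name": "Standalone", "projectId": "standalone-proj", "projectNumber": "234567890123"},
    {"createTime": "2021-03-12T09:00:00.000Z", "lifecycleState": "ACTIVE",
     "name": "Nested", "projectId": "nested-proj", "projectNumber": "345678901234",
     "parent": {"id": "555555555555", "type": "folder"}},
])


def gcloud_projects_json() -> str:
    """Run gcloud (must be installed and authenticated) and return its JSON output."""
    proc = subprocess.run(["gcloud", "projects", "list", "--format", "json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def classify_parents(raw_json: str, trusted_org_ids: Iterable[str]) -> dict:
    """Map each projectId to one of: trusted-org, untrusted-org, folder-parent, no-parent.

    Untrusted-org means an organization you do not control is the project's parent,
    which is exactly the situation the answer describes: that organization's admins
    can grant themselves access without appearing in the project's own IAM policy.
    """
    trusted = set(trusted_org_ids)
    result = {}
    for project in json.loads(raw_json):
        parent = project.get("parent")
        if parent is None:
            status = "no-parent"
        elif parent.get("type") == "organization":
            status = "trusted-org" if parent.get("id") in trusted else "untrusted-org"
        else:
            # A folder hides its organization; check it with `gcloud resource-manager folders describe`.
            status = "folder-parent"
        result[project["projectId"]] = status
    return result


if __name__ == "__main__":
    TRUSTED_ORG_IDS = ["999999999999"]  # assumed placeholder: your own organization id
    for project_id, status in classify_parents(SAMPLE_GCLOUD_OUTPUT, TRUSTED_ORG_IDS).items():
        print(f"{project_id}: {status}")
```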