List projects for all of our users in GCP - google-cloud-platform

Almost all of our GCP projects are listed under our main organization. The problem: We keep finding users who have projects that are not under our organization. (I have to assume they created them before linking their work emails with our organization? I can't find how to make a project that isn't part of an org, using my work email.)
Is there any way to show all projects a given user has, regardless of the project's organization membership status?
I tried searching for the answer, but I couldn't find anything definitive in either direction.

Related

Are Google Cloud project ids globally public? How public are project names?

Background (a different but similar issue)
One challenge when using Google Cloud Storage is that all bucket names share a common namespace - not just across your organization but across all of Google Cloud. So somebody can scan the list of bucket names currently in use in Google Cloud, and see whatever information you wrote in your bucket name itself. I'm not sure if the bucket name could be connected back to an organization or project, but it's at least a moderate security risk. (See here for more discussion: What is "Globally" Unique for GCS Bucket Names?)
Question
My question is whether and to what extent this is also true of Google Cloud project IDs and project names. Do project IDs also share a public namespace across all of Google Cloud? Can anybody see what project IDs are currently in use across all of Google Cloud?
On this page Google says:
Don't include sensitive information in your project name, project ID, or other resource names. The project ID is used in the name of many other Google Cloud resources, and any reference to the project or related resources exposes the project ID and resource name.
However it doesn't explicitly say that project IDs share a namespace with other Google Cloud users. I could interpret this warning to mean something more basic, like "Whenever you include a Google Cloud URN in an email or code, it will include the project ID, so the project ID isn't really secret." This would be a risk, but not as big a risk as if the project IDs share a global namespace, because somebody would still need to be shown the URN to see the project ID (they couldn't just scan a list of all project IDs).
I have similar questions about Project Names. It seems like Project Names might be more secret because they are not used in links (they are more like human-readable aliases to the Project IDs), yet Google still warns against putting private data in them. I'm wondering why that is.
Project Names are unique to your project and mean nothing outside your project. They are not secrets and disclosing a Project Name means nothing unless you put sensitive information into a Project Name. Project Names can be duplicated among different cloud accounts.
Project IDs are globally unique. Project IDs are sensitive information, but are not secrets. Disclosing a Project ID does not put your account at risk. Provided that the Project ID is globally unique and meets naming requirements, you can use descriptive Project IDs.
Project IDs are a human-readable form of the Project Number (alias for). Project Numbers are numbers and are selected by Google. You cannot select a project number. Project Numbers are usually interchangeable with Project IDs. Project Numbers are often used in error messages and Cloud Logging.
Summary:
Project Names are for your internal use.
Project IDs are the human-readable form for the Project Number.
Project Numbers are what Google Cloud uses internally.

Can not find console app project in Google cloud platform

I'm a newbie in GCP. Actually, I have 2 projects on this list, but just one is visible. How can I find the second?
I am sure to choose the right organization. And the second project is not deleted because my web has been running without any error.
Thank you all.
This is my project list in GCP
Try selecting "No organization" in the dropdown alongside "Select from".
It's confusing but, you can have projects that aren't associated with an organization. It's probable that your other project is thus.
If the project is not listed under "No organization", then another probability is that you used a different Google account (possibly also associated with another organization) to create it.
Note: Because projects are always associated with IAM policies that determine which accounts can access them, it's possible for different projects to be listed under "No organization" for different (Google) accounts.

How to list the GCP project which are not part of any folders

I am trying to write code that will first look for the projects in my organization that are not under any folder and then run the describe option to filter out the creation date.
What you're looking for is this:
https://cloud.google.com/resource-manager/reference/rest/v3/projects/list
By searching through GCloud docs on how to create folders, I was able to find the gcloud tab (which corresponds to the python tool in the Cloud Shell) and found the resource-manager option, from there I went over to the documentation for the REST API and from there I looked under projects to find a way to list them. By default the REST API only calls direct descendants, so the folders are ignored[^1].
I would recommend taking a look at the guide for making questions on StackOverflow, as it might make it easier for you to get an answer to your question sooner.
[^1] So, if you call it via the organization, you'll get a list of only the projects that are directly under the organization and all folders inside are ignored. You can do the same for folders, by calling it via a folder you'll only get the projects in that folder that are not inside any other folder.
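As an added example (not part of the original answer): the Python below takes pages shaped like Resource Manager v3 project listings and keeps only the projects whose parent is the organization itself, oldest first. It goes one step beyond the question by also bucketing folder-level and parentless projects. The sample pages, IDs and function names are constructed, and it assumes a project outside any organization carries no `parent` field.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: two pages shaped like Resource Manager v3 project
# listings ({"projects": [...], "nextPageToken": ...}). All IDs are made up.
SAMPLE_PAGES = [
    {"projects": [
        {"projectId": "web-prod", "parent": "organizations/111",
         "state": "ACTIVE", "createTime": "2019-03-14T09:26:53.589Z"},
        {"projectId": "data-lab", "parent": "folders/222",
         "state": "ACTIVE", "createTime": "2021-07-01T12:00:00Z"},
    ], "nextPageToken": "constructed-token"},
    {"projects": [
        {"projectId": "old-maps-key",
         "state": "ACTIVE", "createTime": "2015-11-30T08:15:00Z"},
        {"projectId": "scratch", "parent": "organizations/111",
         "state": "DELETE_REQUESTED", "createTime": "2022-01-05T10:00:00Z"},
        {"projectId": "billing-export", "parent": "organizations/111",
         "state": "ACTIVE", "createTime": "2017-05-02T16:45:10Z"},
    ]},
]

def parse_time(value):
    """Parse an RFC 3339 createTime string into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def bucket_projects(pages, active_only=True):
    """Group projects by parent kind: 'organizations', 'folders' or 'none'."""
    buckets = defaultdict(list)
    for page in pages:
        for project in page.get("projects", []):
            if active_only and project.get("state") != "ACTIVE":
                continue
            # Assumption: a project outside any organization has no 'parent'.
            parent = project.get("parent", "")
            kind = parent.split("/", 1)[0] if parent else "none"
            buckets[kind].append(project)
    return buckets

def direct_org_children(pages, org):
    """Projects whose parent is the organization itself, oldest first."""
    hits = [p for p in bucket_projects(pages)["organizations"] if p["parent"] == org]
    return sorted(((p["projectId"], parse_time(p["createTime"])) for p in hits),
                  key=lambda item: item[1])

if __name__ == "__main__":
    print(direct_org_children(SAMPLE_PAGES, "organizations/111"))
    print("no organization:", [p["projectId"] for p in bucket_projects(SAMPLE_PAGES)["none"]])
```

The `none` bucket is the one to review when inventorying projects that sit outside the organization's policies.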

Google Cloud Platform: project appears in billing reports but doesn't show in the list of projects

Our organization uses Google Cloud APIs for integrating Maps and other services in a number of websites.
We have often used the same API key, without creating a distinct Google Cloud project (and credentials) for each website/project.
We are trying to better organize our API usage, but we are facing an issue.
While we can consult the reports of our Billing account and see the quota for the unique API project used for every implementation, we cannot see and manage this project (it does not appear in the list) even though it seems to belong to the same organization. (EDIT: I am not sure that the organization id is the same, but the name of the organization appears as a prefix to the project name in the billing reports)
This project has been created years ago (and the person that created it appears not to have access to it either), but we need to access it to get a clear understanding of where and how APIs are used.
The connected APIs are still in use and working, so we assume the project exists.
Can someone point out the possible reasons why a project is not shown even though it belongs to an organization for which we have access as administrators?
Thank you in advance
In order to see a project in lists, you need the resourcemanager.projects.list IAM permission on the project, and to get its metadata, the resourcemanager.projects.get permission.
How did you find that it has the same organizationId? If you managed to get the metadata via gcloud projects describe, you are likely missing the list permission.
In any case, if the project is indeed part of the organization, an org admin should be able to use gcloud projects add-iam-policy-binding to add a new owner/editor.
There is a special case with Apps Scripts: Those create a hidden project.
If all fails, reach out to GCP Support. Keep in mind though that they will not be able to help you if the project is not within your organization (e.g. created with an unrelated gmail.com account or similar).

Stackdriver Logging not recognizing Google Apps Script project from Team Drive

I was using Google Apps Script for standard document-bound functions in a personal Google Drive. For debugging and general info-printing out, I was using console.log() calls and looking at the Stackdriver Logging output for that particular project.
I recently copied many of the documents and their associated code projects into a new Team Drive. The new files are completely new (not shared into the Team Drive) and they have a different creator than the originals.
Now when attempting to view the log outputs, Stackdriver Logging gives me this error message:
Failed to load
Tracking Number: XXXXXXXXXXXXXXXXXXX
What's more, the "Select a project" dropdown at the top of the page does not list any of the projects.
I've tried creating a brand new script project in the Team Drive, but that does not appear either. The Stackdriver page is logged into the correct account.
I'm aware of other solutions, such as Logger.log(), but would rather not resort to them unless I can't get Stackdriver to work again.
Edit: I found this question, which includes this sentence:
I have reset the script's Cloud project to be a "real" project (as opposed to the default hidden one).
This sounds important but I have no idea what it means and have been unable to find anything relating to making projects unhidden. Is this my problem?
I have found the solution, though I don't fully understand it.
Google Apps Script projects are associated with a hidden Google Cloud Platform project behind the scenes, which allow them to print to Stackdriver Logging, among other things. Trying to run them out of a Team Drive makes this not work for reasons that are a mystery to me.
Here is the fix:
Manually create a new Google Cloud Platform project.
Associate your scripts with the new project. In the Script Editor, go to Resources > Cloud Platform project. In the dialogue, enter the project number of the project you just created, and then hit Set Project. To find the project number (distinct from the "Project ID"), click on View API Console, and then make sure you have your new project selected at the top of the page.
This needs to be done for each GAS project. Whereas in Drive, separate projects often can't be combined into one since each is bound to a single document, all of your GAS projects can be associated with a single Google Cloud Platform project.