Background (a different but similar issue)
One challenge when using Google Cloud Storage is that all bucket names share a common namespace - not just across your organization but across all of Google Cloud. So somebody can scan the list of bucket names currently in use in Google Cloud, and see whatever information you wrote in your bucket name itself. I'm not sure if the bucket name could be connected back to an organization or project, but it's at least a moderate security risk. (See here for more discussion: What is "Globally" Unique for GCS Bucket Names?)
Question
My question is whether and to what extent this is also true of Google Cloud project IDs and project names. Do project IDs also share a public namespace across all of Google Cloud? Can anybody see what project IDs are currently in use across all of Google Cloud?
On this page Google says:
Don't include sensitive information in your project name, project ID, or other resource names. The project ID is used in the name of many other Google Cloud resources, and any reference to the project or related resources exposes the project ID and resource name.
However it doesn't explicitly say that project IDs share a namespace with other Google Cloud users. I could interpret this warning to mean something more basic, like "Whenever you include a Google Cloud URN in an email or code, it will include the project ID, so the project ID isn't really secret." This would be a risk, but not as big a risk as if the project IDs share a global namespace, because somebody would still need to be shown the URN to see the project ID (they couldn't just scan a list of all project IDs).
I have similar questions about Project Names. It seems like Project Names might be more secret because they are not used in links (they are more like human-readable aliases to the Project IDs), yet Google still warns against putting private data in them. I'm wondering why that is.
Project Names are unique to your project and mean nothing outside your project. They are not secrets and disclosing a Project Name means nothing unless you put sensitive information into a Project Name. Project Names can be duplicated among different cloud accounts.
Project IDs are globally unique. Project IDs are sensitive information, but are not secrets. Disclosing a Project ID does not put your account at risk. Provided that the Project ID is globally unique and meets naming requirements, you can use descriptive Project IDs.
Project IDs are a human-readable form of the Project Number (alias for). Project Numbers are numbers and are selected by Google. You cannot select a project number. Project Numbers are usually interchangeable with Project IDs. Project Numbers are often used in error messages and Cloud Logging.
Summary:
Project Names are for your internal use.
Project IDs are the human-readable form for the Project Number.
Project Numbers are what Google Cloud uses internally.
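The advice above (project IDs are globally unique, are exposed wherever a resource is referenced, and so should not carry sensitive information) can be enforced before a project is created. The following is an added example, not code from the original posts or from Google: the function name, the sensitive-term list and the sample IDs are constructed, and the format rules and restricted strings are the ones Google documents for project IDs.

```python
import re

# Documented project ID format: 6-30 characters, lowercase letters, digits
# and hyphens only, must start with a letter, must not end with a hyphen.
PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")

# Examples of restricted strings named in Google's documentation
# (the documented list is introduced with "such as", so it is not exhaustive).
RESTRICTED = ("google", "null", "undefined", "ssl")


def lint_project_id(project_id, sensitive_terms):
    """Return a list of findings for a proposed project ID (empty list = OK)."""
    findings = []
    if not PROJECT_ID_RE.fullmatch(project_id):
        findings.append("format: violates project ID naming requirements")
    for word in RESTRICTED:
        if word in project_id:
            findings.append(f"restricted string: {word}")
    # Strip hyphens so a term such as "Acme Corp" is still caught when the
    # ID spells it "acme-corp" or "acmecorp".
    squashed = project_id.replace("-", "")
    for term in sensitive_terms:
        needle = re.sub(r"[^a-z0-9]", "", term.lower())
        if needle and needle in squashed:
            findings.append(f"sensitive term: {term}")
    return findings


def lint_many(project_ids, sensitive_terms):
    """Lint a batch of IDs; return only the ones that have findings."""
    results = {pid: lint_project_id(pid, sensitive_terms) for pid in project_ids}
    return {pid: found for pid, found in results.items() if found}


if __name__ == "__main__":
    # Constructed sample data: terms the organization does not want exposed.
    terms = ["Acme Corp", "payroll", "merger"]
    candidates = ["acme-corp-payroll-prod", "svc-7f3k2q", "Bad_ID", "proj-"]
    for pid, found in lint_many(candidates, terms).items():
        print(pid, "->", found)
```
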
Related
I'm a newbie in GCP. Actually, I have 2 projects on this list, but just one is visible. How can I find the second?
I am sure I chose the right organization. And the second project is not deleted because my web has been running without any error.
Thank you all.
This is my project list in GCP
Try selecting "No organization" in the dropdown alongside "Select from".
It's confusing, but you can have projects that aren't associated with an organization. It's probable that your other project is thus.
If the project is not listed under "No organization", then another probability is that you used a different Google account (possibly also associated with another organization) to create it.
Note: Because projects are always associated with IAM policies that determine which accounts can access them, it's possible for different projects to be listed under "No organization" for different (Google) accounts.
I've been recently added to a new GCP project which has literally tons and tons of pods, workloads and bases.
I want to visualize all of it in a schema or model.
Is there any tool or plugin that I can use to model the project?
Probably the best mechanism would be to use Cloud Console and view the project's resources through the various pages built in to the console.
Google provides very many APIs (services) and these may contain multiple resource (types) and, as you've seen, there can be many instances of the resources.
I think anything that enumerates all of a project's resources could be somewhat overwhelming, whereas Console provides structure.
Choose your project at or append a query string project=... to:
https://console.cloud.google.com
Our organization uses Google Cloud APIs for integrating Maps and other services in a number of websites.
We have often used the same API key, without creating a distinct Google Cloud project (and credentials) for each website/project.
We are trying to better organize our API usage, but we are facing an issue.
While we can consult the reports of our Billing account and see the quota for the unique API project used for every implementation, we cannot see and manage this project (it does not appear in the list) even though it seems to belong to the same organization. (EDIT: I am not sure that the organization id is the same, but the name of the organization appears as a prefix to the project name in the billing reports)
This project has been created years ago (and the person that created it appears not to have access to it either), but we need to access it to get a clear understanding of where and how APIs are used.
The connected APIs are still in use and working, so we assume the project exists.
Can someone point out the possible reasons why a project is not shown even though it belongs to an organization for which we have access as administrators?
Thank you in advance
In order to see a project in lists, you need the resourcemanager.projects.list IAM permission on the project and, to get its metadata, the resourcemanager.projects.get permission.
How did you find that it has the same organizationId? If you managed to get the metadata via gcloud projects describe, you are likely missing the list permission.
In any case, if the project is indeed part of the organization, an org admin should be able to use gcloud projects add-iam-policy-binding to add a new owner/editor.
There is a special case with Apps Scripts: Those create a hidden project.
If all fails, reach out to GCP Support. Keep in mind though that they will not be able to help you if the project is not within your organization (e.g. created with an unrelated gmail.com account or similar).
To interact with Google Cloud resources, you must provide the identifying project information for every request. A project can be identified in the following ways:
Project name: the customized name you chose when you created the project, or when you activated an API that required you to create a project ID. Note that you can't reuse the project name of a deleted project.
Project ID: a unique identifier for your project, composed of the project name and a randomly assigned number.
Project number: a number that's automatically generated by the server and assigned to your project.
https://cloud.google.com/resource-manager/docs/creating-managing-projects
As far as I know, the project name can be changed whenever I want, and I have tested that I can even use an existing project's name as a new project name.
There is a slight error in the documentation:
The behavior is:
1. You can reuse the project name of an existing project, many times over.
2. You can reuse the project name of a deleted project.
3. You can reuse the project name of a deleted and purged project.
It is the reuse of Project IDs that is not an available option.
To clarify as I have previously written, even after the purge from the system, (30 days) you will still be unable to reuse the project id - it is permanently recorded in Google’s system.
Maybe I can help a little, I would like to let you know that there may be a better way to deal with this issue. It would probably be best if you create a variable in your system (called something like: MY_CURRENT_PROJECT_ID) which is used anywhere that the project id is needed. This would mean that if the project id changed you would only have to change it in one place.
I hope this helps.
I was using Google Apps Script for standard document-bound functions in a personal Google Drive. For debugging and general info-printing out, I was using console.log() calls and looking at the Stackdriver Logging output for that particular project.
I recently copied many of the documents and their associated code projects into a new Team Drive. The new files are completely new (not shared into the Team Drive) and they have a different creator than the originals.
Now when attempting to view the log outputs, Stackdriver Logging gives me this error message:
Failed to load
Tracking Number: XXXXXXXXXXXXXXXXXXX
What's more, the "Select a project" dropdown at the top of the page does not list any of the projects.
I've tried creating a brand new script project in the Team Drive, but that does not appear either. The Stackdriver page is logged into the correct account.
I'm aware of other solutions, such as Logger.log(), but would rather not resort to them unless I can't get Stackdriver to work again.
Edit: I found this question, which includes this sentence:
I have reset the script's Cloud project to be a "real" project (as opposed to the default hidden one).
This sounds important but I have no idea what it means and have been unable to find anything relating to making projects unhidden. Is this my problem?
I have found the solution, though I don't fully understand it.
Google Apps Script projects are associated with a hidden Google Cloud Platform project behind the scenes, which allows them to print to Stackdriver Logging, among other things. Trying to run them out of a Team Drive makes this not work for reasons that are a mystery to me.
Here is the fix:
Manually create a new Google Cloud Platform project.
Associate your scripts with the new project. In the Script Editor, go to Resources > Cloud Platform project. In the dialogue, enter the project number of the project you just created, and then hit Set Project. To find the project number (distinct from the "Project ID"), click on View API Console, and then make sure you have your new project selected at the top of the page.
This needs to be done for each GAS project. Whereas in Drive, separate projects often can't be combined into one since each is bound to a single document, all of your GAS projects can be associated with a single Google Cloud Platform project.