8

When I access Google Cloud, I see some projects that I haven't created. It seems I can't delete them either; I lack permissions to manage them. I am not using anything from Google Cloud at the moment and want to get rid of all of them. Also, one of these projects is listed on Firebase as well, where I also don't have permission to delete it.

I haven't seen any evidence that my Google account has been compromised, Gmail activity seems to be fine, haven't seen any suspicious access in Gmail, and I have 2FA activated. The security checkup page in myaccount.google.com shows all green as well... So I'm really confused on how someone could access my Google Cloud account and create projects that I don't have admin access in.

So the question is, how can I delete these projects from my Google Cloud and Firebase accounts?

TL;DR: these projects probably weren't created by my user, even though they show on Google Cloud and Firebase console, so most likely my Google account wasn't compromised. It seems it's possible to include users in projects without them having any say in it, and then these projects show in the console and there's no easy way to have them removed. Apparently they showed up because of my account's Google Groups subscriptions. I removed myself from all groups and the projects disappeared. I wasn't the only one with problems removing myself from projects, as we can see on this issue and this issue, opened in Google's issue tracker.

Additional information: I just got an answer from Firebase support (I had opened an issue with them regarding this problem). They explained that project owners are allowed to add Google Groups to their projects, and anyone who is in that group will have that project show up on console. The easiest way to get rid of that project is to leave the group.

liewl
  • 1
    I encountered a similar issue a little over a year ago. It turns out there's a bug somewhere in Google's systems: if you are a member of any Google Groups, other members' projects show up in your project listings. Since you don't actually get any access permissions to those projects, Google did not consider it a security issue when I reported it and decided no action was necessary. You can check which groups you're subscribed to here: https://groups.google.com/my-groups – MTCoster Jun 10 '21 at 13:15
  • 1
    @MTCoster That's very interesting! I did see something related to these groups while inspecting the projects. I guess that's where they got my e-mail. I've removed myself from some of these groups and it seems the projects disappeared! Please make it an answer so I can accept it. – liewl Jun 10 '21 at 14:37
  • 1
    Your update and @MTCoster answer regarding Google Groups is very good information. – John Hanley Jun 11 '21 at 00:29

2 Answers

5

NOTE: This answer is anecdotal, but still probably relevant.

I encountered a similar issue a little over a year ago. It turns out there's a bug somewhere in Google's systems: if you are a member of any Google Groups, other members' projects show up in your project listings. Since you don't actually get any access permissions to those projects, Google did not consider it a security issue when I reported it and decided no action was necessary.

You can check which groups you're subscribed to here: https://groups.google.com/my-groups; and leaving them should automatically remove the projects from your project listings.


Originally posted as a comment.

MTCoster
  • 1
    I found an odd project "adept-cosine-547". As far as I know, cosine is a button on my HP 32S. So following the link you gave, I saw that in 2005 or so, I had subscribed to a number of usenet news groups - alt.test, sybase, oracle, etc. Removed those and now to remove the project. I love garbage removal, so thanks for this! – Jim Mar 10 '22 at 18:49
3

> When I access Google Cloud, I see some projects that I haven't created.

Seeing projects does not mean your account created them. Someone may have given you access to those projects. Find out what rights you have to those projects with this command:

```bash
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT ID> \
  --flatten="bindings[].members" \
  --format='table(bindings.role)' \
  --filter="bindings.members:<YOUR EMAIL ADDRESS>"
```

To find out who has what roles in each project (look for the owner role):

```bash
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT ID>
```

One key item is whether these projects are part of an organization. If so, what roles do you have at the organization level? With the correct roles, you can grant any rights you want to each project.

The next step is to find out if your billing account is assigned to any of these projects:

```bash
gcloud beta billing accounts list
```

Make note of the ACCOUNT_ID for the next command:

```bash
gcloud alpha billing projects list ACCOUNT_ID
```

If your billing account is being used fraudulently, remove the payment instrument (credit/debit card) from the billing account, remove their access to your billing account and then contact Google Cloud Billing Support.

John Hanley
  • I'm sorry but I'm not sure where I should run these commands. Do I need to install the Google Cloud SDK to run them? – liewl Jun 10 '21 at 03:13
  • Also I can see through Google Cloud web interface that I lack a lot of rights to view these projects, many pages and buttons are disabled for me because I have no permission. I don't want to have anything to do with these projects, if it wasn't created by my user, how can I leave them and not have them show up for me anymore? – liewl Jun 10 '21 at 03:20
  • 1
    Yes, you need to install the SDK. https://cloud.google.com/sdk/docs/install and then set up authorization `gcloud auth login`. I recommend going to your billing account first and review what accounts you are paying for. https://console.cloud.google.com/billing Also check your payments account: https://payments.google.com/ – John Hanley Jun 10 '21 at 03:21
  • Read the first part of my answer. You might not have any problem at all. I don't know until you do your investigation using the commands in my answer. If someone has granted you access to THEIR project, you will need to ask them to remove you. If they fraudulently created projects under your Billing Account, then you will need the details from my answer to provide Google Cloud Billing Support. – John Hanley Jun 10 '21 at 03:23
  • All right, I'll set the SDK up and get back to you with the results. I never set up any billing accounts, I'm not using or paying for anything in Google Cloud. – liewl Jun 10 '21 at 03:25
  • Keep in mind that only Google Cloud will be able to solve a fraudulent account issue. We can help identify what is going on with your accounts so that you can provide FACTS to Google support. – John Hanley Jun 10 '21 at 03:26
  • If you do not have a Google Cloud Billing account, then there is nothing that Google Cloud can do for you as there is no problem to be fixed. Make sure you know what you have and what is going on with Google Cloud. Sounds like you are worried about a "no problem" situation. – John Hanley Jun 10 '21 at 03:29
  • How is this not a problem? I'm stuck with projects that have nothing to do with me on Google Cloud and Firebase console. I have not created them and cannot leave them as well. Is it normal on this platform that other users can include you and pollute your console and you can't do anything about it? – liewl Jun 10 '21 at 03:34
  • For the first command, I ran it for one of the projects, the output is as follows: ERROR: (gcloud.projects.get-iam-policy) User [] does not have permission to access projects instance [agimatec-tools:getIamPolicy] (or it may not exist): The caller does not have permission – liewl Jun 10 '21 at 03:39
  • If you do not have a Google Cloud Billing account, those projects are NOT your projects, and they were NOT created in your name. The fact that you can see a project does NOT mean you have a problem. – John Hanley Jun 10 '21 at 03:46
  • Okay but one of these projects is listed under 'Your Firebase Projects' in Firebase. It may not be my project then, but **is there any way at all I can get rid of it**? I don't want to contact the project owner and ask to remove me because I don't know them and don't know their intentions regarding this project and why I'm somehow included in it. Whoever manages that project defined the public-facing name as 'HACKEDr', nothing good can come of it. – liewl Jun 10 '21 at 03:54
  • 1
    At this point, you need to contact Google Cloud Support. To clarify, you can add my Gmail address to your project and there is nothing I can do to stop you short of deleting my email address. However, that means you are granting me rights to see/access your project. I do not have a problem, but you might. Do you see the difference? The fact that I can see your project does not mean I own it, I manage it, or I am responsible for it. Since you do not have a Billing Account, those projects are not part of your account. – John Hanley Jun 10 '21 at 04:00
  • All right, thank you for your help. I looked into Google Cloud issues and found a [ticket for my problem](https://issuetracker.google.com/issues/35903415), apparently other people are having this issue as well, for a few years at least. This makes me a little less worried, at least this doesn't mean my account has been hacked. – liewl Jun 10 '21 at 04:17
  • 1
    Just make sure you double-check your Google Payments account to see if you have a forgotten billing account attached to your payments account. https://payments.google.com/ – John Hanley Jun 10 '21 at 04:41
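
For a project whose policy you are allowed to read, the JSON form of the `get-iam-policy` output shows whether an account's roles come from a direct binding or from a Google Group, which is the distinction this thread turned on. This is an added example, not code from any of the posters; `explain_access`, `owners`, the `my_groups` input, the sample policy and every address in it are constructed for illustration.

```python
import json

# Constructed sample, in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:owner@example.com"]},
  {"role": "roles/viewer", "members": ["group:old-list@googlegroups.com",
                                       "user:Me@Example.com"]},
  {"role": "roles/firebase.viewer", "members": ["group:old-list@googlegroups.com"]},
  {"role": "roles/browser", "members": ["allAuthenticatedUsers"]}],
 "etag": "constructed", "version": 1}
""")
PUBLIC = {"allusers", "allauthenticatedusers"}


def explain_access(policy, email, my_groups=()):
    """Return sorted (role, source) pairs for `email`; source is "direct",
    "group:<addr>", "domain:<name>" or "public". my_groups: the account's groups."""
    email = email.lower()
    domain = email.rsplit("@", 1)[-1]
    groups = {g.lower() for g in my_groups}  # assumed: listed by hand by the user
    found = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind, _, value = member.lower().partition(":")
            if kind in PUBLIC:
                found.add((role, "public"))
            elif kind == "user" and value == email:
                found.add((role, "direct"))
            elif kind == "group" and value in groups:
                found.add((role, "group:" + value))
            elif kind == "domain" and value == domain:
                found.add((role, "domain:" + value))
    return sorted(found)


def owners(policy):
    """Members bound to roles/owner, i.e. who can edit the policy."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == "roles/owner" for m in b.get("members", []))


if __name__ == "__main__":
    for role, source in explain_access(SAMPLE_POLICY, "me@example.com",
                                       ["old-list@googlegroups.com"]):
        print(f"{role:24} via {source}")
    print("owners:", owners(SAMPLE_POLICY))
```

A `group:` source goes away when the account leaves that group; a `direct` source can only be removed by one of the members returned by `owners`.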