Protecting projects from accidental deletion with liens


This document is for Project owners and Organization administrators looking to add protections against project deletion.

You can place a lien upon a project to block the project's deletion until you remove the lien. This can be useful to protect projects of particular importance.

Liens can also be placed upon a project automatically. For example, if you allow Identity and Access Management (IAM) service accounts from one project to be attached to resources in other projects, a lien is placed upon the project where the service accounts are located.

The gcloud CLI is the easiest way to interact with project liens. If you don't have it installed, you can use Google Cloud Shell.

Placing a lien on a project

To place a lien on a project, a user must have the resourcemanager.projects.updateLiens permission, which is granted by the roles/owner and roles/resourcemanager.lienModifier roles.

gcloud alpha resource-manager liens create \
  --restrictions=resourcemanager.projects.delete \
  --reason="Super important production system"

The available parameters to liens create are:

  • --project - The project the lien applies to.
  • --restrictions - A comma-separated list of IAM permissions to block.
  • --reason - A human-readable description of why this lien exists.
  • --origin - A short string denoting the user/system which originated the lien. Required, but the gcloud tool will automatically populate it with the user's email address if left out.

At present, the only valid restriction for a project is resourcemanager.projects.delete.

Listing liens on a project

To list liens applied to a project, a user must have the resourcemanager.projects.get permission. Use the liens list gcloud command.

gcloud alpha resource-manager liens list

Here is some example output for this command:

gcloud alpha resource-manager liens list
NAME                                                  ORIGIN            REASON
p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7  user@example.com  testing
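
The create and list commands above can be combined so that a set of critical projects is checked and a lien is placed only where none exists. The script below is an added example, not part of the original documentation; the script name ensure-liens.sh and the function names are hypothetical, and it assumes gcloud's global --format flag to print each lien's restrictions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): ensure each listed project has a
# lien blocking deletion, creating one only when none exists.
set -u

RESTRICTION="resourcemanager.projects.delete"

# Exit 0 if a delete-blocking lien exists, 1 if not, 2 if the list call failed
# (for example, the caller lacks resourcemanager.projects.get).
has_delete_lien() {
  local project="$1" out
  out="$(gcloud alpha resource-manager liens list \
    --project="$project" --format="value(restrictions)")" || return 2
  printf '%s\n' "$out" | grep -qwF "$RESTRICTION"
}

# Print "<project> present|created|error"; never creates a duplicate lien.
ensure_delete_lien() {
  local project="$1" reason="$2" rc=0
  has_delete_lien "$project" || rc=$?
  case "$rc" in
    0) echo "$project present" ;;
    1) if gcloud alpha resource-manager liens create \
           --project="$project" \
           --restrictions="$RESTRICTION" \
           --reason="$reason" >/dev/null; then
         echo "$project created"
       else
         echo "$project error"; return 1
       fi ;;
    *) echo "$project error"; return 1 ;;
  esac
}

# Usage (hypothetical name): ensure-liens.sh "reason text" PROJECT_ID [PROJECT_ID ...]
if [ "$#" -ge 2 ]; then
  reason="$1"; shift
  failed=0
  for p in "$@"; do
    ensure_delete_lien "$p" "$reason" || failed=1
  done
  exit "$failed"
fi
```

A failed list call is reported as an error rather than treated as "no lien", so a missing resourcemanager.projects.get permission does not cause duplicate liens to be created.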

Removing liens from a project

To remove a lien from a project, a user must have the resourcemanager.projects.updateLiens permission, which is granted by the roles/owner and roles/resourcemanager.lienModifier roles.

gcloud alpha resource-manager liens delete [LIEN_NAME]

where:

  • [LIEN_NAME] is the name of the lien to be deleted.
