This document is for Project owners and Organization administrators looking to add protections against project deletion.
You can place a lien upon a project to block the project's deletion until you remove the lien. This can be useful to protect projects of particular importance.
Liens can also be placed upon a project automatically. For example, if you allow Identity and Access Management (IAM) service accounts from one project to be attached to resources in other projects, a lien is placed upon the project where the service accounts are located.
The gcloud CLI is the easiest way to interact with project liens. If you don't have it installed, you can use Google Cloud Shell.
Placing a lien on a project
To place a lien on a project, a user must have the
resourcemanager.projects.updateLiens
permission which is granted by the
roles/owner
and roles/resourcemanager.lienModifier
roles.
gcloud alpha resource-manager liens create \
--restrictions=resourcemanager.projects.delete \
--reason="Super important production system"
The available parameters to liens create
are:
--project
- The project the lien applies to.--restrictions
- A comma-separated list of IAM permissions to block.--reason
- A human-readable description of why this lien exists.--origin
- A short string denoting the user/system which originated the lien. Required, but the gcloud tool will automatically populate it with the user's email address if left out.
At present, the only valid restriction for a project is
resourcemanager.projects.delete
.
Listing liens on a project
To list liens applied to a project, a user must have the
resourcemanager.projects.get
permission. Use the liens list
gcloud command.
gcloud alpha resource-manager liens list
Here is some example output for this command:
gcloud alpha resource-manager liens list
NAME ORIGIN REASON
p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7 user@example.com testing
Removing liens from a project
To remove a lien from a project, a user must have the
resourcemanager.projects.updateLiens
permission which is granted by
roles/owner
and roles/resourcemanager.lienModifier
.
gcloud alpha resource-manager liens delete [LIEN_NAME]
where:
- [LIEN_NAME] is the name of the lien to be deleted.
References
API Reference: REST Resource: liens