Protecting projects with liens

This document is for Project owners and Organization administrators looking to add protections against project deletion.

You can place a lien upon a project to block the project's deletion until you remove the lien. This can be useful to protect projects of particular importance.

Liens can also be placed upon a project automatically. For example, if you allow Identity and Access Management (IAM) service accounts from one project to be attached to resources in other projects, a lien is placed upon the project where the service accounts are located.

Before you begin

The gcloud CLI is the easiest way to interact with project liens. If you don't have it installed, you can use Google Cloud Shell.

Required roles

To get the permissions that you need to modify liens, ask your administrator to grant you the Project lien modifier (roles/resourcemanager.lienModifier) IAM role on projects. For more information about granting roles, see Manage access.

This predefined role contains the permissions required to modify liens. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to modify liens:

  • resourcemanager.projects.updateLiens
  • List liens on a project: resourcemanager.projects.get

You might also be able to get these permissions with custom roles or other predefined roles.

Placing a lien on a project

To place a lien on a project, use the alpha resource-manager liens create command.

gcloud alpha resource-manager liens create \
  --project=[PROJECT_NAME]
  --restrictions=[PERMISSION_RESTRICTION] \
  --reason=[LIEN_REASON]
  --origin=[LIEN_ORIGIN]

Replace the following:

  • [PROJECT_NAME]: the name of the project the lien applies to.
  • [PERMISSION_RESTRICTION]: a comma-separated list of IAM permissions to block. The only valid restriction for a project is resourcemanager.projects.delete.
  • [LIEN_REASON]: a human-readable description of why this lien exists.
  • [LIEN_ORIGIN]: a short string denoting the user or system which originated the lien. Required, but this field is automatically populated with the user's email address if omitted.

Listing liens on a project

To list all liens applied to a project, use the alpha resource-manager liens list command.

gcloud alpha resource-manager liens list

The output is similar to the following:

gcloud alpha resource-manager liens list
NAME                                                  ORIGIN            REASON
p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7  user@example.com  testing

Removing liens from a project

To remove a lien from a project, use the alpha resource-manager liens delete command.

gcloud alpha resource-manager liens delete [LIEN_NAME]

Replace [LIEN_NAME] with the name of the lien to be deleted, such as liens/p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7.

References

API Reference: REST Resource: liens