You can place a lien upon a project to block the project's deletion until you remove the lien. This can be useful to protect projects of particular importance.
Liens can also be placed upon a project automatically. For example, if you allow Identity and Access Management (IAM) service accounts from one project to be attached to resources in other projects, a lien is placed upon the project where the service accounts are located.
The gcloud CLI is the easiest way to interact with project liens. If you don't have it installed, you can use Google Cloud Shell.
Placing a lien on a project
To place a lien on a project, a user must have the
resourcemanager.projects.updateLiens permission which is granted by the
gcloud alpha resource-manager liens create \ --restrictions=resourcemanager.projects.delete \ --reason="Super important production system"
The available parameters to
liens create are:
--project- The project the lien applies to.
--restrictions- A comma-separated list of IAM permissions to block.
--reason- A human-readable description of why this lien exists.
--origin- A short string denoting the user/system which originated the lien. Required, but the gcloud tool will automatically populate it with the user's email address if left out.
At present, the only valid restriction for a project is
Listing liens on a project
To list liens applied to a project, a user must have the
resourcemanager.projects.get permission. Use the
liens list gcloud command.
gcloud alpha resource-manager liens list
Here is some example output for this command:
gcloud alpha resource-manager liens list NAME ORIGIN REASON p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7 firstname.lastname@example.org testing
Removing liens from a project
To remove a lien from a project, a user must have the
resourcemanager.projects.updateLiens permission which is granted by
gcloud alpha resource-manager liens delete [LIEN_NAME]
- [LIEN_NAME] is the name of the lien to be deleted.
API Reference: REST Resource: liens