Protecting projects with liens

This document is for Project owners and Organization administrators looking to add protections against project deletion.

You can place a lien upon a project to block the project's deletion until you remove the lien. This can be useful to protect projects of particular importance.

Liens can also be placed upon a project automatically. For example, if you allow Identity and Access Management (IAM) service accounts from one project to be attached to resources in other projects, a lien is placed upon the project where the service accounts are located.

Before you begin

The gcloud CLI is the easiest way to interact with project liens. If you don't have it installed, you can use Google Cloud Shell.

Required roles

To get the permissions that you need to modify liens, ask your administrator to grant you the Project lien modifier (roles/resourcemanager.lienModifier) IAM role on projects. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to modify liens. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to modify liens:

  • resourcemanager.projects.updateLiens
  • List liens on a project: resourcemanager.projects.get

You might also be able to get these permissions with custom roles or other predefined roles.

Placing a lien on a project

To place a lien on a project, use the alpha resource-manager liens create command.

    gcloud alpha resource-manager liens create \
      --project=PROJECT_ID \
      --restrictions=PERMISSION_RESTRICTION \
      --reason=LIEN_REASON \
      --origin=LIEN_ORIGIN

Replace the following:

  • PROJECT_ID: ID of the project the lien applies to.
  • PERMISSION_RESTRICTION: Comma-separated list of IAM permissions to block. The only valid restriction for a project is resourcemanager.projects.delete.
  • LIEN_REASON: Human-readable description of why this lien exists. Put this description within double quotation marks. Example: "This project is protected by a lien".
  • LIEN_ORIGIN: String denoting the user or system which originated the lien. It is a required field, but is automatically populated with the user's email address if omitted.

Listing liens on a project

To list all liens applied to a project, use the alpha resource-manager liens list command.

    gcloud alpha resource-manager liens list

The output is similar to the following:

    gcloud alpha resource-manager liens list
    NAME                                                  ORIGIN            REASON
    p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7  user@example.com  testing
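
One way to confirm that each project you consider important actually carries a deletion-blocking lien, built on the list command above. This is an added example, not part of the original documentation; the function names, the project IDs you pass in, and reading the lien's restrictions field through --format="value(restrictions)" are assumptions.

```shell
#!/bin/sh
# Added example: audit projects for a lien that blocks deletion.
DELETE_PERM="resourcemanager.projects.delete"

# Print the restrictions of every lien on project $1, one lien per line.
# Assumption: liens expose a "restrictions" field, and the gcloud-wide
# --project and --format flags are accepted by this alpha command.
lien_restrictions() {
  gcloud alpha resource-manager liens list \
    --project="$1" --format="value(restrictions)"
}

# Exit status: 0 = a lien restricts deletion, 1 = no such lien,
# 2 = the listing failed (for example, resourcemanager.projects.get
# is missing), so the protection state is unknown.
has_delete_lien() {
  out=$(lien_restrictions "$1") || return 2
  # Multiple restrictions may be joined by ';' or ','; split to one per line.
  printf '%s\n' "$out" | tr ';, ' '\n\n\n' | grep -Fxq "$DELETE_PERM"
}

# Report every project that is not confirmed as protected.
# Returns 1 if any project is unprotected or could not be checked.
audit_projects() {
  missing=0
  for project in "$@"; do
    if has_delete_lien "$project"; then
      continue
    else
      rc=$?
    fi
    if [ "$rc" -eq 2 ]; then
      echo "UNKNOWN $project"
    else
      echo "UNPROTECTED $project"
    fi
    missing=1
  done
  return "$missing"
}
```

Call audit_projects with the project IDs to check; a non-zero return means at least one of them needs a lien or could not be inspected.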

Removing liens from a project

To remove a lien from a project, use the alpha resource-manager liens delete command.

    gcloud alpha resource-manager liens delete LIEN_NAME

Replace LIEN_NAME with the name of the lien to be deleted, such as p1061081023732-l3d8032b3-ea2c-4683-ad48-5ca23ddd00e7.

References

API Reference: REST Resource: liens
