
I've checked in with similar questions like

[SO] advice for naming GCP projects [closed]

[SO] Best practice for production and test environments in Google App Engine

[SO] What's the risk in using project-id in GCS bucket names?

and also Google's documentation on naming projects

but my question remains:

How can I name projects (IDs) in a useful way such that I can easily remember them when using them for API calls/CLIs/whatever, without having to look them up all the time because, in order not to disclose any information, they are e.g. named spectacular-failure-51427 instead of org-project-env?

For anyone new to the issue: GCP project IDs have to be globally unique for anyone using the platform. Therefore you can check whether a project (ID) already exists by trying to create one with the corresponding ID (e.g. company-super-secret-project) and leverage this to derive information from and about existing projects/companies/cooperations/etc., or to identify high-value (data) targets.

Ichixgo

2 Answers


Using encoded names is always a good way to go. They are easy to remember, and easy to link to what you are doing.

If you want to have your own namespace, I would start by populating it with the "org name", or an abbreviation of it. After it, your encoded name (take animals, plants, cities...), and then, as a good practice, the stage (dev, stg, prod...).

There is no unique answer to your question, though. You will have to create your own way around this issue.

Carlos S.
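The org-codename-stage scheme above has to fit inside Google's documented project-ID rules (6 to 30 characters, lowercase letters, digits and hyphens only, starting with a letter, no trailing hyphen, and no restricted strings such as `google` or `ssl`). The following is an added example, not code from the question or the answers: it composes IDs in that scheme and reports every rule violation, so that a candidate like `company-super_secret_project` (underscores, and too long once a stage suffix is appended) is rejected before anyone tries to create it. The `ALLOWED_ENVS` list and the `org`/`codename`/`env` parts are assumptions standing in for an organisation's own convention.

```python
import re
from typing import List

# GCP project-ID constraints as documented by Google: 6-30 characters,
# lowercase letters, digits and hyphens, starts with a letter, does not
# end with a hyphen. The regex encodes the length bounds (1 + 4..28 + 1).
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Documented restricted strings that may not appear anywhere in an ID.
RESTRICTED_STRINGS = ("google", "ssl")

# Assumed organisational convention for the stage suffix (not a GCP rule).
ALLOWED_ENVS = ("dev", "stg", "prod")


def validate_project_id(project_id: str) -> List[str]:
    """Return the list of rule violations for project_id (empty means valid)."""
    problems: List[str] = []
    if not 6 <= len(project_id) <= 30:
        problems.append("length must be between 6 and 30 characters")
    if not PROJECT_ID_RE.fullmatch(project_id):
        problems.append(
            "only lowercase letters, digits and hyphens; must start with a "
            "letter and must not end with a hyphen"
        )
    for word in RESTRICTED_STRINGS:
        if word in project_id:
            problems.append(f"contains restricted string {word!r}")
    return problems


def build_project_id(org: str, codename: str, env: str) -> str:
    """Compose <org>-<codename>-<env>, normalise it, and check it.

    Underscores are turned into hyphens and everything is lower-cased so the
    result has a chance of passing the GCP rules; if it still does not, a
    ValueError listing the violations is raised.
    """
    if env not in ALLOWED_ENVS:
        raise ValueError(f"env must be one of {ALLOWED_ENVS}, got {env!r}")
    candidate = "-".join(
        part.strip().lower().replace("_", "-") for part in (org, codename, env)
    )
    problems = validate_project_id(candidate)
    if problems:
        raise ValueError(f"{candidate!r} is not a valid project ID: " + "; ".join(problems))
    return candidate


if __name__ == "__main__":
    print(build_project_id("acme", "otter", "dev"))
    for bad in ("company-super_secret_project", "my-ssl-project", "acme-"):
        print(bad, "->", validate_project_id(bad) or "ok")
```

Running the check locally before `gcloud projects create` saves a round trip and, more importantly, keeps the naming convention consistent across the whole organisation, which is what makes the IDs memorable in the first place.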

You probably want to use company-super_secret_project as the project ID, or at least have that project ID locked for your use.

Not having ownership of that project ID opens up the possibility of anybody else creating that project ID if the internal project name is leaked any other way. This is dangerous considering service accounts include the project ID, so it would be easier to do some phishing if somebody else grabs that project ID.

Furthermore, if your company usually uses the format company-not_so_secret_project, having anybody else using company-super_secret_project would give them credibility during any phishing attack.

Since you'll need to have that project ID locked, it'll mean your main concern (leaking information about the existence of super_secret_project) will happen regardless of whether that's the project used during development or not.

However, the fact that anyone can create that project ID muddies the waters regarding how relevant that information is. As an example, I could go right now and create a project with the ID valve-half-life-3 and start claiming that Half-Life 3 has been confirmed.

In summary, considering this "attack" is a brute-force one (you have to try all the suspected project IDs in order to confirm their existence), and the information gained is quite irrelevant (that project ID could have been created by anyone), I don't think using the real project name should be a concern.

Jofre