
I was playing around with terraform to create an infrastructure for a couple of services on GCP. GCP organises all the infra in so-called projects. I specified a project_id incorrectly in terraform files (actually I set project_id to one already existing in my GCP, but the project name was different). Terraform in the plan phase was successful, but after apply it failed. Then I executed `terraform destroy`, set the correct project_id (and name), executed `terraform apply` again, this time successfully. But when I opened the GCP console I saw that actually 2 projects were created in the project list (one with the correct name and id and another with some random name: something like My Project 1234 as name and beaming-light-546562 as id). And now the `gcloud projects list` command shows 3 projects (this random one, the correct one and the previously existing one).

The problem is that I can't remove that "random" project, neither from the gcloud utility nor from the GCP console. I get an error:

<myuser_mail_address> does not have permission to access projects instance or project doesn't exist

Also that random project is not linked to my billing account.

How can I remove that "random" project?

EDIT

It seems strange that the project with id beaming-light-546562 can't be removed by me (the owner of the account) on the grounds that I do not have permissions to do that. Also the name of the id: it is similar to the technique docker uses for generating names of running containers. I do not recall that terraform has such a feature. Could it be GCP itself that generates such random names?

maks
  • What is your role on the organization level or folder level (the folder that contains the project)? You have to have some permissions to list and delete projects (`resourcemanager.projects.list` & `resourcemanager.projects.delete`) – Atef Hares Dec 30 '21 at 00:32
  • @AtefHares in resource manager I see that my projects do not belong to any organization (`No organization` is shown). On that random project I can't view the roles, it says that I don't have permissions to view the permissions. On the other 2 projects I have the role owner (I guess this means that I can do everything with the project) – maks Dec 30 '21 at 01:20
  • When you used terraform to create the random project, did you use some service account or your account to authenticate to GCP? – Atef Hares Dec 30 '21 at 01:28
  • There are a couple of steps to follow after using the `terraform destroy` command. Refer to the **cleaning up** section of this [documentation](https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform) for more information on deleting a project and refer to this [documentation](https://cloud.google.com/billing/docs/how-to/view-linked#view_the_billing_account_linked_to_each_of_your_projects) for the details of the billing account associated with the project. – Goli Nikitha Dec 30 '21 at 12:53
  • @AtefHares I used `gcloud auth application-default login` to authenticate – maks Dec 30 '21 at 14:29
  • @GoliNikitha thanks for the links. I do not have an organization set in GCP. Also on those links I didn't find any hints on how I can remove the aforementioned project from the resources list on GCP and from the output of the gcloud command. All the recommended steps were made by me – maks Dec 30 '21 at 15:11
  • Did you check the **cleaning up** section of this [document](https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform) and try those steps? The steps are present at the end of the document. Did you get the information on the billing account associated with the project? – Goli Nikitha Dec 30 '21 at 15:27
  • @GoliNikitha My billing account doesn't contain the project that I'm talking about. Cleanup steps were performed: terraform destroy was successful (random project still there), deleting it with `gcloud delete` gives me an error that I do not have permission to perform that operation (or that the project id doesn't exist). Also I do not have any organizations – maks Dec 30 '21 at 15:35
  • Looks like a potential bug in GCP. Maybe after some time it will be removed (like the projects in the pending deletion section in the resource manager view) – maks Dec 30 '21 at 15:38
  • @maks, it seems to be a known issue: https://b.corp.google.com/issues/191214686. You might have been added into a project through a group, so it appears in the project list. However, you have not been granted permission to modify the IAM of that project, so you can't remove the group from the permission list. You can find what groups you're a member of at https://groups.google.com/my-groups. NOTE: You can leave the groups in order to lose the access, but there could be a situation where your email is added to a single role/permission and you would not be able to remove yourself from the IAM list. – Goli Nikitha Jan 03 '22 at 07:20
  • @GoliNikitha sorry, which issue? (It seems the link requires an internal Google account.) – maks Jan 04 '22 at 10:45
  • @GoliNikitha I can confirm that after removing my account from the groups that it was in (they were some old groups which I do not track anymore), after some time that "random" project disappeared. Can you please add your comment as an answer to the question with a description of the mentioned issue? It solved my problem. Then I'll accept it as the answer. – maks Jan 04 '22 at 20:29
  • @maks, I have updated my answer with the workaround. Glad it worked!! – Goli Nikitha Jan 06 '22 at 07:09

1 Answer

I tried to recreate the error, i.e. I created a sample project (via the console), deleted that sample project in Cloud Shell using the command `gcloud projects delete <project ID>`, then tried to delete the same sample project in Cloud Shell again and got this error message: [image of the error message]

You can cross-verify whether the reason listed in the image, i.e. PROJECT_DELETE_INACTIVE, is present in the output of your `gcloud projects delete <project ID>` command. This means that the project is inactive, and a project becomes inactive when it's deleted.

From this document: The project takes approximately 30 days for complete deletion. At the end of the 30-day period, the project and all its resources are deleted and cannot be recovered.

Edit:

It seems to be a known issue with GCP. Leaving “Google Groups” related to GCP is a fix to this issue. You can track this Public Issue for more information.

You might have been added into a project through a group, so it appears in the project list. However, you have not been granted permission to modify the IAM of that project, so you can't remove the group from the permission list.

As a workaround, you can leave "Google Groups" related to GCP and reload the GCP console webpage so that all your unknown/inaccessible projects will disappear from the projects list. You can find what groups you're a member of, using this Google Groups link.

NOTE: You can leave the groups in order to lose the access, but there could be a situation where your email is added to a single role/permission and you would not be able to remove yourself from the IAM list.

Goli Nikitha
  • `ERROR: (gcloud.projects.delete) User [my_email_address] does not have permission to access projects instance [beaming-light-546562] (or it may not exist): The caller does not have permission`. This is the full message that is printed when I do `gcloud projects delete beaming-light-546562` (this project id is shown to me when I do `gcloud projects list`). So my error message differs a bit from yours – maks Dec 31 '21 at 11:38
  • My main concern is that it is shown in a list of active projects (I assume that the command `gcloud projects list` without any flags shows active projects) – maks Dec 31 '21 at 11:40
  • @maks, go to the **Manage Billing Accounts** page and select the **My projects** tab. You will see a table that lists all your projects, and the associated billing account name and billing account ID. If a billing account is not linked to a project, in the Billing account column, you will see "Billing is disabled". FYI, billing accounts are disconnected from the project within one day if the project is deleted. So confirm once whether the project is connected to any billing account. – Goli Nikitha Dec 31 '21 at 12:23
  • @maks, refer to this [document](https://cloud.google.com/billing/docs/how-to/view-linked#view_the_billing_account_linked_to_each_of_your_projects) for more information on the billing account associated with the project. We can't delete a project connected to someone else's billing account. If that is the case, then first you need to change the billing account associated with the project to your billing account and then try to delete the project. Refer to this [document](https://cloud.google.com/billing/docs/how-to/modify-project#change_the_billing_account_for_a_project) for changing the billing account. – Goli Nikitha Dec 31 '21 at 12:29
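
The symptom discussed in this thread (a project that `gcloud projects list` returns but whose IAM policy you cannot read) can be checked for every listed project at once. The script below is an added example, not code from the question, answer or comments; the function names, the status labels, the `fake_gcloud` stub and the project IDs `my-app` and `shared-lab` are constructed for illustration.

```shell
# Added example (not from the thread). GCLOUD may point at a stub for testing.
GCLOUD="${GCLOUD:-gcloud}"

# audit_projects EMAIL
# For every project from `gcloud projects list`, print "<id> <status>":
#   direct:<roles>  user:EMAIL is bound to these roles on the project itself
#   indirect        policy readable, but no user:EMAIL binding on the project
#                   (access comes through a group or another principal)
#   iam-denied      project is listed, yet its IAM policy cannot be read
audit_projects() {
  email=$1
  "$GCLOUD" projects list --format='value(projectId)' |
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    if roles=$("$GCLOUD" projects get-iam-policy "$id" \
        --flatten='bindings[].members' \
        --filter="bindings.members:user:$email" \
        --format='value(bindings.role)' 2>/dev/null); then
      if [ -n "$roles" ]; then
        printf '%s direct:%s\n' "$id" "$(printf '%s\n' "$roles" | paste -sd, -)"
      else
        printf '%s indirect\n' "$id"
      fi
    else
      printf '%s iam-denied\n' "$id"
    fi
  done
}

# Projects to review group membership for: listed, but IAM cannot be read.
unmanageable_projects() {
  audit_projects "$1" | awk '$2 == "iam-denied" { print $1 }'
}

# Constructed stub standing in for gcloud so the logic can run offline.
fake_gcloud() {
  case "$2" in
    list) printf 'my-app\nshared-lab\nbeaming-light-546562\n' ;;
    get-iam-policy)
      case "$3" in
        my-app) printf 'roles/owner\n' ;;
        shared-lab) : ;;                       # readable, no direct binding
        *) echo 'PERMISSION_DENIED' >&2; return 1 ;;
      esac ;;
  esac
}
# Offline demo: GCLOUD=fake_gcloud; audit_projects me@example.com
```

Against a real account, call `audit_projects "$(gcloud config get-value account)"`; any `iam-denied` project is a candidate for the stale group membership described in the answer.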