
Ownership transfer checklist

Hi 

I recently took ownership of a GCP project. The earlier owner had financial troubles and I was looking to build in the space. So he handed over the project assets to me. All the resources were in forbidden stage when I opened the resources (VMs, Storage, etc.). I added my cc and now the lights are on. I can see the infra and log in with the earlier created keys.

I'm new to GCP infra. I mostly run infra on-prem (I can feel the weird looks already). I'm evaluating whether to keep this project on GCP or not. So, I'm going by the basics to start with. At first look, I'm worried that the earlier owner's account is everywhere: compute access, networking admin, and another 11000 permissions. This is unmanageable and I'm certain this is not a sound setup. I don't know what will fail if I remove access to this account. So, I need to go step by step, if there is a playbook to this.

So dear community,

Are there any checklists for taking over a project? What are the security aspects to think of before removing an old owner's account in the project?

I really appreciate your guidance. I'm new to the cloud world, so any guidance would be deeply appreciated. 


Hi @newtogcp

Welcome to Google Cloud Community!

Seeing 11,000 permissions for that account strongly suggests it has the Owner role (officially roles/owner). Think of this as GCP's top-level administrative access, including permissions for every service and action available within that project.

Here are the guides that may help:

1. Verify your own Access

2. Review Service Account

3. Utilize Security Command Center 

  • Check if your Security Command Center is enabled. This helps you strengthen your security posture by identifying misconfigurations and possible data risks.

4. Set Up Logging and Alerting

  • You may set up alerts for critical IAM changes, error logs, and suspicious API activities. You may check this Log-based alerting for more information.


Note: Do not rush removing the old owner's account. It's crucial to understand that this can disrupt critical services and automation on your project. The recommended path forward is to first migrate any responsibilities/roles or dependencies from the old owner's account to dedicated service accounts.

If you have any questions or need clarification, please reach out to our Google Cloud Support team for help identifying the correct roles and permissions.


Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
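
One way to work through steps 1 and 2 of the reply before touching the old owner's account, as an added example that is not part of the thread or any Google tooling: it reads the JSON produced by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which roles the old account holds, which of those it holds alone, whether the new owner is already bound to `roles/owner`, and which service accounts have project-level roles. The function name, e-mail addresses and sample policy are constructed for illustration.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/owner",
   "members": ["user:old-owner@example.com", "user:new-owner@example.com"]},
  {"role": "roles/compute.admin", "members": ["user:old-owner@example.com"]},
  {"role": "roles/compute.networkAdmin", "members": ["user:old-owner@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:app-backend@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
]}
""")

def audit_principal(policy, old_member, new_member):
    """Summarise what old_member holds in a project IAM policy (hypothetical helper)."""
    held, sole, owners, service_accounts = set(), set(), set(), set()
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if role == "roles/owner":
            owners.update(members)
        # Service accounts with project-level roles are the ones to review in step 2.
        service_accounts.update(m for m in members if m.startswith("serviceAccount:"))
        if old_member in members:
            held.add(role)
            # A role held by nobody else disappears from the project on removal.
            if len(members) == 1:
                sole.add(role)
    return {
        "roles_held": sorted(held),
        "sole_holder_of": sorted(sole),
        "new_owner_confirmed": new_member in owners,
        "service_accounts": sorted(service_accounts),
    }

if __name__ == "__main__":
    report = audit_principal(SAMPLE_POLICY, "user:old-owner@example.com",
                             "user:new-owner@example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

This covers only the project-level policy; roles granted on individual resources or at the folder or organization level are not in that JSON and need their own review.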