Use this guidance to add additional protections to user-applied project liens on projects that contain backup vaults.
Overview
This guide outlines the method for establishing a structured, multi-party approval process to manage project liens and project deletion. By leveraging the Privileged Access Manager service, your organization can ensure that critical permissions—specifically the ability to remove liens—are granted only temporarily and require explicit approval from a second authorized party.
Phase 1: Prepare Identity and Access Management (IAM) (the lockout)
The goal of this phase is to ensure no unauthorized user has permanent access to modify or delete liens.
Audit existing roles for project lien administration rights:
The basic Owner role (roles/owner) contains the permission resourcemanager.projects.updateLiens (which allows removal of project liens) by default.
Recommendation: Ensure users are not assigned the basic Owner role. Instead, assign them the Editor role (which does not have lien removal capabilities) or a custom "Owner-minus-liens" role. Also ensure that users are not assigned the Project lien modifier role, as this role also contains the permission required to remove project liens.
Create the Lien Admin custom role:
- In the Google Cloud console, navigate to IAM & Admin > Roles.
- Click Create Role.
Configure the role with the following settings (these values are for illustration):
- Title: Lien Administrator
- ID: lien_administrator
- Role launch stage: General Availability
- Permissions: Click "Add Permissions" and search for exactly: resourcemanager.projects.updateLiens.
Click Create.
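As an added example (not part of this guide or of Google's tooling), the following Python audit implements the Phase 1 check: given a project IAM policy and the permissions of its custom roles (in the JSON shapes that gcloud returns), it lists every principal able to remove liens and separates permanent holders from conditional, time-bound bindings. The Project Lien Modifier role ID and the sample policy are assumptions constructed for the example.

```python
import json

# Permission that allows removing project liens (named in Phase 1 of the guide).
LIEN_PERMISSION = "resourcemanager.projects.updateLiens"
# Predefined roles the guide says carry it: basic Owner and Project Lien Modifier
# (the latter's role ID, roles/resourcemanager.lienModifier, is assumed here).
PREDEFINED_LIEN_ROLES = {"roles/owner", "roles/resourcemanager.lienModifier"}


def roles_with_lien_permission(custom_roles):
    """custom_roles maps a custom role name to its includedPermissions list."""
    return {name for name, perms in custom_roles.items() if LIEN_PERMISSION in perms}


def audit_lien_access(policy, custom_roles):
    """Return (member, role, condition_title) for every binding that grants lien
    removal. condition_title is None for a permanent (unconditional) binding."""
    risky = PREDEFINED_LIEN_ROLES | roles_with_lien_permission(custom_roles)
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in risky:
            continue
        title = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            findings.append((member, binding["role"], title))
    return findings


def permanent_lien_holders(policy, custom_roles):
    """The Phase 1 check: principals holding lien removal with no condition at all.
    A conditional, time-bound binding is left for the reviewer to match against
    an approved Privileged Access Manager grant."""
    return [(m, r) for m, r, t in audit_lien_access(policy, custom_roles) if t is None]


# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:alice@company.com"]},
  {"role": "roles/editor", "members": ["group:devops-team@company.com"]},
  {"role": "roles/resourcemanager.lienModifier",
   "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
  {"role": "projects/my-project/roles/lien_administrator", "members": ["user:bob@company.com"],
   "condition": {"title": "pam-grant (constructed)",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}""")

# Constructed custom roles: the guide's lien_administrator and an "Owner-minus-liens" role.
SAMPLE_CUSTOM_ROLES = {
    "projects/my-project/roles/lien_administrator": [LIEN_PERMISSION],
    "projects/my-project/roles/owner_minus_liens": ["resourcemanager.projects.get"],
}
```

Run it against a real policy by replacing the two samples with the parsed output of `gcloud projects get-iam-policy` and `gcloud iam roles describe` for each custom role in the policy.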
Phase 2: Configure Privileged Access Manager for multi-party approval (the key)
In this phase, you will configure the Privileged Access Manager to control access to the Lien Admin custom role created in Phase 1 (Create the Lien Admin custom role).
- Navigate to IAM & Admin > Privileged Access Manager. (Ensure Privileged Access Manager is set up if this is your first time using it).
In the Entitlements section, click Create.
- Name: Enter a descriptive name (e.g., remove-project-lien).
- Resource: Select the organization, folder (recommended), or specific project where you want this logic to apply.
- Role: Select the Lien Administrator custom role created in Phase 1.
- Requester: Select the individual principals or the group of users (e.g., devops-team@company.com) who are allowed to request this permission.
Configure the approval workflow: check the box for Approval required.
- Approvers: Select the group or users who must approve requests (e.g., team-leads@company.com).
- Approver count: Set to 1 or more, depending on your policy.
Configure Settings:
- Max duration: Set to 1 hour (this is typically sufficient to delete a lien; adjust according to your needs).
- Justification: Set to Required.
Click Create.
Phase 3: How it works
Once configured, the process for deleting a protected project is as follows:
- Request: User A needs to delete a project but is blocked by a lien. They navigate to the Privileged Access Manager console, locate the remove-project-lien entitlement, and click Request Grant.
- Approve: User B (the approver) receives a notification/email, reviews the justification (e.g., "Decommissioning project X"), and clicks Approve.
- Action: User A is temporarily granted the Lien Administrator role. They can now proceed to delete the lien (thereby enabling subsequent project deletion) using the following commands:
  gcloud alpha resource-manager liens list
  gcloud alpha resource-manager liens delete <lien_name>
- Cleanup: After the configured duration (e.g., 1 hour), the Lien Administrator role is automatically revoked from User A, removing their ability to modify liens.