Google Cloud Suspended Customer’s Account Three Times, For Three Differentreasons

The founder of a service that manages SSL certificates says Google Cloud has suspended his account three times, without good reason, and recommended not using the G-Cloud for serious workloads.

In a Monday post, Andrew Ayer, founder of SSLMate, explains that his company uses Google Cloud for “testing and experimentation,” but mostly “to enable integrations with our customers’ Google Cloud accounts so that we can publish certificate validation DNS records and discover domain names to monitor on their behalf.”

Google Cloud blunder sinks Australian fund for a week

READ MORE

“We create a service account for each customer under our Google Cloud project, and ask the customer to authorize this service account to access Cloud DNS and Cloud Domains,” Ayer wrote. “When SSLMate needs to access a customer’s Google Cloud account, it impersonates the corresponding service account.”

Ayer said he developed this system based on a suggestion in Google Cloud’s own documentation on how to use cloud APIs. He says it “works really well” and is “both very easy for the customer to configure, and secure: there are no long-lived credentials or confused deputy vulnerabilities.”

When it works.

The first time it broke was in May 2024, when Ayer tried to log in and saw a message stating he had used Google Cloud in a way that violated the company’s policies. His post explains the “super frustrating” effort required to restore access, as Google asked him to provide information that was only accessible if he logged in – while the web giant prevented him from logging in.

Ayer managed to partially restore access, but was then told Google had again restricted his account – this time for a different reason.

Google later restored access.

“I was never told why our account was suspended or what could be done to prevent it from happening again,” he wrote, adding that Google never sent emails notifying him of the suspension. He therefore wrote a health check to warn him if SSLMate’s customer integrations failed.

A couple of weeks ago, in late October, that health check failed because all customer integrations were down as Google had again flagged them as violating its policies. This time, restoration was swift, helped by the fact Ayer had access to information he knew Google support would require to act on his complaints.

Last Friday, Google suspended SSLMate’s account again. Ayer says Google offered a new reason for its actions: A terms of service violation.

He appealed and two days later received “an automated email stating that SSLMate’s access to Google Cloud was now completely suspended.” He shared his story on social media, and Google restored his services.

It gets weirder, because the suspensions didn’t impact all of SSLMate’s customer integrations.

I cannot rely on having a Google account for production use cases

“Incredibly, we have one lucky customer whose integration has continued to work during every suspension, even though it uses a service account in the same suspended project as all the other customer integrations,” Ayer wrote.

He now thinks SSLMate needs to ditch Google Cloud.

“Clearly, I cannot rely on having a Google account for production use cases,” he wrote. “Google has built a complex, unreliable system in which some or all of the following can be suspended: an entire Google account, a Google Cloud Platform account, or individual Google Cloud projects.”

His post outlines a potential workaround for his Google problem by using OpenID Connect (OIDC), but feels the web giant has made that fix “unnecessarily difficult.”

Ayer is frustrated.

“I find this state of affairs unacceptable, because it’s really, really important to move away from long-lived credentials and Google ought to be doing everything possible to encourage more secure alternatives,” he wrote. “Sadly, SSLMate’s current solution of provider-created service accounts is susceptible to arbitrary account suspensions, and OIDC is hampered by an unnecessarily complicated setup process.” ®

Original Source