CIO Influence

Google Cloud Suspended Customer’s Account Three Times, for Three Different Reasons

Experience leads company boss to decide ‘I cannot rely on having a Google account for production use cases’

The founder of a service that manages SSL certificates says Google Cloud has suspended his account three times, without good reason, and has recommended against using the G-Cloud for serious workloads.

In a Monday post, Andrew Ayer, founder of SSLMate, explains that his company uses Google Cloud for “testing and experimentation,” but mostly “to enable integrations with our customers’ Google Cloud accounts so that we can publish certificate validation DNS records and discover domain names to monitor on their behalf.”

“We create a service account for each customer under our Google Cloud project, and ask the customer to authorize this service account to access Cloud DNS and Cloud Domains,” Ayer wrote. “When SSLMate needs to access a customer’s Google Cloud account, it impersonates the corresponding service account.”

Ayer said he developed this system based on a suggestion in Google Cloud’s own documentation on how to use cloud APIs. He says it “works really well” and is “both very easy for the customer to configure, and secure: there are no long-lived credentials or confused deputy vulnerabilities.”

When it works.

The first time it broke was in May 2024, when Ayer tried to log in and saw a message stating he had used Google Cloud in a way that violated the company’s policies. His post explains the “super frustrating” effort required to restore access, as Google asked him to provide information that was only accessible if he logged in – while the web giant prevented him from logging in.

Google later restored access.

“I was never told why our account was suspended or what could be done to prevent it from happening again,” he wrote, adding that Google never sent emails notifying him of the suspension. He therefore wrote a health check to warn him if SSLMate’s customer integrations failed.

A couple of weeks ago, in late October, that health check failed because all customer integrations were down as Google had again flagged them as violating its policies. This time, restoration was swift, helped by the fact Ayer had access to information he knew Google support would require to act on his complaints.

Last Friday, Google suspended SSLMate’s account again. Ayer says Google offered a new reason for its actions: A terms of service violation.

He appealed and two days later received “an automated email stating that SSLMate’s access to Google Cloud was now completely suspended.” He shared his story on social media, and Google restored his services.

It gets weirder, because the suspensions didn’t impact all of SSLMate’s customer integrations.

“Incredibly, we have one lucky customer whose integration has continued to work during every suspension, even though it uses a service account in the same suspended project as all the other customer integrations,” Ayer wrote.

He now thinks SSLMate needs to ditch Google Cloud.

“Clearly, I cannot rely on having a Google account for production use cases,” he wrote. “Google has built a complex, unreliable system in which some or all of the following can be suspended: an entire Google account, a Google Cloud Platform account, or individual Google Cloud projects.”

His post outlines a potential workaround for his Google problem using OpenID Connect (OIDC), but he feels the web giant has made that fix “unnecessarily difficult.”

Ayer is frustrated.

“I find this state of affairs unacceptable, because it’s really, really important to move away from long-lived credentials and Google ought to be doing everything possible to encourage more secure alternatives,” he wrote. “Sadly, SSLMate’s current solution of provider-created service accounts is susceptible to arbitrary account suspensions, and OIDC is hampered by an unnecessarily complicated setup process.”
