by elzbardico 1117 days ago
Even if you manage to reach out to Google, I doubt they will do anything like remove your group from those roles. From their POV you could be just trying to social engineer them into removing someone who has legitimate access.

I think you have better chances contacting people in the org who added your group to those roles.

2 comments

Google shouldn't automatically remove you but

1. They should contact the firms involved, make them aware of the situation and then the firms will take a decision on whether to remove or not.

2. They should then look over GCP design and see if there's something that they can do to prevent a reoccurrence of this type of error/mistake.

I have a similar-but-different problem: a commonly used Gmail address that apparently someone(s) not me was using out in the wild for serious business.

Among other things, I received:

  Interview requests for jobs to which I never applied
  A background screening for a FL sheriff's job
  Legal communications for buying a home
  Business relationship emails
  Account and subscriptions for a variety of services

Relevant point being -- every single one of these counterparties had no idea what to do with me responding "I am not the person who you've been talking with about this. They appear to be using my email. Please ask them to update their email."

It made me realize how shitty most people are at dealing with anything other than business-as-usual.

Agreed. I know Google is famously hard to get in touch with, but I don't understand how this falls on Google's plate or is really Google's fault at all. Maybe if they shared some more info about what IAM group they created that managed to trick people into adding it, Google could create rules to ban group names like that from being created?

It's Google's fault because there's no "remove me from having access to this" button.

If one is conscientious enough to report themselves to be removed, they could also simply ignore the access.

There's liability in having access to some random crap, even if you don't intentionally use it.

If something goes wrong, someone accesses or modifies something that they shouldn't have, you having access is going to be at _best_ confusing to everyone. At worst the cops or lawyers will come calling. Sure, you'll _probably_ be able to talk them down, but does that sound like fun?

Or what if someone breaks into _your_ account and accesses that way? Untangling that mess will not be a good time.

And let's say those firms are creating some shady stuff like Silk Road. You'd have a hard time explaining to the Feds that you appear as an administrator because of a mistake.