Cloudberry Engineering

The Quirks of Apps Script and Google Cloud

Written on gcp gsuite

Using Apps Script for scripting GSuite / Google Workplace will generate Google Cloud Platform (GCP) projects in the background.

While they are hidden by default, they will still show up from the APIs: don’t panic.

What is Apps Script?

Apps Script is the GSuite / Google Workplace scripting environment to create add-ons for Gmail and GSuite services.

You can read more here. I think of it as the GSuite’s Visual Basic.

What’s in sys-1234567890123567890123456?

Google Cloud Projects are a gateway towards Google’s API, because of quotas, authentication and logging facilities. This is, I guess, the essence of the relationship between Apps Script and GCP.

These specific projects follow sys-00000000000000000000000000 (sys- plus 26 numbers) as a name convention and by default will belong in the apps-script Folder.

They are provisioned empty with just a single role binding: appsdev-apps-dev-script-auth@system.gserviceaccount.com. as Owner.

Apps Script GCP Projects Governance

For new GSuite / Google Workplace accounts, Apps Script projects are hidden by default. They do still exist under the Organization hierarchy and they can be seen with the resourcemanager.projects.list permission.

This permission is foundational for any service that needs to build an inventory, such as Forseti, Cartography, etc. And of course App Scripts projects will show up.

While they are empty by default, authorized users can still use them to provision resources and what not, so it’s better to keep an eye on them.

Luckily one can enforce Organization Policies on the apps-script folder to limit the realm of possibilities. Some suggestions:

  • Whitelist allowed APIs
  • Disable service account creation
  • Disable service account key creation
  • Skip default network creation
  • Compute Storage resource use restrictions

But.

If your Gsuite / Google Workplace account is older than April 2019, then all the Apps Script projects are visible and created directly under the Organization root node.

This means that if you want to apply Organization policies, you have to group them under a Folder manually.

In this case it might be easier to set up detections to (at least) monitor the IAM policy and Service Accounts (SA) creations.

Conclusion

Apps Script projects are not a huge security issue but they can become blind spots, expecially because are semi-hidden by default. Restrict with Organization policy if possible and monitor for creation of Service Accounts.