The founder of SSLMate, a service that manages SSL certificates, has reported that Google Cloud has suspended his account on three separate occasions, citing different reasons each time. This experience has led Andrew Ayer to conclude that he cannot depend on a Google account for serious production workloads.
Ayer detailed his company's reliance on Google Cloud for testing and experimentation, primarily to facilitate integrations with their customers' Google Cloud accounts. This setup allows SSLMate to publish certificate validation DNS records and monitor domain names on behalf of clients.
In his account, Ayer explained that SSLMate creates a service account for each customer within SSLMate's own Google Cloud project, and the customer authorizes that service account to access Cloud DNS and Cloud Domains. When SSLMate needs to interact with a customer's Google Cloud account, it impersonates the respective service account. Ayer stated that this system, which is based on Google Cloud's own documentation for using cloud APIs, is effective, easy for customers to configure, and secure due to the absence of long-lived credentials or vulnerabilities.
However, issues arose in May 2024, when Ayer attempted to log in only to find that his account had been suspended for allegedly violating Google's policies. He described the frustrating process of trying to regain access, where Google requested information only obtainable through logging in, which he was unable to do. Although he managed to partially restore access, his account was subsequently restricted again for a different reason, with no clear explanation provided by Google.
Ayer noted that he never received any emails regarding the suspensions, prompting him to develop a health check system to alert him if any customer integrations failed. Unfortunately, this health check recently indicated that all customer integrations were down after Google flagged them once more for policy violations. Fortunately, the restoration process was quicker this time, aided by Ayer's knowledge of the information Google support would need to address his complaints.
Last Friday, Ayer faced yet another suspension, with Google citing a violation of terms of service. He filed an appeal and received an automated email two days later stating that SSLMate's access to Google Cloud was completely suspended. After he shared his experience on social media, Google restored his services.
Interestingly, not all of SSLMate's customer integrations were affected by the suspensions. Ayer pointed out that one specific customer's integration continued to function despite being part of the same suspended project as the others. This inconsistency has led Ayer to the conclusion that SSLMate should consider abandoning Google Cloud altogether.
Ayer expressed his frustration, stating, “Clearly, I cannot rely on having a Google account for production use cases.” He criticized Google for creating a complex and unreliable system where an entire Google account, a Google Cloud Platform account, or individual projects can be suspended without warning.
In light of these challenges, Ayer has suggested a potential workaround involving OpenID Connect (OIDC) but lamented that the process has been made unnecessarily complicated by Google. He emphasized the importance of moving away from long-lived credentials and called on Google to actively promote more secure alternatives. Ayer concluded that the current solution of provider-created service accounts leaves SSLMate vulnerable to arbitrary account suspensions, while OIDC is hindered by its overly complex setup.
