News: 1762241292

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Google Cloud suspended customer's account three times, for three different reasons

(2025/11/04)


The founder of a service that manages SSL certificates says Google Cloud has suspended his account three times, without good reason, and recommended not using the G-Cloud for serious workloads.

In a Monday [1]post , Andrew Ayer, founder of SSLMate, explains that his company uses Google Cloud for “testing and experimentation,” but mostly “to enable integrations with our customers' Google Cloud accounts so that we can publish certificate validation DNS records and discover domain names to monitor on their behalf.”

Google Cloud blunder sinks Australian fund for a week [2]READ MORE

“We create a service account for each customer under our Google Cloud project, and ask the customer to authorize this service account to access Cloud DNS and Cloud Domains,” Ayer wrote. “When SSLMate needs to access a customer's Google Cloud account, it impersonates the corresponding service account.”

Ayer said he developed this system based on a suggestion in Google Cloud’s own [3]documentation on how to use cloud APIs. He says it “works really well” and is “both very easy for the customer to configure, and secure: there are no long-lived credentials or confused deputy vulnerabilities.”

When it works.

[4]

The first time it broke was in May 2024, when Ayer tried to log in and saw a message stating he had used Google Cloud in a way that violated the company’s policies. His post explains the “super frustrating” effort required to restore access, as Google asked him to provide information that was only accessible if he logged in – while the web giant prevented him from logging in.

[5]

[6]

Ayer managed to partially restore access, but was then told Google had again restricted his account – this time for a different reason.

Google later restored access.

[7]

“I was never told why our account was suspended or what could be done to prevent it from happening again,” he wrote, adding that Google never sent emails notifying him of the suspension. He therefore wrote a health check to warn him if SSLMate’s customer integrations failed.

[8]Google yanks Gemma after US senator says model ‘hallucinated’ her committing crimes

[9]Google parent company spending like a drunken sailor as capex triples over 2 years

[10]Google says reports of a Gmail breach have been greatly exaggerated

[11]Google unmasks itself as mystery hyperscaler behind yet another UK datacenter

A couple of weeks ago, in late October, that health check failed because all customer integrations were down as Google had again flagged them as violating its policies. This time, restoration was swift, helped by the fact Ayer had access to information he knew Google support would require to act on his complaints.

Last Friday, Google suspended SSLMate’s account again. Ayer says Google offered a new reason for its actions: A terms of service violation.

He appealed and two days later received “an automated email stating that SSLMate's access to Google Cloud was now completely suspended.” He shared his story on social media, and Google restored his services.

It gets weirder, because the suspensions didn’t impact all of SSLMate’s customer integrations.

I cannot rely on having a Google account for production use cases

“Incredibly, we have one lucky customer whose integration has continued to work during every suspension, even though it uses a service account in the same suspended project as all the other customer integrations,” Ayer wrote.

He now thinks SSLMate needs to ditch Google Cloud.

[12]

“Clearly, I cannot rely on having a Google account for production use cases,” he wrote. “Google has built a complex, unreliable system in which some or all of the following can be suspended: an entire Google account, a Google Cloud Platform account, or individual Google Cloud projects.”

His post outlines a potential workaround for his Google problem by using OpenID Connect (OIDC), but feels the web giant has made that fix “unnecessarily difficult.”

Ayer is frustrated.

“I find this state of affairs unacceptable, because it's really, really important to move away from long-lived credentials and Google ought to be doing everything possible to encourage more secure alternatives,” he wrote. “Sadly, SSLMate's current solution of provider-created service accounts is susceptible to arbitrary account suspensions, and OIDC is hampered by an unnecessarily complicated setup process.” ®

Get our [13]Tech Resources



[1] https://www.agwa.name/blog/post/google_suspended_sslmates_cloud_account_again

[2] https://www.theregister.com/2024/05/08/google_cloud_misconfiguration_takes_australian/

[3] https://support.google.com/cloud/answer/13463817?sjid=3625613075585023337-NA#zippy=%2Chow-can-i-access-data-from-my-users-google-cloud-project-using-cloud-apis

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aQncxxC6JDRJmtF5MO8uCAAAABc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aQncxxC6JDRJmtF5MO8uCAAAABc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aQncxxC6JDRJmtF5MO8uCAAAABc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aQncxxC6JDRJmtF5MO8uCAAAABc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2025/11/03/google_pulls_gemma_from_ai_studio/

[9] https://www.theregister.com/2025/10/30/alphabet_capex/

[10] https://www.theregister.com/2025/10/28/gmail_breach_fake_news/

[11] https://www.theregister.com/2025/09/16/google_hertfordshire_datacenter/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aQncxxC6JDRJmtF5MO8uCAAAABc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://whitepapers.theregister.com/


The problem is simple

Pascal Monett

Google doesn't like other people making money off its back.

The money goes to Google. If it doesn't, your account is suspended.

When it does, in its magnificence, Google might decide to throw you a few pennies.

...and water is wet

Anonymous Coward

Google's reputation in this area is well established.

Remember the meme: 'The cloud is just someone else's computer'

You want full control, host or Colo your own platform.

I don't even trust Google with basic email

Andy Non

A few years ago I foolishly explored the idea of having a Gmail account as my primary email account. It didn't go well. I like all my emails stored locally so set up POP3 access as documented by Google so I could send and receive email locally via Thunderbird. I sent and received a few email tests without problem ... and a few hours later google suspended my account for "suspicious activity". So that was the end of that.

Re: I don't even trust Google with basic email

FirstTangoInParis

I wonder if that’s because it likes customers to leave their private going’s-on on their servers so Gemini can have a good look through them. But even long ago they would unhelpfully try to categorise emails as important and a bit junky. Having said that, their anti-spam filters are the best around by a country mile.

"He now thinks SSLMate needs to ditch Google Cloud."

Bebu sa Ware

Presumably on the three strikes principle.

Curious if Alphabet offers a similar (ie competing) service through one of its subsidary acquisitions ?

You can be certain such sharp business practices are perfectly legal in USofA and de rigeur.

Ignore what I saw

PCScreenOnly

Makes me laugh when their own documentaiton says "you can do this, that the other", or "to do this, you configure like this" and then they say you are breaking whatever silly decision today

If you do not want anyone to utilise it, then don't document it for people to read, understand and then implement.

If he is using undocumented methods / API calls, fair enough

Doctor Syntax

Consider the size discrepancy between your own company and those you're choosing as suppliers. If they're sufficiently bigger than yours that your custom is insignificant to them then expect to receive bad service.

Anonymous Coward

I set up a Google account to log into my company’s developer portal for the Play store. I only logged in the once to check it worked, but within 28 days the account was suspended. I appealed and the appeal was rejected. At no time was I told what I had supposedly done. Now they just ignore me.

I hate that company with a passion.

Peterson's Rules:
(1) Trucks that overturn on freeways are filled with something sticky.
(2) No cute baby in a carriage is ever a girl when called one.
(3) Things that tick are not always clocks.
(4) Suicide only works when you're bluffing.