Comment by cj
8 hours ago
Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
In my experience Google Workspace support is very good. I’ve always been able to get a knowledgeable person on a call to debug issues without much difficulty.
But yea, if you’re locked out of your admin account, that’s another story. Very similar to if you get locked out of your AWS root account. It’s a nightmare to recover.
> Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
It sounds like the mistake here is not appointing another Super Admin, and making sure they don't use their account for day to day needs. Or just having two Super Admin accounts controlled by the same person, heh.
I can't see how not using one's Super Admin account wouldn't prevent tripping some kind of fraud lockout that's impossible to recover from.
Randomly, I just remembered that I lost a GCP account because I tried logging in from Laos, and they asked me for the front and back photos of a payment card that I used ages ago that I didn't bother making scans of before it was lost. Urgh.
Make a primary super admin (admin@ whatever) and only log into it for admin purposes. Make an actual user (you@) for day to day line of business work. This has the benefit of making some categories of spear phishing and xsrf attacks harder if the account that gets compromised doesn't have root.
That's what I've been doing.
It doesn't address this thread's concern that a single Super Admin could be locked out with no recourse, since Google's customer support is horrendously bad.
So you're saying for a simple setup of 1 user, you really need to pay for 2 users. The admin account and the real user you want to use, which doubles the cost.
In an ideal world, 3 users, because you want a backup admin in case your primary admin is lost.
I don’t love it either, but these are Google’s published best practices / recommendations.