Lost $300 due to an API key leak from "vibe coding" – Learn from my mistake

liulanggoukk | 7 points

Talking about hardcoded API keys, what’s the usual approach when dealing with a mobile app that talks to an API? Users don’t need auth to use the app (they do log in via an alphanumeric code they get via marketing). I only know how to do this properly via auth flows (user inputs username + password, then the app calls the API for a user JWT, and the app then uses the JWT in subsequent calls). I don’t think using this flow makes sense when the user “logs in” via a simple alphanumeric code (which is of length 5 and anyone could guess).

tkiolp4 | 21 hours ago

If Google sent you an alert, laud them and demand your $300 back?

farseer | 6 hours ago

I always wish you could kill-switch a billing alert on any cloud service, so if it goes above my prescribed limit, just take it offline.

fiftyacorn | a day ago

> human oversight is still crucial, especially for security

always always always: code review everything AI makes (CREAM)

it also helps if you understand what it’s writing. the only way to do that is to… review the code

objcts | a day ago

You learned the wrong lesson.

You should never specify API keys anywhere in your code or env files for GCP or AWS.

https://cloud.google.com/docs/authentication/application-def...

You still risk checking in your env file.

Doing it the correct way, your config is in your home directory locally far away from your repo and it finds the configuration automatically when running on GCP.

Even better when developing locally is assign environment variables to temporary access keys.

I’m being handwavy because I’m not a GCP guy. But on AWS, you do something similar by using “aws config” locally and using the IAM role attached to the VM, Lambda, etc., so you never need to deploy with access keys.

This isn’t meant to be an “AWS does it better” comment. From my brief research, it looks like something similar is also best practice with GCP.

scarface_74 | a day ago
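The comment above argues for keeping keys out of code and env files entirely; the backstop when someone does paste one in is to catch it before the commit leaves the machine. The following is an added example, not code from anyone in this thread: a small pre-commit style scanner for the publicly documented AWS access key ID and Google API key formats plus `.env`-style secret assignments. The staged file contents and key values are constructed placeholders.

```python
"""Pre-commit style scan for hardcoded cloud credentials (added example)."""
import re
from typing import Dict, List, Tuple

# Public, documented key formats. AWS long-term keys start with AKIA,
# temporary (STS) keys with ASIA; Google API keys start with AIza.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    # Assignment to a secret-looking variable name, e.g. in a .env file
    "env_assignment": re.compile(
        r"^\s*(?:export\s+)?([A-Z0-9_]*(?:SECRET|TOKEN|API_KEY|PASSWORD)[A-Z0-9_]*)\s*=\s*\S+",
        re.MULTILINE,
    ),
}


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return sorted (path, line_no, finding_name) tuples; empty list if clean."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1  # 1-based line of the hit
            findings.append((path, line_no, name))
    return sorted(findings)


def check_commit(files: Dict[str, str]) -> bool:
    """True if the staged files may be committed, False if any secret was found."""
    all_findings = []
    for path, text in files.items():
        all_findings.extend(scan_text(path, text))
    for path, line_no, name in all_findings:
        # A key that reached a commit should be treated as exposed and rotated.
        print(f"{path}:{line_no}: possible {name}; remove it and rotate the key")
    return not all_findings


# Constructed sample "staged files" with placeholder values (not real keys).
STAGED = {
    ".env": "GOOGLE_API_KEY=AIza" + "A" * 35 + "\n",
    "app.py": 'client = Client(key="AKIA' + "B" * 16 + '")\n',
    "README.md": "Run `aws configure` locally; nothing secret here.\n",
}

if __name__ == "__main__":
    raise SystemExit(0 if check_commit(STAGED) else 1)
```

Wired into a git pre-commit hook over the staged diff, a non-zero exit blocks the commit; the documented prefixes catch the two cloud providers discussed here, and the assignment pattern catches keys of any format that land in a `.env` file.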

Kind of a nothing burger post.

I uploaded my API key to a public repository

I learned not to do this.

Never upload your API key to a public repository.

Ok.

dankwizard | 17 hours ago

I hate API keys. We need to get rid of them. Everyone who can influence this ... please do.

The alternative? JWT or suchlike. Authenticate each session with zero trust.

At big-corp work, everything is Okta / JWT / YubiKey etc. Very, very occasionally an API key.

giveita | a day ago