DEV Community: Cloudsentinel.dev The latest articles on DEV Community by Cloudsentinel.dev (@cloudsentinel_official). https://dev.to/cloudsentinel_official https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2310330%2F8f345a16-61c8-4964-a336-2b2c1ad92732.png DEV Community: Cloudsentinel.dev https://dev.to/cloudsentinel_official en GCP Has No Automatic Kill Switch for Leaked API Keys. Here's What I Built. Cloudsentinel.dev Thu, 30 Apr 2026 09:56:56 +0000 https://dev.to/cloudsentinel_official/gcp-has-no-automatic-kill-switch-for-leaked-api-keys-heres-what-i-built-3680 https://dev.to/cloudsentinel_official/gcp-has-no-automatic-kill-switch-for-leaked-api-keys-heres-what-i-built-3680 <p><em>And what you can do right now to protect yourself — whether you use my tool or not.</em></p> <p>I kept seeing posts like this on Reddit:</p> <blockquote> <p>"Woke up to a $128,000 Google Cloud bill. Key was compromised overnight. Google denied the adjustment request."</p> <p>"3-person startup. Gemini API key silently reauthorized. Normal monthly spend was $180. Bill: $82,314 in 48 hours."</p> <p>"Student. Pushed API key to a private GitHub repo that was accidentally public. Was on summer break. Never saw the alerts. $55,444."</p> </blockquote> <p>I'm a developer building on GCP myself. After reading enough of these, I realized I had zero automatic protection. If one of my keys got leaked tonight, the only thing standing between me and a five-figure bill was:</p> <ol> <li>Hoping I'd see a budget alert email in time</li> <li>Being awake</li> <li>Logging in fast enough</li> <li>Finding the right key</li> <li>Deleting it manually</li> </ol> <p>That's a terrible safety net.</p> <p>So I built <a href="https://cloudsentinel.dev" rel="noopener noreferrer">CloudSentinel</a> — an automatic kill switch for GCP API keys. But this article isn't a pitch. It's an honest walkthrough of the problem, why GCP's existing tools fall short, and what you can do about it — including building your own solution if you prefer.</p> <h2> Why GCP's Built-In Tools Aren't Enough </h2> <h3> Budget alerts lag 4-12 hours </h3> <p>GCP billing data is not real-time. It's aggregated and delivered with a delay. By the time a budget alert fires, the damage is often already done.</p> <p>Here's the timeline of a typical incident:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00:00 — API key leaks (committed to GitHub, exposed in frontend, etc.) 00:03 — Automated scanners find the key 00:05 — Attacker starts making requests 04:00 — GCP billing data updates 04:30 — Budget alert email arrives 04:31 — You're asleep 08:00 — You wake up and see the email 08:05 — You log in and delete the key 08:05 — Damage: 8 hours of uncontrolled API usage </code></pre> </div> <p>Budget alerts are better than nothing. But they depend on someone being awake, seeing the email, and acting fast enough.</p> <h3> Spend Caps are a blunt instrument </h3> <p>Google recently announced Spend Caps for some services (Gemini, Cloud Run, Maps). Good first step. But:</p> <ul> <li>They pause <strong>all</strong> traffic in your project — not just the abused key</li> <li>Your other keys and services stop working too</li> <li>They're spend-based, not request-based — they trigger after money is already spent</li> <li>They don't cover every GCP API</li> </ul> <p>If you have 5 API keys in a project and one gets compromised, Spend Caps kill all 5. Your app goes down. CloudSentinel revokes only the specific key that crossed the threshold — everything else keeps running.</p> <h3> API key restrictions help but don't stop abuse </h3> <p>You should restrict your API keys to specific APIs and referrers. This is good practice. But:</p> <ul> <li>IP restrictions don't help if the attacker uses the same IP range as your legitimate traffic</li> <li>Referrer restrictions can be spoofed</li> <li>Restrictions don't stop someone who already has the key and knows what APIs it's authorized for</li> </ul> <p>Restrictions reduce the blast radius. They don't eliminate the risk.</p> <h2> What Actually Works: Request Volume Monitoring </h2> <p>The GCP billing system lags. But the <strong>GCP Cloud Monitoring API</strong> doesn't.</p> <p>Specifically, the <code>serviceruntime.googleapis.com/api/request_count</code> metric gives you near-real-time request counts per API key. This is what GCP uses internally. And it's accessible via the <code>timeSeries.list</code> API with just a <code>monitoring.timeSeries.list</code> permission.</p> <p>Here's what a simple poll looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Simplified — real implementation handles auth via service account JWT</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://monitoring.googleapis.com/v3/projects/</span><span class="p">${</span><span class="nx">gcpProjectId</span><span class="p">}</span><span class="s2">/timeSeries?`</span> <span class="o">+</span> <span class="s2">`filter=metric.type="serviceruntime.googleapis.com/api/request_count"`</span> <span class="o">+</span> <span class="s2">`&amp;interval.startTime=</span><span class="p">${</span><span class="nx">startTime</span><span class="p">}</span><span class="s2">&amp;interval.endTime=</span><span class="p">${</span><span class="nx">endTime</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// data.timeSeries contains request counts per credential_id (API key UID)</span> </code></pre> </div> <p>The response includes <code>metric.labels.credential_id</code> — the unique identifier of the API key. You can map this back to specific keys and compare against thresholds.</p> <p><strong>Key insight:</strong> GCP returns cumulative counts over the requested time window. If you poll every minute with a 24-hour window, you get the total requests for that key today. When that number crosses your threshold, you revoke the key.</p> <h2> How to Build Your Own (DIY Version) </h2> <p>If you want to build this yourself, here's the minimal architecture:</p> <h3> Step 1: Create a minimal IAM role </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam roles create my_api_monitor <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>YOUR_PROJECT <span class="se">\</span> <span class="nt">--title</span><span class="o">=</span><span class="s2">"API Key Monitor"</span> <span class="se">\</span> <span class="nt">--permissions</span><span class="o">=</span>apikeys.keys.delete,apikeys.keys.get,apikeys.keys.list,monitoring.timeSeries.list </code></pre> </div> <p>This is all you need. No owner role. No billing access. No editor permissions.</p> <h3> Step 2: Poll the monitoring API </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.oauth2</span> <span class="kn">import</span> <span class="n">service_account</span> <span class="kn">from</span> <span class="n">googleapiclient.discovery</span> <span class="kn">import</span> <span class="n">build</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span><span class="p">,</span> <span class="n">timezone</span> <span class="k">def</span> <span class="nf">get_request_counts</span><span class="p">(</span><span class="n">project_id</span><span class="p">,</span> <span class="n">credentials</span><span class="p">):</span> <span class="n">service</span> <span class="o">=</span> <span class="nf">build</span><span class="p">(</span><span class="sh">'</span><span class="s">monitoring</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">v3</span><span class="sh">'</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">credentials</span><span class="p">)</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">24</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">service</span><span class="p">.</span><span class="nf">projects</span><span class="p">().</span><span class="nf">timeSeries</span><span class="p">().</span><span class="nf">list</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">projects/</span><span class="si">{</span><span class="n">project_id</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="sh">'</span><span class="s">metric.type=</span><span class="sh">"</span><span class="s">serviceruntime.googleapis.com/api/request_count</span><span class="sh">"'</span><span class="p">,</span> <span class="o">**</span><span class="p">{</span> <span class="sh">'</span><span class="s">interval.startTime</span><span class="sh">'</span><span class="p">:</span> <span class="n">start_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">interval.endTime</span><span class="sh">'</span><span class="p">:</span> <span class="n">end_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">aggregation.alignmentPeriod</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">86400s</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">aggregation.perSeriesAligner</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">ALIGN_SUM</span><span class="sh">'</span> <span class="p">}</span> <span class="p">).</span><span class="nf">execute</span><span class="p">()</span> <span class="n">counts</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">series</span> <span class="ow">in</span> <span class="n">result</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">timeSeries</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">credential_id</span> <span class="o">=</span> <span class="n">series</span><span class="p">[</span><span class="sh">'</span><span class="s">metric</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">labels</span><span class="sh">'</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">credential_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">credential_id</span> <span class="ow">and</span> <span class="n">series</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">points</span><span class="sh">'</span><span class="p">):</span> <span class="n">counts</span><span class="p">[</span><span class="n">credential_id</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span> <span class="n">series</span><span class="p">[</span><span class="sh">'</span><span class="s">points</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">int64Value</span><span class="sh">'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">counts</span> </code></pre> </div> <h3> Step 3: Evaluate thresholds </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_and_revoke</span><span class="p">(</span><span class="n">project_id</span><span class="p">,</span> <span class="n">monitored_keys</span><span class="p">,</span> <span class="n">request_counts</span><span class="p">,</span> <span class="n">credentials</span><span class="p">):</span> <span class="n">apikeys_service</span> <span class="o">=</span> <span class="nf">build</span><span class="p">(</span><span class="sh">'</span><span class="s">apikeys</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">v2</span><span class="sh">'</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">credentials</span><span class="p">)</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">monitored_keys</span><span class="p">:</span> <span class="n">credential_id</span> <span class="o">=</span> <span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">credential_id</span><span class="sh">'</span><span class="p">]</span> <span class="n">threshold</span> <span class="o">=</span> <span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">threshold</span><span class="sh">'</span><span class="p">]</span> <span class="n">current_count</span> <span class="o">=</span> <span class="n">request_counts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">credential_id</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">if</span> <span class="n">current_count</span> <span class="o">&gt;</span> <span class="n">threshold</span><span class="p">:</span> <span class="c1"># Revoke the key </span> <span class="n">apikeys_service</span><span class="p">.</span><span class="nf">projects</span><span class="p">().</span><span class="nf">locations</span><span class="p">().</span><span class="nf">keys</span><span class="p">().</span><span class="nf">delete</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">resource_name</span><span class="sh">'</span><span class="p">]</span> <span class="p">).</span><span class="nf">execute</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Revoked </span><span class="si">{</span><span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">: </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">current_count</span><span class="si">}</span><span class="s"> requests &gt; threshold </span><span class="si">{</span><span class="n">threshold</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Send alert (email, Slack, etc.) </span> <span class="nf">send_alert</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">current_count</span><span class="p">,</span> <span class="n">threshold</span><span class="p">)</span> </code></pre> </div> <h3> Step 4: Run it on a schedule </h3> <p>On a Cloud Run job, a cron on a cheap VM, or any scheduler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Cloud Scheduler → Cloud Run job every minute</span> <span class="c"># Or a simple cron:</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> python3 /opt/api-monitor/check_keys.py </code></pre> </div> <p>That's the core of it. The full implementation adds:</p> <ul> <li>Deduplication (don't revoke the same key twice)</li> <li>Retry logic for GCP API failures</li> <li>Proper JWT auth for service accounts</li> <li>Storage for monitored keys and thresholds</li> <li>Email notifications</li> </ul> <h2> The Gotchas I Hit Building This </h2> <h3> 1. Permission casing matters </h3> <p><code>monitoring.timeSeries.list</code> — capital <strong>S</strong> in timeSeries. I spent an embarrassing amount of time getting 403 errors because I wrote <code>monitoring.timeseries.list</code>. GCP is case-sensitive here.</p> <h3> 2. GCP doesn't return zero-count keys </h3> <p>If a key has zero requests in the time window, it doesn't appear in the timeSeries response at all. Your polling logic needs to handle this — keys with no data have zero requests, not missing data.</p> <h3> 3. Billing vs monitoring delay </h3> <p>Billing data lags 4-12 hours. Monitoring data lags 3-5 minutes. If you're using Cloud Monitoring (not billing), your detection is much faster. Always use the monitoring API, not billing data, for real-time detection.</p> <h3> 4. Cumulative vs delta counts </h3> <p>The API returns cumulative counts over the requested time window. Don't subtract consecutive polls to get deltas — just compare the total against your daily/hourly threshold directly.</p> <h3> 5. GCP alerting policies add too much latency </h3> <p>I initially tried using GCP alerting policies + pub/sub + Cloud Functions. The additional latency from alerting policy evaluation added 15-25 minutes on top of the 3-5 minute metric delay. Direct polling is faster and simpler.</p> <h2> What I Actually Built </h2> <p>After going through all of the above myself, I packaged it into <a href="https://cloudsentinel.dev" rel="noopener noreferrer">CloudSentinel</a> — a hosted version with a dashboard, per-key thresholds, and automatic revocation.</p> <p>The setup is one gcloud command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud config <span class="nb">set </span>project YOUR_PROJECT <span class="o">&amp;&amp;</span> <span class="se">\</span> gcloud services <span class="nb">enable </span>apikeys.googleapis.com monitoring.googleapis.com <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>YOUR_PROJECT <span class="nt">--quiet</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> gcloud iam roles create cloudsentinel_XXXXXXXX <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>YOUR_PROJECT <span class="se">\</span> <span class="nt">--title</span><span class="o">=</span><span class="s2">"CloudSentinel Monitor"</span> <span class="se">\</span> <span class="nt">--permissions</span><span class="o">=</span>apikeys.keys.delete,apikeys.keys.get,apikeys.keys.list,monitoring.timeSeries.list <span class="se">\</span> <span class="nt">--quiet</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> gcloud projects add-iam-policy-binding YOUR_PROJECT <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:cloudsentinel@cloudsentinel-dev.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"projects/YOUR_PROJECT/roles/cloudsentinel_XXXXXXXX"</span> <span class="se">\</span> <span class="nt">--condition</span><span class="o">=</span>None <span class="nt">--quiet</span> </code></pre> </div> <p>It's early — I launched last week. 14-day free trial, no credit card. If you'd rather build your own using the code above, that's completely fine too — that's exactly what this article is for.</p> <h2> What You Should Do Right Now </h2> <p>Whether you use CloudSentinel or build your own, here's the minimum you should have in place for any GCP project with API keys:</p> <p><strong>1. Restrict your API keys</strong><br> In GCP Console → APIs &amp; Services → Credentials → edit each key:</p> <ul> <li>Restrict to specific APIs only</li> <li>Add referrer/IP restrictions where possible</li> </ul> <p><strong>2. Set a budget alert</strong><br> Not a replacement for monitoring, but a backstop. Set it at 50% of your expected monthly spend so you get early warning.</p> <p><strong>3. Never commit API keys to code</strong><br> Use Secret Manager or environment variables. Add <code>.env</code> to <code>.gitignore</code>. Use <code>git-secrets</code> or <code>gitleaks</code> as a pre-commit hook.</p> <p><strong>4. Audit who has access to your GCP project</strong><br> Go to IAM → check every member and role. Remove anything you don't recognize.</p> <p><strong>5. Monitor request volume</strong><br> Either build the script above, use CloudSentinel, or set up a Cloud Monitoring alert on <code>serviceruntime.googleapis.com/api/request_count</code>. Any of these is better than nothing.</p> <h2> Final Thought </h2> <p>The developers who lost $55K, $82K, $128K weren't careless. They were building, shipping, and learning. API key leaks happen to good engineers. The gap is that GCP gives you alerts but no automatic response.</p> <p>A budget alert tells you your house is on fire. CloudSentinel (or your own version of it) calls the fire department automatically.</p> <p>Set up some form of automatic protection before you need it. The setup takes 5 minutes. The regret takes longer.</p> <p><em>I'm David, one of the founders of CloudSentinel. If you have questions about the GCP monitoring API, the IAM setup, or anything in this article — drop a comment. Happy to help whether or not you use our tool.</em></p> <p><em><a href="https://cloudsentinel.dev" rel="noopener noreferrer">CloudSentinel</a> — automatic GCP API key revocation. 14-day free trial, no credit card required.</em></p> gcp googlecloud security ai GCP Has No Automatic Kill Switch for Leaked API Keys. Here's What I Built. Cloudsentinel.dev Thu, 30 Apr 2026 09:51:43 +0000 https://dev.to/cloudsentinel_official/gcp-has-no-automatic-kill-switch-for-leaked-api-keys-heres-what-i-built-44nh https://dev.to/cloudsentinel_official/gcp-has-no-automatic-kill-switch-for-leaked-api-keys-heres-what-i-built-44nh <p><em>And what you can do right now to protect yourself — whether you use my tool or not.</em></p> <p>I kept seeing posts like this on Reddit:</p> <blockquote> <p>"Woke up to a $128,000 Google Cloud bill. Key was compromised overnight. Google denied the adjustment request."</p> <p>"3-person startup. Gemini API key silently reauthorized. Normal monthly spend was $180. Bill: $82,314 in 48 hours."</p> <p>"Student. Pushed API key to a private GitHub repo that was accidentally public. Was on summer break. Never saw the alerts. $55,444."</p> </blockquote> <p>I'm a developer building on GCP myself. After reading enough of these, I realized I had zero automatic protection. If one of my keys got leaked tonight, the only thing standing between me and a five-figure bill was:</p> <ol> <li>Hoping I'd see a budget alert email in time</li> <li>Being awake</li> <li>Logging in fast enough</li> <li>Finding the right key</li> <li>Deleting it manually</li> </ol> <p>That's a terrible safety net.</p> <p>So I built <a href="https://cloudsentinel.dev" rel="noopener noreferrer">CloudSentinel</a> — an automatic kill switch for GCP API keys. But this article isn't a pitch. It's an honest walkthrough of the problem, why GCP's existing tools fall short, and what you can do about it — including building your own solution if you prefer.</p> <h2> Why GCP's Built-In Tools Aren't Enough </h2> <h3> Budget alerts lag 4-12 hours </h3> <p>GCP billing data is not real-time. It's aggregated and delivered with a delay. By the time a budget alert fires, the damage is often already done.</p> <p>Here's the timeline of a typical incident:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00:00 — API key leaks (committed to GitHub, exposed in frontend, etc.) 00:03 — Automated scanners find the key 00:05 — Attacker starts making requests 04:00 — GCP billing data updates 04:30 — Budget alert email arrives 04:31 — You're asleep 08:00 — You wake up and see the email 08:05 — You log in and delete the key 08:05 — Damage: 8 hours of uncontrolled API usage </code></pre> </div> <p>Budget alerts are better than nothing. But they depend on someone being awake, seeing the email, and acting fast enough.</p> <h3> Spend Caps are a blunt instrument </h3> <p>Google recently announced Spend Caps for some services (Gemini, Cloud Run, Maps). Good first step. But:</p> <ul> <li>They pause <strong>all</strong> traffic in your project — not just the abused key</li> <li>Your other keys and services stop working too</li> <li>They're spend-based, not request-based — they trigger after money is already spent</li> <li>They don't cover every GCP API</li> </ul> <p>If you have 5 API keys in a project and one gets compromised, Spend Caps kill all 5. Your app goes down. CloudSentinel revokes only the specific key that crossed the threshold — everything else keeps running.</p> <h3> API key restrictions help but don't stop abuse </h3> <p>You should restrict your API keys to specific APIs and referrers. This is good practice. But:</p> <ul> <li>IP restrictions don't help if the attacker uses the same IP range as your legitimate traffic</li> <li>Referrer restrictions can be spoofed</li> <li>Restrictions don't stop someone who already has the key and knows what APIs it's authorized for</li> </ul> <p>Restrictions reduce the blast radius. They don't eliminate the risk.</p> <h2> What Actually Works: Request Volume Monitoring </h2> <p>The GCP billing system lags. But the <strong>GCP Cloud Monitoring API</strong> doesn't.</p> <p>Specifically, the <code>serviceruntime.googleapis.com/api/request_count</code> metric gives you near-real-time request counts per API key. This is what GCP uses internally. And it's accessible via the <code>timeSeries.list</code> API with just a <code>monitoring.timeSeries.list</code> permission.</p> <p>Here's what a simple poll looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Simplified — real implementation handles auth via service account JWT</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://monitoring.googleapis.com/v3/projects/</span><span class="p">${</span><span class="nx">gcpProjectId</span><span class="p">}</span><span class="s2">/timeSeries?`</span> <span class="o">+</span> <span class="s2">`filter=metric.type="serviceruntime.googleapis.com/api/request_count"`</span> <span class="o">+</span> <span class="s2">`&amp;interval.startTime=</span><span class="p">${</span><span class="nx">startTime</span><span class="p">}</span><span class="s2">&amp;interval.endTime=</span><span class="p">${</span><span class="nx">endTime</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// data.timeSeries contains request counts per credential_id (API key UID)</span> </code></pre> </div> <p>The response includes <code>metric.labels.credential_id</code> — the unique identifier of the API key. You can map this back to specific keys and compare against thresholds.</p> <p><strong>Key insight:</strong> GCP returns cumulative counts over the requested time window. If you poll every minute with a 24-hour window, you get the total requests for that key today. When that number crosses your threshold, you revoke the key.</p> <h2> How to Build Your Own (DIY Version) </h2> <p>If you want to build this yourself, here's the minimal architecture:</p> <h3> Step 1: Create a minimal IAM role </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam roles create my_api_monitor <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>YOUR_PROJECT <span class="se">\</span> <span class="nt">--title</span><span class="o">=</span><span class="s2">"API Key Monitor"</span> <span class="se">\</span> <span class="nt">--permissions</span><span class="o">=</span>apikeys.keys.delete,apikeys.keys.get,apikeys.keys.list,monitoring.timeSeries.list </code></pre> </div> <p>This is all you need. No owner role. No billing access. No editor permissions.</p> <h3> Step 2: Poll the monitoring API </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.oauth2</span> <span class="kn">import</span> <span class="n">service_account</span> <span class="kn">from</span> <span class="n">googleapiclient.discovery</span> <span class="kn">import</span> <span class="n">build</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span><span class="p">,</span> <span class="n">timezone</span> <span class="k">def</span> <span class="nf">get_request_counts</span><span class="p">(</span><span class="n">project_id</span><span class="p">,</span> <span class="n">credentials</span><span class="p">):</span> <span class="n">service</span> <span class="o">=</span> <span class="nf">build</span><span class="p">(</span><span class="sh">'</span><span class="s">monitoring</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">v3</span><span class="sh">'</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">credentials</span><span class="p">)</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">24</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">service</span><span class="p">.</span><span class="nf">projects</span><span class="p">().</span><span class="nf">timeSeries</span><span class="p">().</span><span class="nf">list</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">projects/</span><span class="si">{</span><span class="n">project_id</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="sh">'</span><span class="s">metric.type=</span><span class="sh">"</span><span class="s">serviceruntime.googleapis.com/api/request_count</span><span class="sh">"'</span><span class="p">,</span> <span class="o">**</span><span class="p">{</span> <span class="sh">'</span><span class="s">interval.startTime</span><span class="sh">'</span><span class="p">:</span> <span class="n">start_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">interval.endTime</span><span class="sh">'</span><span class="p">:</span> <span class="n">end_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">aggregation.alignmentPeriod</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">86400s</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">aggregation.perSeriesAligner</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">ALIGN_SUM</span><span class="sh">'</span> <span class="p">}</span> <span class="p">).</span><span class="nf">execute</span><span class="p">()</span> <span class="n">counts</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">series</span> <span class="ow">in</span> <span class="n">result</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">timeSeries</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">credential_id</span> <span class="o">=</span> <span class="n">series</span><span class="p">[</span><span class="sh">'</span><span class="s">metric</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">labels</span><span class="sh">'</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">credential_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">credential_id</span> <span class="ow">and</span> <span class="n">series</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">points</span><span class="sh">'</span><span class="p">):</span> <span class="n">counts</span><span class="p">[</span><span class="n">credential_id</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span> <span class="n">series</span><span class="p">[</span><span class="sh">'</span><span class="s">points</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">int64Value</span><span class="sh">'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">counts</span> </code></pre> </div> <h3> Step 3: Evaluate thresholds </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_and_revoke</span><span class="p">(</span><span class="n">project_id</span><span class="p">,</span> <span class="n">monitored_keys</span><span class="p">,</span> <span class="n">request_counts</span><span class="p">,</span> <span class="n">credentials</span><span class="p">):</span> <span class="n">apikeys_service</span> <span class="o">=</span> <span class="nf">build</span><span class="p">(</span><span class="sh">'</span><span class="s">apikeys</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">v2</span><span class="sh">'</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">credentials</span><span class="p">)</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">monitored_keys</span><span class="p">:</span> <span class="n">credential_id</span> <span class="o">=</span> <span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">credential_id</span><span class="sh">'</span><span class="p">]</span> <span class="n">threshold</span> <span class="o">=</span> <span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">threshold</span><span class="sh">'</span><span class="p">]</span> <span class="n">current_count</span> <span class="o">=</span> <span class="n">request_counts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">credential_id</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">if</span> <span class="n">current_count</span> <span class="o">&gt;</span> <span class="n">threshold</span><span class="p">:</span> <span class="c1"># Revoke the key </span> <span class="n">apikeys_service</span><span class="p">.</span><span class="nf">projects</span><span class="p">().</span><span class="nf">locations</span><span class="p">().</span><span class="nf">keys</span><span class="p">().</span><span class="nf">delete</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">resource_name</span><span class="sh">'</span><span class="p">]</span> <span class="p">).</span><span class="nf">execute</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Revoked </span><span class="si">{</span><span class="n">key</span><span class="p">[</span><span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">: </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">current_count</span><span class="si">}</span><span class="s"> requests &gt; threshold </span><span class="si">{</span><span class="n">threshold</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Send alert (email, Slack, etc.) </span> <span class="nf">send_alert</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">current_count</span><span class="p">,</span> <span class="n">threshold</span><span class="p">)</span> </code></pre> </div> <h3> Step 4: Run it on a schedule </h3> <p>On a Cloud Run job, a cron on a cheap VM, or any scheduler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Cloud Scheduler → Cloud Run job every minute</span> <span class="c"># Or a simple cron:</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> python3 /opt/api-monitor/check_keys.py </code></pre> </div> <p>That's the core of it. The full implementation adds:</p> <ul> <li>Deduplication (don't revoke the same key twice)</li> <li>Retry logic for GCP API failures</li> <li>Proper JWT auth for service accounts</li> <li>Storage for monitored keys and thresholds</li> <li>Email notifications</li> </ul> <h2> The Gotchas I Hit Building This </h2> <h3> 1. Permission casing matters </h3> <p><code>monitoring.timeSeries.list</code> — capital <strong>S</strong> in timeSeries. I spent an embarrassing amount of time getting 403 errors because I wrote <code>monitoring.timeseries.list</code>. GCP is case-sensitive here.</p> <h3> 2. GCP doesn't return zero-count keys </h3> <p>If a key has zero requests in the time window, it doesn't appear in the timeSeries response at all. Your polling logic needs to handle this — keys with no data have zero requests, not missing data.</p> <h3> 3. Billing vs monitoring delay </h3> <p>Billing data lags 4-12 hours. Monitoring data lags 3-5 minutes. If you're using Cloud Monitoring (not billing), your detection is much faster. Always use the monitoring API, not billing data, for real-time detection.</p> <h3> 4. Cumulative vs delta counts </h3> <p>The API returns cumulative counts over the requested time window. Don't subtract consecutive polls to get deltas — just compare the total against your daily/hourly threshold directly.</p> <h3> 5. GCP alerting policies add too much latency </h3> <p>I initially tried using GCP alerting policies + pub/sub + Cloud Functions. The additional latency from alerting policy evaluation added 15-25 minutes on top of the 3-5 minute metric delay. Direct polling is faster and simpler.</p> <h2> What I Actually Built </h2> <p>After going through all of the above myself, I packaged it into <a href="https://cloudsentinel.dev" rel="noopener noreferrer">CloudSentinel</a> — a hosted version with a dashboard, per-key thresholds, and automatic revocation.</p> <p>The setup is one gcloud command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud config <span class="nb">set </span>project YOUR_PROJECT <span class="o">&amp;&amp;</span> <span class="se">\</span> gcloud services <span class="nb">enable </span>apikeys.googleapis.com monitoring.googleapis.com <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>YOUR_PROJECT <span class="nt">--quiet</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> gcloud iam roles create cloudsentinel_XXXXXXXX <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>YOUR_PROJECT <span class="se">\</span> <span class="nt">--title</span><span class="o">=</span><span class="s2">"CloudSentinel Monitor"</span> <span class="se">\</span> <span class="nt">--permissions</span><span class="o">=</span>apikeys.keys.delete,apikeys.keys.get,apikeys.keys.list,monitoring.timeSeries.list <span class="se">\</span> <span class="nt">--quiet</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> gcloud projects add-iam-policy-binding YOUR_PROJECT <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:cloudsentinel@cloudsentinel-dev.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"projects/YOUR_PROJECT/roles/cloudsentinel_XXXXXXXX"</span> <span class="se">\</span> <span class="nt">--condition</span><span class="o">=</span>None <span class="nt">--quiet</span> </code></pre> </div> <p>It's early — I launched last week. 14-day free trial, no credit card. If you'd rather build your own using the code above, that's completely fine too — that's exactly what this article is for.</p> <h2> What You Should Do Right Now </h2> <p>Whether you use CloudSentinel or build your own, here's the minimum you should have in place for any GCP project with API keys:</p> <p><strong>1. Restrict your API keys</strong><br> In GCP Console → APIs &amp; Services → Credentials → edit each key:</p> <ul> <li>Restrict to specific APIs only</li> <li>Add referrer/IP restrictions where possible</li> </ul> <p><strong>2. Set a budget alert</strong><br> Not a replacement for monitoring, but a backstop. Set it at 50% of your expected monthly spend so you get early warning.</p> <p><strong>3. Never commit API keys to code</strong><br> Use Secret Manager or environment variables. Add <code>.env</code> to <code>.gitignore</code>. Use <code>git-secrets</code> or <code>gitleaks</code> as a pre-commit hook.</p> <p><strong>4. Audit who has access to your GCP project</strong><br> Go to IAM → check every member and role. Remove anything you don't recognize.</p> <p><strong>5. Monitor request volume</strong><br> Either build the script above, use CloudSentinel, or set up a Cloud Monitoring alert on <code>serviceruntime.googleapis.com/api/request_count</code>. Any of these is better than nothing.</p> <h2> Final Thought </h2> <p>The developers who lost $55K, $82K, $128K weren't careless. They were building, shipping, and learning. API key leaks happen to good engineers. The gap is that GCP gives you alerts but no automatic response.</p> <p>A budget alert tells you your house is on fire. CloudSentinel (or your own version of it) calls the fire department automatically.</p> <p>Set up some form of automatic protection before you need it. The setup takes 5 minutes. The regret takes longer.</p> <p><em>I'm David, one of the founders of CloudSentinel. If you have questions about the GCP monitoring API, the IAM setup, or anything in this article — drop a comment. Happy to help whether or not you use our tool.</em></p> <p><em><a href="https://cloudsentinel.dev" rel="noopener noreferrer">CloudSentinel</a> — automatic GCP API key revocation. 14-day free trial, no credit card required.</em></p> gcp googlecloud security devops