惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
C
CERT Recently Published Vulnerability Notes
雷峰网
雷峰网
美团技术团队
L
LangChain Blog
Google DeepMind News
Google DeepMind News
博客园 - 【当耐特】
I
InfoQ
www.infosecurity-magazine.com
www.infosecurity-magazine.com
J
Java Code Geeks
B
Blog
博客园 - 三生石上(FineUI控件)
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Secure Thoughts
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园_首页
博客园 - Franky
Apple Machine Learning Research
Apple Machine Learning Research
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
GbyAI
GbyAI
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
H
Heimdal Security Blog
T
Troy Hunt's Blog
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
腾讯CDC
Forbes - Security
Forbes - Security
P
Privacy & Cybersecurity Law Blog
I
Intezer
Hacker News - Newest:
Hacker News - Newest: "LLM"
Y
Y Combinator Blog
The Register - Security
The Register - Security
Martin Fowler
Martin Fowler
Hugging Face - Blog
Hugging Face - Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Blog — PlanetScale
Blog — PlanetScale
L
Lohrmann on Cybersecurity
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Scott Helme
Scott Helme
Webroot Blog
Webroot Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
MongoDB | Blog
MongoDB | Blog
Vercel News
Vercel News
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
A
Arctic Wolf
S
Security Affairs
P
Privacy International News Feed

Hacker News: Show HN

PurrrrrFocus: Pomodoro Timer App - App Store Workflow Engine — Multi-Step Orchestration for Bun RapidPhoto: Pro Photo Editor App - App Store GitHub - DheerG/swarms: Achieve extraordinary results with claude code across a variety of tasks SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads Show HN: VCoding – A 5 MB native Windows IDE with no dynamic dependencies Show HN: LLMs don't hallucinate because they're bad at math, it's the format GitHub - Agent-FM/agentfm-core: AgentFM is a peer-to-peer network that turns everyday computers into a decentralized AI supercomputer. AgentFM lets you run massive AI workloads directly across a global mesh of idle CPUs and GPUs. Show HN: Tracking Top US Science Olympiad Alumni over Last 25 Years GitHub - Potarix/agent-hub: One place to talk to all your agents Show HN: Runtime security for AI agents(injection,tool abuse, data exfiltration) GitHub - dubeyKartikay/lazyspotify: Terminal Spotify client for macOS and Linux GitHub - the-banana-tool/king-louie: Easy to use GUI Personal AI Assistant. Win/Linux/Mac. Show HN I made my vacation rental bookable by AI agents–no Airbnb, 0% commission GitHub - basteez/jsf-autoreload: maven plugin to enable hot reload on jsf projects uvm32/hosts/host-gdbstub at main · ringtailsoftware/uvm32 GitHub - labsai/EDDI: Config-driven engine that turns JSON into production-grade AI agents. Multi-agent orchestration, 12+ LLM providers, MCP/A2A protocols, RAG, persistent memory, and enterprise compliance (EU AI Act, GDPR, HIPAA). Built on Quarkus. GitHub - glitchnsec/fortyone-oss: AI Executive Assistant Platform Quickstart | Alien GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. GitHub - ocrbase-hq/ocrbase: 📄 PDF/IMG ->.MD/JSON Document OCR API for PaddleOCR and GLMOCR. Self-hostable. GitHub - impactjo/home-memory: MCP server that lets your AI assistant remember everything about your home. GitHub - Sets88/dbcls: DbCls is a powerful terminal database client that supports various databases GitHub - neptun2000/heor-agent-mcp GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh RollQuation: Math Puzzles - Apps on Google Play GitHub - dropbox/witchcraft Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw LinkedIn™ 职位抓取工具 - Chrome 应用商店 GitHub - EdoardoBambini/Agent-Armor-Iaga: AI agents are getting tool access — shell, file system, databases, APIs, secrets. But **nobody is governing what they actually do with it**. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens. HN Vibes — Week 15, Apr 7–13 2026 GitHub - chojs23/ec: Easy terminal-native 3-way git mergetool vim-like workflow GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. GitHub - JakOb-dotcom/cloud-sandbox-security-analysis: Technical analysis and Proof of Concept (PoC) regarding environment variable exfiltration in containerized cloud sandboxes via side-channel data leaks. Springboards - Flint Alpha Show HN: A simpler coding agent harness GitHub - audiodude/sudomake-friends GitHub - 256thFission/mini-mythos: OSS clone of Anthropic’s Mythos harness to locate C/C++ memory vulnerabilities Show HN: OpenParallax: OS-level privilege separation for AI agent execution Hacker News Sorted - Chrome 应用商店 Show HN: How to Install Docker on Ubuntu 24.04 LTS: Complete 2026 Guide GitHub - himanshudongre/smriti GitHub - sverrirsig/claude-control: macOS desktop dashboard for monitoring and managing multiple Claude Code sessions GitHub - ory/dockertest: Write better integration tests! Dockertest helps you boot up ephermal docker images for your Go tests with minimal work. Chiral - Chrome 应用商店 Show HN: Two Claudes collaborating through shared memory on a $100 mini-PC GitHub - pmichaillat/latex-cv: Minimalist LaTeX template for academic CVs GitHub - oguzbilgic/posse: A web UI for Anthropic Managed Agents. GitHub - sshiraz/depsly: Dependency risk analysis tool for npm packages ABI Add safari/agent-harness — Safari browser automation via safari-mcp by achiya-automation · Pull Request #212 · HKUDS/CLI-Anything GitHub - Halfblood-Prince/trustcheck: Verify PyPI package attestations and improve Python supply-chain security GitHub - oguzbilgic/kern-ai: Agents that do the work and show it. GitHub - bruits/satteri: High-performance Markdown and MDX processing for the JavaScript ecosystem GitHub - tylergibbs1/feedstock: High-performance web crawler and scraper for TypeScript, powered by Bun and Playwright GitHub - Grimm67123/grimmbot: The self-improving sandboxed and open-source AI agent. With persistent memory and scheduling. GitHub - whitevanillaskies/whitebloom: Local whiteboard that blooms. GitHub - hwdsl2/docker-whisper: Docker image for a self-hosted Whisper speech-to-text server with speaker diarization and OpenAI-compatible transcription and translation APIs. Powered by faster-whisper. Supports all Whisper models, NVIDIA GPU (CUDA) acceleration, JSON/SRT/VTT output, SSE streaming, offline mode, and multi-arch (amd64, arm64). GitHub - yisding/reviewwiggum GitHub - MarwanAlsoltany/serrors: Structured errors for Go: sentinel hierarchies, typed data, custom formatting, and slog integration. GitHub - soatok/age-php GitHub - Luthiraa/markitme GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits GitHub - tombedor/excalicharts GitHub - wh1le/excalidraw-edit: Open and edit .excalidraw files from the terminal. Offline, auto-saves to disk. MalExt Sentry - Malicious Extension Scanner - Chrome 应用商店 GitHub - syi0808/asciianimesvg: Generate animated ASCII art SVGs from text. CLI, Rust library, WASM, and web editor. GitHub - zaina-ml/ml_forge: A visual-based graph node editor for training computer vision models. GitHub - anakin87/llm-rl-environments-lil-course: 🌱 A little course on Reinforcement Learning Environments for evaluating and training Language Models GitHub - takaakit/superpowers-uml: Superpowers-UML modifies Superpowers to ensure a software development workflow in which AI agents design through UML modeling. AdriByte Studio - Sviluppo Web e Soluzioni Digitali GitHub - chouligi/angel-copilot: Your personalized Angel Investment Advisor Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 GitHub - agenteractai/lodmem: Level Of Detail Context Management for Agents GitHub - ostefani/subnetlens: A fast, concurrent network scanner with a TUI and plain-text CLI, built in Go. It discovers live hosts on your network, scans their open ports, resolves hostnames, and fingerprints operating systems—delivered. Cyber Pulse: Agentic Intel - Apps on Google Play Whisper API: Self-Hostable Speech to Text Transcription The Agent-Web Protocol Stack: A Research Thesis GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Show HN: Provepy – A Python decorator that proves your code using Lean and LLMs Show HN: Pardonned.com – A searchable database of US Pardons GitHub - patrickdappollonio/dux: Dux is a terminal UI that lets you run multiple AI coding agents side by side, each in its own git worktree, with full companion terminals, macros, commit generation, and a command palette that knows more tricks than you do. kMC Crystal Simulator Show HN: HyperFlow – A self-improving agent framework built on LangGraph GitHub - stef41/vibescore: 🎵 Grade your vibe-coded project. One command, instant letter grade across security, quality, dependencies, and testing. GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. imgur.com GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. GitHub - nowork-studio/toprank: Open-source Claude Code skills for SEO, SEM, Google Ads GitHub - tacomanator/sash: Lightweight macOS menu bar app for reliably cycling through windows of the current application. Appents | Social Media Management for Product-First Teams GitHub - pnhoang/youtube-spam-blocker: Automatically detects and hides spam messages in YouTube Live chat. Set rate limits, keyword filters, and block repeat offenders. GitHub - decisionnode/DecisionNode: CLI + Local MCP - A shared structured memory store across Claude Code, Cursor, Windsurf, Antigravity, and every MCP client. Semantically queryable. GitHub - AvaCodeSolutions/django-email-learning: An open source Django app for creating email-based learning platforms with IMAP integration and React frontend components. The $100K Gap in Kubernetes Security Tooling Function Calling Harness: From 6.75% to 100%
API 密钥管理和安全性  |  Google Codelabs
minherz · 2026-06-23 · via Hacker News: Show HN
跳至主要内容

1. 简介

过去,在其他方法不可用或被认为不方便时,Google API 密钥用于访问 Google API。热门用例包括访问 Google 地图 API 和 Firebase 公开的 Google API。随着 AI 模型、Gemini 等 AI 智能体、AI Studio 和智能体开发套件等代理开发框架的推出,API 密钥已成为访问 Google 大语言模型的主要方法。

API 密钥提供的保护级别较低。虽然 Google Cloud 提供了多种方法来防止密钥被滥用,但拥有有效的 API 密钥即可访问 Google API,而无需进行任何额外的身份验证或授权验证。有关限制 API 密钥使用的方法,请参阅文档。Cloud 博客中有关保护 Gemini 和 Google API 密钥的帖子提供了有关 API 密钥维护的其他建议。在此 Codelab 中,您将实践这些建议。

您将执行的操作

  • 查看在 Google Cloud 上创建新 API 密钥时强制执行的限制
  • 编目您的所有 API 密钥,并找出未受安全保护的密钥
  • 根据现有 API 密钥的使用情况强制执行限制
  • 定义在出现异常使用情况时删除密钥的自动化流程

所需条件

  • 新版网络浏览器(例如 Chrome)。
  • Google 账号

2. 设置

本 Codelab 中的说明假定您在 Google Cloud 控制台的 Cloud Shell 中运行命令。如果您在本地环境中安装了 gcloud CLI,则可以在本地环境中运行这些命令。

虽然可以使用 Cloud 控制台界面完成这些步骤中的操作,但方法有所不同。此 Codelab 使用命令行界面来简化互动,并更轻松地与现代 AI 智能体(例如 Antigravity CLI)集成。

启动 Cloud Shell 终端

  1. 在新浏览器窗口中使用 https://console.cloud.google.com/ 打开 Google Cloud 控制台。建议使用 Chrome 以获得最佳用户体验。
  2. 在 Google Cloud 中登录您的 Google 账号。
  3. 点击 Google Cloud 控制台顶部的激活 Cloud Shell “激活 Cloud Shell”图标
    如果显示,请在弹出的窗口中执行以下操作:
    • 继续完成 Cloud Shell 信息窗口中的设置。
    • 授权 Cloud Shell 使用您的凭据进行 Google Cloud API 调用。

选择 Google Cloud 项目

打开 Cloud 控制台后,系统会验证您的身份,并且通常会显示一个项目选择器供您选择项目。项目 ID 是一个包含 6 到 30 个字符的序列,由小写字母、数字和短划线符号组成,例如 qwiklabs-gcp-04-3075fc9fd77f。Cloud Shell 终端会使用所选项目配置 gcloud CLI。您将看到类似于以下内容的输出:

Your Cloud Platform project in this session is set to qwiklabs-gcp-04-3075fc9fd77f

这意味着,您后续向 gcloud 发出的命令将使用项目 ID qwiklabs-gcp-04-3075fc9fd77f

将项目 ID 设置为环境变量 PROJECT_ID。您可以使用以下命令查看所有项目的列表:

gcloud projects list
  • 如果您想使用与 gcloud 中配置的项目 ID 不同的项目 ID,请替换 your-project-id 并运行该命令。
    export PROJECT_ID="your-project-id"
    
    例如:
    export PROJECT_ID="qwiklabs-gcp-04-3075fc9fd77f"
    
  • 如果您想使用所选项目 ID,请运行以下命令:
    export PROJECT_ID=$(gcloud config get project)
    

3. 限制新的 API 密钥

过去,用户可以创建完全不受限制的 API 密钥。不受限制的密钥可用于调用创建该密钥的项目中启用的任何 Google API。虽然 Google Cloud 控制台会阻止用户创建不受限的密钥,但用户仍可以使用 gcloud CLI 或直接 API 调用来创建不受限的密钥。

以下步骤展示了如何创建受限 API 密钥,以限制其只能用于特定 API 和指定网站。

  1. 如需创建仅限用于 Google Map 地理定位 API 的新 API 密钥,请在 shell 终端中运行以下命令:
    gcloud services api-keys create --key-id=restricted-api-key \
      --display-name="restricted api key" \
      --api-target=service=geolocation.googleapis.com \
      --project=${PROJECT_ID}
    
    此命令会创建一个新的 API 密钥,该密钥只能用于调用 Google 地理定位服务。
  2. 添加应用限制可提高密钥安全性。将密钥的使用范围限制为仅限网站 example.com 中的所有路径。运行以下命令,将应用限制添加到密钥:
    gcloud services api-keys update restricted-api-key \
      --location=global \
      --allowed-referrers="example.com/*" \
      --project=${PROJECT_ID}
    
    您可以不将密钥的使用范围限制为特定网站,而是使用 --allowed-application 定义允许的 Android 应用allowed-ips 定义允许的 IP 地址。如需查看所有选项,请参阅完整的文档

清理

除非您打算使用自己创建的 API 密钥,否则请将其删除:

gcloud services api-keys delete --key-id=restricted-api-key \
  --project=${PROJECT_ID}

4. 编目 API 密钥

在此步骤中,您将使用 gcloud CLI 获取 API 密钥清单。生成的列表会显示您有权访问的所有有效(未删除)API 密钥。

  1. 运行以下命令可查看所有密钥名称、ID 和创建日期:
    gcloud services api-keys list --project=${PROJECT_ID} \
      --format='value(displayName,name.basename(),createTime.date())'
    
    输出将显示密钥的人类可读名称、密钥 ID 和密钥创建日期。它类似于以下内容:
    api key 1	api-key-1	2024-05-10T07:53:24
    api key 2	api-key-2	2025-06-12T14:47:57
    
  2. 选择一个密钥 ID,然后粘贴以下命令以检查该密钥是否受到任何限制。将 your-key-id 替换为所选密钥 ID 的值:
    gcloud services api-keys describe "your-key-id" --project=${PROJECT_ID}
    

输出(采用 YAML 格式)将在 restrictions 下包含一个限制列表。

createTime: '2024-05-10T07:53:24.986528Z'
displayName: api key 1
etag: W/"u1WuY41K2tPKUZd7cfLoKg=="
name: projects/123456789012/locations/global/keys/api-key-1
restrictions:
  apiTargets:
  - service: geolocation.googleapis.com
  browserKeyRestrictions:
    allowedReferrers:
    - https://example.com/*
uid: 1a2b3c4d-1234-abcd-1234-a1b2c3d4e5f6
updateTime: '2024-05-10T07:53:24.071228Z'

请注意,如果密钥从未更新,则 createTimeupdateTime 字段将具有相同的时间戳。

  1. 下载并运行该脚本,该脚本会遍历您的所有项目,并输出未设置限制的所有 API 密钥:
    curl -fsSL -o unrestricted_api_keys.sh \
      "https://github.com/GoogleCloudPlatform/devrel-demos/blob/main/security/api-key-audit/unrestricted_api_keys.sh"
    chmod +x unrestricted_api_keys.sh
    ./unrestricted_api_keys.sh
    
    运行脚本后,您将看到如下格式的输出:
    DISPLAY NAME    KEY ID    PROJECT ID    CREATION DATE
    Key 1    1a2b3c4d-1234-abcd-1234-a1b2c3d4e5f6    my-project-1    2024-05-10T07:53:24.071228Z
    
    您可以在 GitHub 上 devrel-demos 代码库的 Security 文件夹中找到此 Codelab 中使用的所有脚本。

5. 了解 API 密钥的使用情况

在此步骤中,您将查询 Google Cloud 指标,以帮助您了解哪些 API 是使用您的 API 密钥调用的。借助此信息,您可以查看密钥的当前使用情况,并根据实际信息为密钥应用 API 限制,而不是猜测。

  1. 使用您在上一步中使用的相同密钥 ID,或选择其他密钥 ID。在以下命令中,将 your-key-id 替换为所选的密钥 ID:
    export KEY_UID=$(
       gcloud services api-keys describe "your-key-id" \
       --format='value(uid)' \
       --project=${PROJECT_ID})
    
  2. 将搜索范围设置为回溯一年的使用情况历史记录。如果您想查找更长或更短时间段内的信息,请将 365(天数)替换为其他正数。
    export DAYS=365
    
  3. 刷新应用默认凭据 (ADC),以直接调用 Cloud Monitoring API。运行以下命令,并按照终端中的说明操作:
    gcloud auth application-default login
    
  4. 运行以下命令,向 Cloud Monitoring API 发送服务使用情况指标数据请求:
curl -s -G -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  --data-urlencode "filter=metric.type=\"serviceruntime.googleapis.com/api/request_count\" AND resource.labels.credential_id=\"apikey:${KEY_UID}\"" \
  --data-urlencode "interval.startTime=$(date -u -d "${DAYS} days ago" +%Y-%m-%dT%H:%M:%SZ)" \
  --data-urlencode "interval.endTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  "https://monitoring.googleapis.com/v3/projects/${PROJECT_ID}/timeSeries" \
  | jq -r '.timeSeries[]?.resource.labels.service' | sort -u

该命令会查询 serviceruntime/api/request_count 内置指标,以获取标签 credential_id 与所选 API 密钥唯一 ID 匹配的数据点。然后,它会检索 service 标签的值,并在消除重复项的同时打印这些值。

API 密钥安全加固

在此步骤中,您将使用之前步骤中收集的信息,根据使用情况信息更新 API 密钥的限制配置。

您将使用上一步中使用的同一 API 密钥。如有必要,请重新运行上一步中的说明,以确保已设置环境变量 PROJECT_IDKEY_UIDDAYS

  1. 运行以下命令,以检索使用 API 密钥调用的 Google API 的列表:

SERVICES=$(curl -s -G -H "Authorization: Bearer $(gcloud auth application-default print-access-token)"
–data-urlencode "filter=metric.type="serviceruntime.googleapis.com/api/request_count" AND resource.labels.credential_id="apikey:${KEY_UID}""
–data-urlencode "interval.startTime=$(date -u -d "${DAYS} days ago" +%Y-%m-%dT%H:%M:%SZ)"
–data-urlencode "interval.endTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
"https://monitoring.googleapis.com/v3/projects/${PROJECT_ID}/timeSeries"
| jq -r ‘.timeSeries[]?.resource.labels.service' | sort -u)

1. Build the list of arguments to restrict the API usage for the API key based
on the retrieved list.

```shell
API_TARGET_ARGS=()
for SERVICE in $SERVICES; do
  API_TARGET_ARGS+=("--api-target=service=${SERVICE}")
done
  1. 替换非空列表的受限 API 列表:
    if [ ${#API_TARGET_ARGS[@]} -gt 0 ]; then
        gcloud services api-keys update "projects/${PROJECT_ID}/locations/global/keys/${KEY_UID}" \
        ${API_TARGET_ARGS}
    fi
    

6. 定义异常使用情况检测

之前的步骤介绍了如何探索和强化 API 密钥。此步骤介绍了如何借助监控提醒自动响应密钥使用量的意外高峰。

以下说明将创建一个提醒,当使用 API 密钥的 API 调用速率比过去 5 分钟增加 10% 以上时,系统会触发该提醒。系统已配置提醒,以触发 Cloud Build 脚本来删除 API 密钥,防止进一步使用。您可以在接下来的 30 天内恢复密钥。如需了解如何恢复密钥,请参阅文档

这些说明会重复使用您在前面步骤中使用的变量 PROJECT_IDKEY_UID。如果您想选择其他密钥和/或项目,请按照“设置和发现 API 密钥的使用情况”步骤中的说明,为这些变量设置新值。

  1. 运行以下脚本以创建提醒政策文件:
    cat <<EOF > alert_policy.json
    {
      "displayName": "Credential API Request Count Increase Alert (Project: ${PROJECT_ID})",
      "combiner": "OR",
      "conditions": [
        {
          "displayName": "API Request Count Increase > 10% in 5m with Min Volume",
          "conditionPrometheusQueryLanguage": {
            "query": "(sum(increase(serviceruntime_googleapis_com:api_request_count{metric_label_credential_id=\\"apikey:${KEY_UID}\\"}[5m])) / (sum(increase(serviceruntime_googleapis_com:api_request_count{metric_label_credential_id=\\"apikey:${KEY_UID}\\"}[5m] offset 5m)) or on() vector(1)) > 1.10) and (sum(increase(serviceruntime_googleapis_com:api_request_count{metric_label_credential_id=\\"apikey:${KEY_UID}\\"}[5m])) > 50)",
            "duration": "0s",
            "evaluationInterval": "60s"
          }
        }
      ],
      "enabled": true
    }
    EOF
    
    提醒政策使用以下 PromQL 过滤条件来触发提醒:
     (sum(
       increase(
         serviceruntime_googleapis_com:api_request_count{metric_label_credential_id="API_KEY_UID"}[5m])
     ) /
     (sum(
       increase(
         serviceruntime_googleapis_com:api_request_count{metric_label_credential_id="API_KEY_UID"}[5m] offset 5m)
     ) or on() vector(1)) > 1.10)
    and
     (sum(
       increase(
         serviceruntime_googleapis_com:api_request_count{metric_label_credential_id=\"YOUR_CREDENTIAL_ID_HERE\"}[5m])) > 50)
    
    它会计算增长率,并将其与之前的窗口进行比较。只有在实际支出比目标支出高出 10% 以上时,才会触发提醒。为避免在调用总数可忽略不计时触发提醒,该提醒设置了触发条件,即窗口中的 API 调用次数超过 50 次。为了避免在 5 分钟的速率为 0 时出现 NaN(除以零)计算,如果前一个时间段的速率为零,则用 1 替换分母。您可以更改提醒参数,例如时间段长度 (5m)、最小阈值 (50) 或 10% 增幅阈值 (1.10)。其他政策参数定义了达到条件后应触发提醒 (duration),以及应每 60 秒探测一次条件 (evaluationInterval)。
  2. 运行以下命令,创建一个将用于发布提醒通知的 PubSub 主题:
    gcloud pubsub topics create api-key-alert-notifications --project=$PROJECT_ID
    
  3. 运行以下命令,为使用 PubSub 的提醒创建通知渠道。
    CHANNEL_NAME=$(gcloud beta monitoring channels create \
      --display-name="Pub/Sub Alert Channel" \
      --type="pubsub" \
      --channel-labels="topic=projects/$PROJECT_ID/topics/api-key-alert-notifications" \
      --format='value(name)' \
      --project=$PROJECT_ID)
    
    您将在“清理”步骤中使用 CHANNEL_NAME 环境变量。
  4. 运行以下命令以创建新的监控提醒:
    gcloud monitoring policies create --policy-from-file=alert_policy.json \
      --project=$PROJECT_ID
    
  5. 运行以下命令,以授予 Cloud Build 服务删除项目中的 API 密钥的权限。
    PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
    gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
      --role="roles/apikeys.admin"
    
    可以限制 apikeys.admin 角色仅能操作 API 密钥的特定实例。如需了解详情,请参阅 IAM 条件
  6. 运行以下脚本以创建用于删除 API 密钥的 Cloud Build 构建触发器。
    cat <<EOF > trigger_config.yaml
    name: "delete-compromised-api-key"
    description: "Triggered by Pub/Sub alert to automatically delete the leaking API Key"
    pubsubConfig:
      topic: "projects/${PROJECT_ID}/topics/api-key-alert-notifications"
    build:
      steps:
      - name: "gcr.io/google.com/cloudsdktool/cloud-sdk:slim"
        args:
        - "gcloud"
        - "services"
        - "api-keys"
        - "delete"
        - "${KEY_UID}"
        - "--quiet"
    EOF
    
  7. 运行以下命令以创建新的监控提醒触发器:
    gcloud builds triggers create pubsub \
      --trigger-config=trigger_config.yaml \
      --project=$PROJECT_ID
    

您现在可以删除提醒政策和 Cloud Build 构建触发器配置文件:

rm alert_policy.json trigger_config.yaml

或者,您也可以使用 Terraform 方案设置此自动化。从 Google Cloud DevRel 代码库中的 abnormal-usage-detection 文件夹下载 Terraform 文件。该方案接受项目 ID 和 API 密钥 UID 作为输入参数,并设置您在此步骤中看到的资源和配置。

7. 清理

为避免您的 Google Cloud 账号产生意外费用,请务必删除本练习期间创建的 Pub/Sub 主题、Cloud Build 构建触发器和提醒政策。

运行以下命令以删除您创建的所有资源:

gcloud builds triggers delete delete-compromised-api-key \
  --project=$PROJECT_ID
gcloud beta monitoring channels delete $CHANNEL_NAME \
  --project=$PROJECT_ID \
  --quiet
gcloud pubsub topics delete api-key-alert-notifications \
  --project=$PROJECT_ID
gcloud projects remove-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
  --role="roles/apikeys.admin"

8. 总结

在此 Codelab 中,您为 Google Cloud API 密钥实现了一个强大的端到端安全和自动化框架:

  1. 强化默认配置:您创建并限制了 API 密钥,以将访问权限仅限于必要的 API 和受信任的平台(例如特定的 HTTP 引荐来源网址)。
  2. 审核了密钥清单:您扫描了项目环境,以检测并隔离存在直接安全风险的不受限密钥。
  3. 分析后的使用情况数据:您以编程方式查询 Cloud Monitoring 指标数据,以分析历史密钥使用情况,从而能够根据经过验证的使用情况足迹来限制密钥。
  4. 自动威胁缓解:您通过将 Cloud Monitoring 提醒政策与 Pub/Sub 主题和 Cloud Build 触发器相关联,建立了一个被动“断路器”,从而可以在异常流量高峰期间自动删除遭入侵的密钥。

后续步骤

  • 对所有 API 密钥施加限制:使用您在本实验中学到的知识来检测所有部分受限或不受限的 API 密钥,并应用 API 和客户端限制,
  • 为 API 密钥设置“断路器”:通过设置在用量突然增加时自动删除密钥,进一步保护您的 API 密钥免遭意外使用。使用实验中所示的 gcloud 命令或 Terraform。考虑利用 IAM 条件来收紧权限
  • 探索监控提醒:详细了解如何使用 Google Cloud Monitoring 服务设置提醒。
  • 详细了解 Google Cloud 提供的访问权限控制功能:查看访问权限边界政策访问权限变更传播

如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。

[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["没有我需要的信息","missingTheInformationINeed","thumb-down"],["太复杂/步骤太多","tooComplicatedTooManySteps","thumb-down"],["内容需要更新","outOfDate","thumb-down"],["翻译问题","translationIssue","thumb-down"],["示例/代码问题","samplesCodeIssue","thumb-down"],["其他","otherDown","thumb-down"]],[],[],[]]