← Back to context

Comment by rezonant

4 days ago

Imagine enabling Maps, deploying it on your website, and then enabling Google Drive API and that key immediately providing the ability to store or read files. It didn't work like that for any other service, why should it work that way for Gemini.

Also, for APIs with quotas you have to be careful not to use multiple GCP projects for a single logical application, since those quotas are tracked per application, not per account. It is definitely not Google's intent that you should have one GCP project per service within a single logical application.

6 comments

rezonant

Reply
edoceo  3 days ago

Really? I make multiple GCP projects per app. One project for the (eg) Maps API, one for Drive, one for Mail, one for $THING. Internal corp-services might have one project with a few APIs enabled - but for the client-app that we sell, there are many projects with one or two APIs enabled only.

  • rezonant  3 days ago

    If you ever have to enable public OAuth on such a project, you'll need to provide a list of all the API projects in use with the application, and Google Trust and Safety will pressure you to merge them together into a single GCP project. I've been through it.

    You can do what you're describing but it's not the model Google is expecting you to use, and you shouldn't have to do that.

    It seems what happened here is that some extremely overzealous PM, probably fueled by Google's insane push to maximize Gemini's usage, decided that the Gemini API on GCP should be default enabled to make it easier for people to deploy, either being unaware or intentionally overlooking the obvious security implications of doing so. It's a huge mistake.

    • chrisjj  3 days ago

      > decided that the Gemini API on GCP should be default enabled to make it easier for people to deploy

      Like deciding ATM cabinets should be default open to make it easier for people to withdraw cash.

      No, there must be more behind this than overzealotry.

      1 reply →

  • busko  3 days ago

    Why would they encourage more resource use, increasing their cost?

    Gemini should have had it's own API key separate from their traditionally public facing API IDs (which they call keys) and API keys should default to being tightly scoped to their use case rather than being unrestricted.

    Who cares if you have three API keys for three services.

    Quite frankly putting any API information in things like url params or client side code just doesn't sit right with me. It breaks the norm in a way that could be, and is now security concern.

chrisjj  3 days ago

> It didn't work like that for any other service, why should it work that way for Gemini.

Artifical Intelligence service design and lack of human intelligence are highly correlated. Who'd have guessed??