HackerTrans
TopNewTrendsCommentsPastAskShowJobs

daudmalik06

no profile record

Submissions

[untitled]

1 points·by daudmalik06·2 maanden geleden·0 comments

Ask HN: Is there any founder building non AI startup in 2026?

13 points·by daudmalik06·3 maanden geleden·9 comments

[untitled]

1 points·by daudmalik06·3 maanden geleden·0 comments

[untitled]

1 points·by daudmalik06·3 maanden geleden·0 comments

Tell HN: A company was billed $128K from one leaked GCP API key

8 points·by daudmalik06·4 maanden geleden·3 comments

$82K GCP bill in 48 hours – so I built an automatic API key kill switch

cloudsentinel.dev
1 points·by daudmalik06·4 maanden geleden·1 comments

comments

daudmalik06
·3 maanden geleden·discuss
does it support php codebase ? specifically laravel ?
daudmalik06
·3 maanden geleden·discuss
interesting, a question will it download the code ? how does it work technically ?
daudmalik06
·4 maanden geleden·discuss
[dead]
daudmalik06
·4 maanden geleden·discuss
The approaches make sense for teams with engineering resources to build internal tooling. The LLM gateway layer is smart — virtual keys with caps is exactly the right mental model. The hard part is most solo devs and small teams never get around to building that layer, which is where the incidents happen. We built CloudSentinel specifically for that gap — automatic revocation on raw request count, no internal tooling required. Happy to share more if useful.
daudmalik06
·4 maanden geleden·discuss
Original incident: https://www.reddit.com/r/googlecloud/s/3S1KWpWRZm

After reading about a 3-person startup that received an $82,000 Gemini API bill in 48 hours (normal monthly spend: $180), I started building CloudSentinel.

The core problem: GCP has no native kill switch. Budget alerts send an email. Quota limits throttle requests. Neither revokes a key automatically. And billing data is delayed by hours — useless for real-time protection.

The architecture:

CloudSentinel monitors raw API request count — updated in near real-time. We create an Alerting Policy inside the user's own GCP project using MQL. When the request threshold is crossed, Google fires a Pub/Sub webhook to CloudSentinel. We receive it and revoke that exact key automatically.

The security decision I'm most proud of:

Revoke-Only IAM model. The Custom IAM Role has three responsibilities: - Read API key IDs and metadata (never key values) - Create monitoring rules inside the user's project - Revoke a specific key when a threshold is crossed

The permission apikeys.create is not in the role. Not restricted — absent. Even if CloudSentinel is fully compromised, an attacker can only remove access, never create keys or touch anything else.

Early access open at https://cloudsentinel.dev

Have you ever dealt with a GCP billing surprise or a leaked key? Happy to hear your experience and discuss the architecture.