cover

A Google Cloud ban incident

sorcererxw

The incident unfolded as follows.

Because I like to deploy projects by packaging them into Docker Images, the benefits are self-evident. The entire delivery process is as follows: local development, packaging into images, publishing to Docker Register, server pulling images, and replacing old containers with new images. Therefore, as the connection point between development and operations, Docker Register is very important. And the one I chose is Google Cloud's Google Container Register, namely gcr.io.

There are multiple authorization methods for GCR. When I develop locally, I prefer using the json_key method for authorization. No need to log in locally, just generate a dedicated authorization json file, and authenticate during each push.

But it was because of my preference for using this file that I got into trouble. I usually use the Gradle plugin to build & push the image, so I directly placed the authorization file in the project's root directory for the convenience of the plugin to access it through a relative path.

docker {
    ...
    registryCredentials {
        url = 'https://gcr.io'
        username = '_json_key'
        password = file(project.rootDir.path + '/gcr_keyfile.json').text
    }
    ...
}

Because I happened to be working on a school project, our group used GitHub for code collaboration. In order to make it convenient, I decided to make the project open source. However, I forgot to add the json_key to the .gitignore file, and the json_key was inadvertently published on GitHub. Unfortunately, I didn't pay attention to it at the time.

After an hour, I received several emails from Google, informing me that my corresponding Google Cloud project has been suspended and I need to file an appeal. I was really puzzled because I only used this Google Cloud project for image storage. I couldn't understand which part of the user agreement I violated. It was only after carefully reading through Google's emails that I realized, "Oh no, the json_key was exposed."

I hurriedly went to Github to delete the project, reconfigured git locally, reuploaded the code, and then appealed to Google.

Experience

I feel that Google Cloud is quite impressive. It is able to detect users' inappropriate behavior using web crawlers in such a short period of time, promptly suspend their projects, and notify the users, greatly ensuring the security of their data.

In addition, when managing authorization files, it is advisable to store all authorization files in a fixed location, similar to storing SSH keys in .ssh directory, and configure global variables so that development tools can directly access the authorization files through this variable, completely avoiding placing private keys in the project directory.