A developer shared their story on Reddit in 2023: $82,000 on their Google Cloud bill in 48 hours. Their Maps API key, exposed in front-end code, was scraped by a bot and used at scale. The worst part? Google had sent email alerts — but never cut anything off. Because Google Cloud, contrary to what many devs believe, has no native hard spending limit. Here’s how to build one yourself.
The Core Problem: Google Cloud Bills Infinitely by Default
Contrary to a common misconception, setting a “budget” on Google Cloud does not protect your resources. A budget alert sends emails when you hit 50%, 80%, 90%, or 100% of your threshold. But it cuts absolutely nothing. You can exceed your budget by 10x and Google will keep billing you.
The good news: there are several mechanisms you can combine to create multi-layer protection. Here’s how to effectively set a hard spending limit on Google Cloud.
Mechanism 1 — Budget Alerts (The Baseline, But Not Enough Alone)
Start with budget alerts. They’re minimal but mandatory. In Google Cloud Console → Billing → Budgets & Alerts → Create Budget:
- Scope: limit to your project (not the entire billing account)
- Budget type: “Specified amount” with your monthly threshold
- Alert thresholds: set at 50%, 80%, 100%, and 500% (yes, just in case)
- Notifications: email AND Pub/Sub topic (for the automatic kill switch)
# List available billing accounts
gcloud billing accounts list
# Check current budget for a project
gcloud billing budgets list \
--billing-account=BILLING_ACCOUNT_ID
Mechanism 2 — API Quotas: The Real Cost Limiter
Quotas are the most effective mechanism to limit API costs. Unlike budgets, they actually block calls when the threshold is hit. In APIs & Services → specific API → Quotas & System Limits:
- Requests per day: limit to your legitimate usage × 2
- Requests per 100 seconds: cap throughput so a burst of abuse is throttled instead of billed
- Requests per 100 seconds per user: isolate abuse per user
# Check current quotas for an API (the quota commands live in the alpha track;
# --consumer takes the project in the form projects/PROJECT_ID)
gcloud alpha services quota list \
  --service=maps-backend.googleapis.com \
  --consumer=projects/YOUR_PROJECT_ID
# Override a quota: cap map loads at 10,000 per day for this project
# (--unit must match the unit shown for the metric in the list output)
gcloud alpha services quota update \
  --service=maps-backend.googleapis.com \
  --consumer=projects/YOUR_PROJECT_ID \
  --metric=maps-backend.googleapis.com/map_load \
  --unit=1/d/{project} \
  --value=10000
Important note: some quotas require an explicit request to Google to lower them (counter-intuitive, but that’s their system). For quotas you can’t modify directly, contact support.
Mechanism 3 — API Key Restrictions
An unrestricted Google API key can call all your APIs from any IP or domain. This is a major risk. In APIs & Services → Credentials → Edit API Key, configure:
Application Restrictions
- HTTP referrers: for front-end keys (e.g., https://your-domain.com/*)
- IP addresses: for server keys (e.g., your production IP)
- Android apps / iOS apps: for mobile apps
API Restrictions
Give each key access only to the APIs it needs. A Maps key shouldn’t be able to call the Compute Engine or Cloud Storage API.
Mechanism 4 — Billing Export to BigQuery
Billing Export to BigQuery lets you monitor costs in near real time and create custom alerts. In Billing → Billing Export → BigQuery Export → Edit Settings, enable “Standard usage cost” and “Detailed usage cost”.
-- Costs by service for yesterday (one partition day of the export table)
SELECT
  service.description,
  SUM(cost) AS total_cost,
  SUM(usage.amount) AS total_usage
FROM
  `your-project.billing_dataset.gcp_billing_export_v1_XXXXXX`
WHERE
  DATE(_PARTITIONTIME) = DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)
GROUP BY
  service.description
ORDER BY
  total_cost DESC
LIMIT 20;
Mechanism 5 — Automatic Kill Switch (The Real Hard Cap)
The most powerful mechanism: a Cloud Function that automatically disables your project’s billing when the budget is exceeded. We’ve written a complete tutorial with Python code to set it up: How to Build an Automatic Kill Switch for Google Cloud Billing.
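The core of that kill switch, as an added example that is not the linked tutorial's code: the function subscribed to the budget's Pub/Sub topic decodes the notification, compares spend against the budget, and detaches the project from its billing account. It assumes the google-cloud-billing library and a service account allowed to change project billing (a Project Billing Manager role is the assumption here); the sample message is constructed.

```python
import base64
import json

def parse_budget_notification(pubsub_message):
    """Decode the base64 JSON body of a budget notification (fields
    budgetDisplayName, costAmount, budgetAmount as Google documents them)."""
    body = json.loads(base64.b64decode(pubsub_message["data"]).decode("utf-8"))
    return {"name": body.get("budgetDisplayName", ""),
            "cost": float(body["costAmount"]),
            "budget": float(body["budgetAmount"])}

def over_budget(notification):
    """The hard cap: spend has reached or passed the configured budget."""
    return notification["cost"] >= notification["budget"]

def disable_project_billing(project_id):
    """Detach the project from its billing account, which stops every paid
    resource in it. Needs google-cloud-billing and a service account with
    permission to change project billing (assumption: Project Billing Manager)."""
    from google.cloud import billing_v1  # imported lazily so the module loads offline

    client = billing_v1.CloudBillingClient()
    name = f"projects/{project_id}"
    if not client.get_project_billing_info(name=name).billing_enabled:
        return False  # already detached: repeated notifications are harmless
    client.update_project_billing_info(
        name=name,
        project_billing_info=billing_v1.ProjectBillingInfo(billing_account_name=""),
    )
    return True

def handle_budget_event(pubsub_message, project_id, disable_fn=disable_project_billing):
    """Cloud Function logic. Budgets publish several notifications a day at any
    spend level, so the decision rests on the figures, not on message arrival."""
    n = parse_budget_notification(pubsub_message)
    if not over_budget(n):
        return f"{n['name']}: {n['cost']:.2f} of {n['budget']:.2f}, billing kept on"
    if disable_fn(project_id):
        return f"{n['name']}: over budget, billing disabled on {project_id}"
    return f"{n['name']}: over budget, billing was already disabled"

if __name__ == "__main__":
    # Constructed sample notification: 120.50 spent against a 100.00 budget.
    sample = {"data": base64.b64encode(json.dumps(
        {"budgetDisplayName": "prod", "costAmount": 120.5, "budgetAmount": 100}).encode()).decode()}
    print(handle_budget_event(sample, "my-project", disable_fn=lambda p: True))
```

Detaching billing takes down everything billable in the project, so the function belongs on a project you are willing to see stopped, and the budget's thresholds are irrelevant to it: only the cost versus budget figures matter.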
Recommended Protection Stack
- Budget Alerts at 50%, 80%, 100%, 500% — for visibility
- Strict API Quotas per service — to block abuse at the API level
- Key Restrictions (IP/referrer + API scope) — to reduce attack surface
- Billing Export to BigQuery + dashboard — for real-time monitoring
- Automatic Kill Switch (Cloud Function + Pub/Sub) — for the real hard cap
None of these mechanisms alone is sufficient. It’s their combination that truly protects you. And even with all of this in place, a regular audit of your configuration remains essential — permissions evolve, keys propagate, configurations drift.
🔐 Not sure your API keys and cloud configuration are secure?
Klack offers a complete security audit: exposed key detection, billing limit setup, automatic alerts, and kill switch implementation. Response within 24-48 hours.