在谷歌云项目中启用所有 API

Question

Google Cloud needs enabled API before many things are possible to be done.

Enabling needs just one CLI command, and usually is very fast. Enabling is even proposed by CLI if I try to do something which requires not-enabled API. But it anyway interrupts development.

My question is why they are not enabled by default? And is it ok if I enable them all just after creating new project to don't bother about enabling them later?

I would like to understand purpose of such design and learn best practices.

Answer 1

Well, they're disabled mainly in order not to incurr costs that you weren't intending on inducing, for you to be aware which service you're using at which point and to track the usage/costs for each of them.

Also, some services like Pub/Sub are dependent on others, and others such as Container Registry (or Artifact Registry), require a Cloud Storage bucket for artifacts to be stored, and it will create a one automatically if you're pushing a Docker image or using Cloud Build. So these are things for you to be aware of.

Enabling an API takes a bit of time depending on the service, yes, but it's a one-time action per project. I'm not sure what exactly your concerns on the waiting time are, but if you want to run commands while having executed a gcloud command to enable some APIs you can use the --async flag which will run the commands in the background without needing you to wait for it to complete before running another one.

Lastly, sure, you can just enable them all if you know what you're doing but at your own risk - it's a safer route to enable just the ones you need and as you might already be aware, you can enable multiple in a single gcloud command. In the example of Container Registry, it uses Cloud Storage, for which you will still be billed on.

Answer 2

Enabling services enables access to (often billed) resources.

It's considered good practice to keep this "surface" of resources constrained to those that you(r customers) need; the more services you enable, the greater your potential attack surface and potential bills.

Google provides an increasing number of services (accessible through APIs ). It is highly unlikely that you would ever want to access them all.

APIs are enabled by Project. The Project creation phase (including enabling services) is generally only a very small slice of the entire lifetime of a Project; even of those Projects created-and-torn-down on demand.

It's possible to enable the APIs asynchronously, permitting you to enable-not-block each service:

for SERVICE in "containerregistry" "container" "cloudbuild" ...
do
  gcloud services enable ${SERVICE}.googleapis.com --project=${PROJECT} --async
done

Following on from this, it is good practice to automate your organization's project provisioning (scripts, Terraform , Deployment Manager etc.). This provides a baseline template for how your projects are created, which services are enabled, default permissions etc. Then your developers simply fire-and-forget a provisioner (hopefully also checked-in to your source control), drink a coffee and wait these steps are done for them.