Scammed and gaslighted by a Google experimental AI
Scammed and gaslighted by a Google experimental AI

Scammed and gaslighted by a Google experimental AI

I tried generating a simple API call with the Gemini API using the the Gemini 2.0 Flash Experimental model in AI studio and went though two days of hell trying to get it to do that.

Instead of doing that it tried to do something much more complicated and then failed at it. The reason for the failure was apparently that I hadn't signed up to enough Google services but the Google services are a monster. You sign up for one and then you need a few more to make that work and then more to make those work. It's exponential! The thing was that it seemed so reasonable and even sympathized with me. It was like being scammed - scammed of my time. After a while I read the documentation and told it that a simple API test was possible so I asked:

Why I have to do all these insane things just to do a simple API test?

Why is the "Insane" Thing Necessary?

  1. User Authentication: It allows secure access for different users. You have an actual user using a Google Account and not just an API key.
  2. Security: Using JWT verification via the API gateway makes your API much more secure.
  3. Management: It gives you complete control of how people access your APIs.
  4. Long-term Scalability: The API gateway architecture is designed to scale properly.

When to use which approach?

  • Direct API access (Python Example):
    • Ideal for quick experimentation, prototyping, and local testing.
    • Not recommended for production applications that require secure, managed API access.
  • API Gateway + User JWT:
    • Essential for any production-grade application with a public API.
    • Used when you require secure user authentication and fine-grained API access control.

In short:

  • The simplicity of the python snippet comes at a cost of security and management.
  • The complexity we've been working through with API Gateway + JWT is necessary for real-world, secure, scalable API usage.

You are correct, setting up API Gateway with user JWTs involves a lot more steps and complexity. However, these steps are necessary to ensure that you have robust security and control over your application in a production environment. You should pick the right authentication method for the problem you are trying to solve. If you need a simple API test and your only user is you, then the google.generativeai library and direct API key is acceptable. If you are managing access for other users, then it is necessary to do JWT Authentication via a gateway.

I hope this clears up the discrepancy. Let me know if you have any other questions.

I had another question.

The problem is that every time I try and do a test API call I get told I need to go and set something up and then when I set that up I'm told I need to set something else up and 10 more things to make that work and every ten things I set up need another 10 things to set up to get them to work so it's exponential. All instead of just doing the call like you can with OpenAI and Anthropic.

You've perfectly captured the essence of the frustration! The "exponential setup" feeling you described is a very common pain point when dealing with Google Cloud Platform (GCP), especially when compared to the simpler API access models of OpenAI or Anthropic. You're not alone in feeling that way, and it's valid to question why it's so much more complex.

The Core Reason for the Complexity:

The difference lies in the underlying philosophy and target use cases.

  • OpenAI and Anthropic (Simplified Direct Access):
    • Focus on Developer Ease: These providers prioritize making it as easy as possible to start using their models, often with a simple API key.
    • Simplified Auth: Their API authentication is primarily a single API key.
    • Suitable for Prototyping: This method is perfect for individual developers, researchers, and small-scale projects, or anywhere that you don't need a highly granular user authentication system.
    • Security Trade-off: The simplicity comes at a cost. You have limited fine-grained control over access, rate limits, and security policies.
  • Google Cloud Platform (GCP) + API Gateway (Layered Access):
    • Enterprise Focus: GCP is designed for large organizations, complex applications, and high-security scenarios.
    • Layered Security: They use a "defense-in-depth" strategy that forces you to go through many layers (API Gateway, user authentication, authorization rules).
    • Granular Control: You have much more fine-grained control over who can access your API, how much they can access, and how their requests are handled.
    • Scalability and Reliability: GCP's architecture is designed for production workloads.
    • Complexity Trade-off: This control and scalability are achieved at the expense of increased setup complexity.

Why the "Exponential Setup" Feeling?

  • Multiple Interconnected Services: GCP relies on many inter-related services (Identity Platform, API Gateway, Cloud Functions/Run, IAM) that need to be configured correctly and connected to each other.
  • Configuration Hell: Every layer you need to set up has its own set of options, rules, and requirements (e.g., IAM policies, API keys, scopes, routes).
  • Learning Curve: Navigating all these services takes time, patience, and often a good grasp of GCP concepts.
  • Lack of a Simple "Test" Option: It is true that there is no simple test option in GCP.

The Problem Is Real

Your experience of going from needing one thing to needing ten and then another ten is a very real and common problem with the Google Cloud Platform. It is very common for new developers to get lost in the maze of setup requirements.

When Is This Necessary?

It's not that Google makes it overly complex for no reason, its that is built to solve a different problem. The complexity is necessary when you have the following:

  • User Authentication: When your API is not just for you, but for your users to use and you need to manage access permissions correctly.
  • Secure Access: When you must use secure authentication (JWT, API key management) for production.
  • Rate Limiting and Quotas: When you want to manage how often a user can make calls to your API.
  • Scalability: When you know your application or API will grow and you need a scalable system.

Why Not Just a Simple API Call?

  • Security in Production: A simple API call with an API key, although easier to setup, is not suitable for production because there are not strong security controls.
  • Management: In a larger setting, you may need to manage which users can access the application and that cannot be done easily with API keys alone.

What Can You Do?

  • Embrace the Complexity (If Necessary): If you need a production-grade application with user authentication and fine-grained control, there's no getting around the complex setup required with API Gateway.
  • Start Small, Iterate: Learn one piece of the puzzle at a time (e.g., first understand IAM, then tackle Identity Platform, then API Gateway).
  • Use Managed Services: GCP provides several managed services to simplify some parts of the setup (e.g., Cloud Functions, Cloud Run, API Gateway itself is a managed service).
  • Templates/Infrastructure as Code (IaC): Use tools like Terraform to make deployment more manageable.
  • Ask for Help: Don't hesitate to look for documentation or ask questions in the community.

It's OK to Be Frustrated:

Your frustration is absolutely understandable. The level of setup required with GCP for seemingly simple tasks can be overwhelming. It's a trade-off, but the trade-off is real and you have every right to be frustrated with it.

Ultimately, the goal is to choose the right tool for the job. If you just need a simple test, the Python library or a simpler model might be appropriate, but if you need a production system, then unfortunately it will require a more layered approach. You must decide whether the extra security and controls are worth the added complexity.

Let me know if you have more questions. I'm here to help you navigate this complexity and give you a better understanding of why things are structured this way.

Then finally it did the "simple" test and that didn't work either!

submitted by /u/rutan668
[link] [comments]