You might see usage in your GCP console that seems like "ghost" or "phantom" usage, that you have no idea where it is coming from or how it could be generated based on your actual resources.
Usually this usage is actually coming from GCP itself; for example, if you are using the web console features a lot, it is making API calls to your GCP account to do things like list the resources you are using. And in general, GCP needs to make various "admin" API calls to keep tabs on everything.
For example, I started seeing a bunch of
compute.v1.InstancesService.List calls as I started to use my dashboard more.
Relevant S/O: here
How do you scope permissions for it? Auth?
- You can use security roles to setup roles for access within a collection
Connection is established with an API key
- If you use Firestore via a front-end API (e.g. in the browser itself, with JS), then that API key is exposed by default to all users
- If you only use the API via a backend (Node, C#, etc), then you could wrap your calls to Firestore with your own auth checks to scope access