llm-shield-cloud-gcp 0.1.1

GCP cloud integrations for LLM Shield - Secret Manager, Cloud Storage, Cloud Monitoring
Documentation

llm-shield-cloud-gcp

GCP cloud integrations for LLM Shield - Secret Manager, Cloud Storage, Cloud Monitoring, and Cloud Logging.

Overview

Production-ready GCP implementations of cloud abstraction traits:

  • GCP Secret Manager - Secure secret storage with automatic caching
  • GCP Cloud Storage - Object storage for models and results
  • GCP Cloud Monitoring - Application metrics and monitoring
  • GCP Cloud Logging - Structured logging and log aggregation

Installation

[dependencies]
llm-shield-cloud-gcp = "0.1"
llm-shield-cloud = "0.1"
tokio = { version = "1.35", features = ["full"] }

Quick Start

Secret Manager

use llm_shield_cloud_gcp::GcpSecretManager;
use llm_shield_cloud::CloudSecretManager;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let secrets = GcpSecretManager::new("my-project-id").await?;
    let api_key = secrets.get_secret("openai-api-key").await?;
    println!("API Key: {}", api_key.as_string());
    Ok(())
}

Cloud Storage

use llm_shield_cloud_gcp::GcpCloudStorage;
use llm_shield_cloud::CloudStorage;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let storage = GcpCloudStorage::new("llm-shield-models").await?;

    let data = b"Hello, GCS!";
    storage.put_object("test.txt", data).await?;

    let retrieved = storage.get_object("test.txt").await?;
    assert_eq!(data, retrieved.as_slice());

    Ok(())
}

Cloud Monitoring

use llm_shield_cloud_gcp::GcpCloudMonitoring;
use llm_shield_cloud::{CloudMetrics, Metric};
use std::collections::HashMap;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let metrics = GcpCloudMonitoring::new("my-project-id").await?;

    let metric = Metric {
        name: "scan_duration".to_string(),
        value: 123.45,
        timestamp: std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)?
            .as_secs(),
        dimensions: HashMap::new(),
        unit: Some("ms".to_string()),
    };

    metrics.export_metric(&metric).await?;
    Ok(())
}

Cloud Logging

use llm_shield_cloud_gcp::GcpCloudLogging;
use llm_shield_cloud::{CloudLogger, LogLevel};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let logger = GcpCloudLogging::new("my-project-id", "llm-shield-api").await?;
    logger.log("API server started", LogLevel::Info).await?;
    Ok(())
}

Configuration

cloud:
  provider: gcp
  gcp:
    project_id: my-project-id
    secret_manager:
      enabled: true
      cache_ttl_seconds: 300
    storage:
      bucket: llm-shield-models
      models_prefix: models/
    monitoring:
      enabled: true
    logging:
      enabled: true
      log_name: llm-shield-api

GCP Credentials

Uses Application Default Credentials (ADC):

  1. GOOGLE_APPLICATION_CREDENTIALS environment variable
  2. gcloud auth application-default login credentials
  3. Service account on GCE/GKE
  4. Workload Identity for GKE pods

Development Setup

# Install gcloud CLI
curl https://sdk.cloud.google.com | bash

# Authenticate
gcloud auth application-default login

# Set project
gcloud config set project my-project-id

Production (Service Account)

# Create service account
gcloud iam service-accounts create llm-shield-sa \
  --display-name="LLM Shield Service Account"

# Grant permissions (use custom role)
gcloud projects add-iam-policy-binding my-project-id \
  --member="serviceAccount:llm-shield-sa@my-project-id.iam.gserviceaccount.com" \
  --role="projects/my-project-id/roles/LLMShieldFullAccess"

# Create key
gcloud iam service-accounts keys create key.json \
  --iam-account=llm-shield-sa@my-project-id.iam.gserviceaccount.com

# Set environment variable
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json

GKE Workload Identity

# Enable Workload Identity on cluster
gcloud container clusters update my-cluster \
  --workload-pool=my-project-id.svc.id.goog

# Create Kubernetes service account
kubectl create serviceaccount llm-shield-ksa

# Bind to GCP service account
gcloud iam service-accounts add-iam-policy-binding \
  llm-shield-sa@my-project-id.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:my-project-id.svc.id.goog[default/llm-shield-ksa]"

# Annotate Kubernetes service account
kubectl annotate serviceaccount llm-shield-ksa \
  iam.gke.io/gcp-service-account=llm-shield-sa@my-project-id.iam.gserviceaccount.com

Use in pod:

apiVersion: v1
kind: Pod
metadata:
  name: llm-shield-api
spec:
  serviceAccountName: llm-shield-ksa
  containers:
    - name: api
      image: llm-shield:latest

IAM Permissions

See iam-roles/ for custom role definitions:

  • secret-manager-role.yaml - Secret Manager permissions
  • storage-role.yaml - Cloud Storage permissions
  • monitoring-role.yaml - Monitoring and Logging permissions
  • llm-shield-full-role.yaml - All permissions (dev/test)

Creating Custom Roles

# Create custom role
gcloud iam roles create LLMShieldFullAccess \
  --project=my-project-id \
  --file=iam-roles/llm-shield-full-role.yaml

# Assign to service account
gcloud projects add-iam-policy-binding my-project-id \
  --member="serviceAccount:llm-shield-sa@my-project-id.iam.gserviceaccount.com" \
  --role="projects/my-project-id/roles/LLMShieldFullAccess"

Testing

Unit Tests

cargo test -p llm-shield-cloud-gcp

Integration Tests

export TEST_GCP_PROJECT=my-project-id
export TEST_GCS_BUCKET=llm-shield-test-bucket

cargo test -p llm-shield-cloud-gcp --test integration -- --ignored

Performance

Operation Throughput Latency (p50)
Secret fetch (cached) 100,000/s <1ms
Secret fetch (uncached) 1,000/s ~50ms
GCS upload (1MB) 50 MB/s ~20ms
GCS upload (50MB resumable) 80 MB/s ~625ms
Metrics export (batch) 1,000/s ~10ms
Logs export (batch) 10,000/s ~5ms

Cost Estimates

Monthly costs (production):

Service Usage Cost
Secret Manager 10 secrets, 100K ops ~$3
Cloud Storage 100 GB, 1M ops ~$3
Cloud Logging 50 GB ingested ~$25
Cloud Monitoring 50 metrics ~$8
Total ~$39/month

Security Best Practices

  1. Use Workload Identity for GKE (no service account keys)
  2. Apply least-privilege IAM roles
  3. Enable audit logging for all services
  4. Rotate service account keys regularly
  5. Use customer-managed encryption keys (CMEK)
  6. Set bucket lifecycle policies
  7. Enable VPC Service Controls

Troubleshooting

Authentication Errors

# Check current authentication
gcloud auth list

# Check ADC
gcloud auth application-default print-access-token

# Verify project
gcloud config get-value project

Permission Errors

# List IAM policy for service account
gcloud projects get-iam-policy my-project-id \
  --flatten="bindings[].members" \
  --filter="bindings.members:serviceAccount:llm-shield-sa@my-project-id.iam.gserviceaccount.com"

# Test Secret Manager access
gcloud secrets versions access latest --secret="test-secret"

# Test Cloud Storage access
gsutil ls gs://llm-shield-models/

License

MIT OR Apache-2.0

Related Crates