At least read the article in full before commenting. You don't need to deploy LLM generated code at all for the privilege escalation. The Gemini API merely needs to be enabled and there are no access restrictions by default.

Google guidelines say "API keys" (a huge misnomer for something that is more accurately described as a project ID) are not secrets. The idea of creating an internal project goes against what the guidelines suggest. The "API keys" are customer facing identifiers.