- Check for API Key Application Restrictions
Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
Google Cloud API keys are simple encrypted strings that don't identify the user or the application that performs the API request. These keys are typically accessible to clients, as they can be viewed publicly from within a browser, making it easy to discover and steal API keys. Considering these potential risks, Google suggests using the standard authentication flow instead of API keys. Nonetheless, there are specific scenarios where API keys are more suitable. For instance, if there is a mobile application that solely requires access to the Google Cloud Translation API without the need for a backend server, API keys provide the most straightforward authentication method available. To follow cloud security best practices and reduce the attack surface, Google Cloud API keys should be restricted only to trusted and reliable hosts, HTTP referrers, and Android/iOS mobile applications.
Audit
To ensure that your API key usage is restricted to trusted hosts and applications only, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis.
04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected GCP project.
05 Click on the name (link) of the API key that you want to examine to access the key properties.
06 On the selected API key page, check the application restriction option enabled in the Key restrictions section. Based on the selected restriction, determine if the selected API key usage is unrestricted:
- If the host/application restriction is set to None, there is no restriction control enabled to specify which websites, IP addresses, or mobile applications can use the key, therefore the selected API key usage is unrestricted.
- If the restriction is set to Websites, check the Website restrictions section for the list of websites that can use the selected API key. If the referrer is set to a wildcard, i.e. *, *.[TLD], or *.[TLD]/*, where [TLD] represents the top-level domain, there are no well-defined restrictions that specify which trusted websites can use your key, therefore the selected API key usage is unrestricted. Also, if the Website restrictions list is blank (no items), your API key will accept requests from any website, hence the API key usage is unrestricted.
- If the host/application restriction is set to IP addresses, check the IP address restrictions section for the list of IPv4 or IPv6 addresses that can access the selected API key. If the allowed address is set to any host, i.e. 0.0.0.0, 0.0.0.0/0 or ::0, there is no restriction control implemented to specify which host can use your key, therefore the selected API key usage is unrestricted.
07 Repeat steps no. 5 and 6 for each API key created for the selected Google Cloud Platform (GCP) project.
08 Repeat steps no. 2 – 7 for each GCP project deployed within your cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project IDs:
PROJECT_ID
cc-webapp-112233
cc-project5-111222
03 Run services api-keys list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the identifier of each active API key generated for the selected project:
gcloud alpha services api-keys list --project=cc-webapp-112233 --format="table(uid)"
04 The command output should return the IDs of the active API keys:
UID
abcd1234-abcd-1234-abcd-1234abcd1234
1234abcd-1234-abcd-1234-abcd1234abcd
05 Run services api-keys describe command (Windows/macOS/Linux) using the ID of the API key that you want to examine as the identifier parameter and custom query filters to describe the API key host and application restrictions configured for the selected key:
gcloud alpha services api-keys describe abcd1234-abcd-1234-abcd-1234abcd1234 --format="json(restrictions)"
06 Based on the services api-keys describe command output, you can determine if the use of the selected API key is unrestricted:
- If the command output returns null, there is no restriction control enabled to specify which websites, IP addresses, or mobile applications can use the key, therefore the selected API key usage is unrestricted:
null
- If the command output returns one or more HTTP referrers for API key application restrictions, as shown in the example below, check the "allowedReferrers" array for the list of domains that can use the selected API key. If the referrer is set to a wildcard, i.e. *, *.[TLD], or *.[TLD]/*, where [TLD] represents the top-level domain, there are no well-defined restrictions that specify which trusted websites can use your key, therefore the selected API key usage is unrestricted:
{
  "restrictions": {
    "browserKeyRestrictions": {
      "allowedReferrers": [
        "*.example.com"
      ]
    }
  }
}
- If the services api-keys describe command output returns one or more IPv4/IPv6 addresses for API key application restrictions, as shown in the example below, check the "allowedIps" array for the list of hosts that can access the selected API key. If "allowedIps" is set to any host, i.e. 0.0.0.0, 0.0.0.0/0 or ::0, there is no restriction control implemented to specify which host can use your key, therefore the selected API key usage is unrestricted:
{
  "restrictions": {
    "serverKeyRestrictions": {
      "allowedIps": [
        "0.0.0.0/0"
      ]
    }
  }
}
07 Repeat steps no. 5 and 6 for each API key generated for the selected Google Cloud Platform (GCP) project.
08 Repeat steps no. 3 – 7 for each project deployed within your cloud account.
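The CLI audit above is easy to script. The following POSIX shell is an added example, not part of this Conformity page or of the gcloud CLI: the function classify_key_restrictions applies the page's own criteria (null restrictions, an empty list, a wildcard referrer of the form *, *.[TLD] or *.[TLD]/*, or an any-host address) to the JSON that `gcloud alpha services api-keys describe --format="json(restrictions)"` prints, and audit_api_keys walks every project and key with the same gcloud commands the page uses. All function and variable names, the tab-separated report format, and the extra IPv6 spellings ::/0 and ::0/0 are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Conformity page or the gcloud CLI: classify
# the "restrictions" JSON printed by `gcloud alpha services api-keys describe
# --format="json(restrictions)"` using the page's own criteria.
# Function and variable names are this example's, not gcloud's.

# A referrer such as "*" would be expanded against the filesystem when the
# list is split into words, so pathname expansion is turned off.
set -f

# Print the elements of the JSON string array named $2 in JSON text $1,
# one per line and without quotes. Assumes the flat array shape gcloud emits.
json_string_array() {
  printf '%s' "$1" | tr -d ' \t\n\r' \
    | sed -n "s/.*\"$2\":\[\([^]]*\)\].*/\1/p" \
    | tr ',' '\n' | sed 's/^"//; s/"$//'
}

# Exit status 0 = restricted, 1 = unrestricted; a one-line verdict on stdout.
classify_key_restrictions() {
  compact=$(printf '%s' "$1" | tr -d ' \t\n\r')
  case "$compact" in
    ''|null|'{}'|'{"restrictions":{}}'|'{"restrictions":null}')
      echo "UNRESTRICTED: no application restriction set"; return 1 ;;
  esac
  case "$compact" in
    *'"allowedReferrers"'*)
      refs=$(json_string_array "$compact" allowedReferrers)
      if [ -z "$refs" ]; then
        echo "UNRESTRICTED: empty website restriction list"; return 1
      fi
      for r in $refs; do
        # *, *.[TLD] and *.[TLD]/* are the wildcard forms the page treats as unrestricted
        if printf '%s' "$r" | grep -Eq '^\*(\.[A-Za-z0-9-]+(/\*)?)?$'; then
          echo "UNRESTRICTED: wildcard referrer $r"; return 1
        fi
      done
      echo "RESTRICTED: websites"; return 0 ;;
    *'"allowedIps"'*)
      ips=$(json_string_array "$compact" allowedIps)
      if [ -z "$ips" ]; then
        echo "UNRESTRICTED: empty IP restriction list"; return 1
      fi
      for ip in $ips; do
        case "$ip" in
          # 0.0.0.0, 0.0.0.0/0 and ::0 come from the page; ::/0 and ::0/0 are
          # added here as equivalent any-host spellings (assumption).
          0.0.0.0|0.0.0.0/0|::0|::/0|::0/0)
            echo "UNRESTRICTED: any-host address $ip"; return 1 ;;
        esac
      done
      echo "RESTRICTED: ip addresses"; return 0 ;;
    *'"allowedApplications"'*) echo "RESTRICTED: android apps"; return 0 ;;
    *'"allowedBundleIds"'*)    echo "RESTRICTED: ios bundles";  return 0 ;;
  esac
  echo "UNRESTRICTED: unrecognised restriction shape"; return 1
}

# Walk every project and API key visible to the active gcloud account and
# print "project<TAB>key uid<TAB>verdict" per key. Not invoked here; call it
# from a shell that is already authenticated with gcloud.
audit_api_keys() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    for uid in $(gcloud alpha services api-keys list --project="$project" \
                   --format="value(uid)"); do
      restrictions=$(gcloud alpha services api-keys describe "$uid" \
                       --project="$project" --format="json(restrictions)")
      verdict=$(classify_key_restrictions "$restrictions" || true)
      printf '%s\t%s\t%s\n' "$project" "$uid" "$verdict"
    done
  done
}
```

Source the file and run audit_api_keys to get one line per key; any line whose verdict starts with UNRESTRICTED is a key to fix with the remediation steps that follow. The classifier deliberately treats *.example.com/* as restricted, because the page accepts a wildcard confined to a single domain and flags only wildcards that span a whole top-level domain.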
Remediation / Resolution
To enable and configure application restrictions for your Google Cloud API keys, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.
03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis.
04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected GCP project.
05 Click on the name (link) of the API key that you want to reconfigure.
06 On the selected API key page, in the Key restrictions section, perform one of the following sets of commands, based on your application needs:
- Select Websites, choose ADD under Website restrictions, and type the trusted HTTP referrer that can use the selected API key in the Website text box. Choose DONE to apply the changes. An HTTP referrer can be a trusted domain (e.g. example.com), a specific URL with an exact path (e.g. example.com/path), any URL within a single subdomain (e.g. subdomain.example.com/*), a URL with a non-standard port (e.g. example.com:8000/*), or any subdomain or path URL within a single domain that is using wildcards (e.g. *.example.com/*). If your trusted domain supports both HTTP and HTTPS, both restrictions must be added separately. Do not set the following HTTP referrers (using wildcards): *, *.[TLD], or *.[TLD]/*, where [TLD] represents the top-level domain, as these referrers allow access from a wide range of HTTP referrers. Use HTTP referrers for API clients that run in a web browser, so that only the specified URLs can call the API.
- Select IP addresses, choose ADD under IP address restrictions, and specify one IPv4 address, one IPv6 address, or a subnet using CIDR notation (e.g. 10.0.0.5/32) in the Address text box. Choose DONE to apply the changes. Do not use the following CIDRs for IPv4/IPv6 addresses: 0.0.0.0, 0.0.0.0/0 or ::0, as these allow access from any host and translate to unrestricted access. Use specific IP addresses to limit API key access to trusted hosts only.
- Select Android apps, choose ADD under Android restrictions, and specify the app package name and the required SHA-1 signing-certificate fingerprint in the Add Android app section. Choose DONE to apply the changes. You can use this option only if you can provide a debug certificate fingerprint or a release certificate fingerprint in the SHA-1 certificate fingerprint box.
- Select iOS apps, choose ADD under iOS restrictions, then type the required iOS bundle identifier (ID) in the Bundle ID box. Choose DONE to apply the configuration changes. This option requires adding at least one iOS bundle identifier (ID) in order to restrict API calls to specific iOS bundles.
07 Choose SAVE to save the changes.
08 (Optional) You can also choose to remove the non-compliant API key entirely. Select the API key that you want to remove and choose DELETE from the top menu. In the Delete credential confirmation box, choose DELETE to confirm the key removal. Once deleted, the key can no longer be used to make API requests. For 30 days after deletion, you can restore your API key from the deleted credentials page.
09 Repeat steps no. 5 – 8 to enable and configure host/application restrictions for each API key created for the selected GCP project.
10 Repeat steps no. 2 – 9 for each project available within your Google Cloud Platform (GCP) account.
Using GCP CLI
01 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable host/application restrictions. Use the --allowed-ips parameter to specify the allowed IP addresses as server key restrictions for the selected API key. For example, the following command limits API key access to the trusted IPs (hosts) specified by the --allowed-ips parameter (e.g., 10.0.0.5 and 10.0.0.6):
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234 --allowed-ips=10.0.0.5,10.0.0.6
02 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result:
{
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2023-06-18T10:27:46.153370Z",
  "displayName": "cc-webapp-112233",
  "etag": "abcdabcdabcdabcdabcdab==",
  "name": "projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "restrictions": {
    "serverKeyRestrictions": {
      "allowedIps": [
        "10.0.0.5",
        "10.0.0.6"
      ]
    }
  },
  "uid": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime": "2023-06-18T13:16:04.687488Z"
}
03 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable application restrictions. Use the --allowed-referrers parameter to enable allowed referrers restriction for the selected key. For example, the following command allows API key access only to the trusted domains/subdomains specified by the --allowed-referrers parameter:
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234 --allowed-referrers="https://www.domain.com/*,https://sub.domain.com/*"
04 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result:
{
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2023-06-18T10:27:46.153370Z",
  "displayName": "cc-webapp-112233",
  "etag": "abcdabcdabcdabcdabcdab==",
  "name": "projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "restrictions": {
    "browserKeyRestrictions": {
      "allowedReferrers": [
        "https://www.domain.com/*",
        "https://sub.domain.com/*"
      ]
    }
  },
  "uid": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime": "2023-06-18T13:16:04.687488Z"
}
05 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable host/application restrictions. To update the API key's allowed Android application, use the --allowed-application parameter. You can use this option only if you can provide a debug certificate fingerprint or a release certificate fingerprint for the sha1_fingerprint parameter value. Replace <your-certificate-fingerprint> and <your-package-name> with your own data:
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234 --allowed-application=sha1_fingerprint=<your-certificate-fingerprint>,package_name=<your-package-name>
06 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result:
{
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2023-06-18T10:27:46.153370Z",
  "displayName": "cc-webapp-112233",
  "etag": "abcdabcdabcdabcdabcdab==",
  "name": "projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "restrictions": {
    "androidKeyRestrictions": {
      "allowedApplications": [
        {
          "sha1Fingerprint": "<your-certificate-fingerprint>",
          "packageName": "<your-package-name>"
        }
      ]
    }
  },
  "uid": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime": "2023-06-18T13:16:04.687488Z"
}
07 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable application restrictions. To update the API key's allowed iOS app bundle ID(s), use the --allowed-bundle-ids command parameter. Replace <your-bundle-id> with your own data:
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234 --allowed-bundle-ids=<your-bundle-id>
08 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result:
{
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2023-06-18T10:27:46.153370Z",
  "displayName": "cc-webapp-112233",
  "etag": "abcdabcdabcdabcdabcdab==",
  "name": "projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "restrictions": {
    "iosKeyRestrictions": {
      "allowedBundleIds": [
        "<your-bundle-id>"
      ]
    }
  },
  "uid": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime": "2023-06-18T13:16:04.687488Z"
}
09 (Optional) You can also remove the non-compliant key entirely. Run services api-keys delete command (Windows/macOS/Linux) to remove the specified API key from your GCP project:
gcloud alpha services api-keys delete abcd1234-abcd-1234-abcd-1234abcd1234
10 The command output should return information about the deleted resource:
Operation operations/akmf...abcd complete. Result:
{
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2023-06-19T13:12:06.025308Z",
  "deleteTime": "2023-06-19T13:05:28.205577Z",
  "displayName": "API key 1",
  "etag": "abcdabcdabcdabcdabcdab==",
  "name": "projects/683977297284/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "restrictions": {
    "serverKeyRestrictions": {
      "allowedIps": [
        "0.0.0.0/0"
      ]
    }
  },
  "uid": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime": "2023-06-19T14:05:28.237699Z"
}
11 Repeat steps no. 1 - 10 to enable and configure host/application restrictions for each API key generated for the selected GCP project.
12 Repeat steps no. 1 – 11 for each project deployed in your Google Cloud Platform (GCP) account.