Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Delete Google Cloud API Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that all your Google Cloud projects are using standard authentication flow instead of API keys for authentication. Google Cloud Platform (GCP) API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. GCP API keys are usually accessible to clients, as they can be publicly viewed from within a browser, making it easy to discover and steal an API key.

Security

Because only a limited number of Google Cloud services allow access using just API keys, without requiring another type of credential, Google recommends using a standard authentication flow instead of API keys for most applications. Deleting GCP API keys should enforce the use of secure authentication methods only and minimize the exposure to attacks.

Note: There are limited use cases where API keys are preferred. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't require a backend server, API keys are the simplest way to authenticate to that Google Cloud API. Therefore, make sure that your API keys are reviewed before removal as deleting API keys may break communication with the clients and/or applications that are using those keys.

Audit

To determine if your Google Cloud Platform (GCP) projects are using API keys, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected Google Cloud Platform (GCP) project.

05 On the Credentials page, check for any key entries available in the API Keys section. If one or more keys are listed within the API Keys section, the selected Google Cloud Platform (GCP) project is using API keys as credentials for authentication.

06 Repeat steps no. 2 – 5 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
  cc-project5-112233
  cc-web-prod-111222
  cc-internal-123123

03 Run services api-keys list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the identifier of each active API key created for the selected project: 

gcloud alpha services api-keys list
  --project=cc-project5-112233
  --format="table(uid)"

04 The command output should return the ID(s) of the active GCP API key(s): 

UID:
  abcd1234-abcd-1234-abcd-1234abcd1234
  1234abcd-1234-abcd-1234-abcd1234abcd

If the services api-keys list command output returns one or more API key IDs, as shown in the example above, the selected Google Cloud Platform (GCP) project is using API keys as credentials for authentication.

05 Repeat steps no. 3 and 4 for each project deployed within your Google Cloud account.

Remediation / Resolution

To delete any API keys associated with your Google Cloud Platform (GCP) projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected Google Cloud Platform (GCP) project.

05 On the Credentials page, in the API Keys section, select the API key that you want to delete, and choose DELETE button from the console top menu to remove the selected key from your GCP project. IMPORTANT: Deleting an API key will break dependent clients and/or applications. Ensure that your API key is reviewed before removal.

06 Inside the Delete credential confirmation box, choose DELETE to confirm the removal action. The selected API key will be deleted immediately and permanently.

07 Repeat steps no. 2 – 6 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run services api-keys delete command (Windows/macOS/Linux) with the ID of the API key that you want to delete as the identifier parameter, to remove the specified key from your Google Cloud Platform (GPC) project. IMPORTANT: Deleting an API key will break dependent clients and/or applications. Ensure that your API key is reviewed before removal: 

gcloud alpha services api-keys delete abcd1234-abcd-1234-abcd-1234abcd1234

02 The output should return the metadata available for the deleted API key: 

Operation [operations/akmf.p12-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234] complete. Result: {
  "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime":"2020-10-25T09:01:20.329336Z",
  "deleteTime":"2021-10-28T10:10:07.909888Z",
  "displayName":"cc-project5-api-key",
  "etag":"abcdabcdabcdabcdabcdab==",
  "keyString":"12341234abcdabcd12341234abcdabcd1234123",
  "name":"projects/683977297284/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime":"2021-10-28T10:10:07.937315Z"
}

03 Repeat steps no. 1 and 2 for each API key that you want to delete, created for your GCP project.

04 Repeat steps no. 1 – 3 for each GCP project available within your Google Cloud account.

References

Publication date Oct 28, 2021

Related CloudIAM rules