catalog logoThe IAM Privilege Catalog

services / Google Cloud / Google API Keys

An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key.

Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.

apikeys.​keys.​create

There is a maximum of 300 API keys per project that cannot be increased. The key creation API response does not actually return the key.

Risks

  1. Spend (MEDIUM)
  2. Infrastructure consumption (LOW)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​cloud.​google.​com/​docs/​authentication/​api-​keys
  • https:​/​/​cloud.​google.​com/​api-​keys/​docs/​reference/​rest/​v2/​keys
  • https:​/​/​cloud.​google.​com/​api-​keys/​docs/​overview

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog