Google API Key
| Field | Value |
|---|---|
| ID | google_api_key |
| Severity | low |
| Vendor | |
| Family | API Token |
Description
A Google API key is used to authenticate client software to the Google APIs (such as Google Maps). An API key is a simple encrypted string that identifies an application without any principal. API keys are useful for accessing public data anonymously, and they are used to associate API requests with a customer project for quota and billing.
Security
API keys do not give access to private or sensitive data, but exposing a key may result in unauthorized usage and quota theft.
This is probably the reason why API keys are so often hardcoded in source code (as a GitHub code search like this confirms).
Google API keys should be handled much like any other secret. Google provides some recommendations in "Securing an API key". In essence: do not hardcode keys or write them in a file under your source tree, use a secrets vault if possible, delete unused API keys to minimize the attack surface, and limit the scope and source of requests made with the API key.
Mitigation / Fix
- Remove the Google API key from the source code or committed configuration file.
- Follow your policy for handling leaked secrets, which typically requires regenerating the API key (old keys continue to work for 24 hours to help with key renewal in your software).
- Check access logs to ensure that the API key was not abused during the compromised period. Using the Google Cloud console, API key usage in the past month can be monitored.
- API keys are unrestricted by default, but they should be limited in scope (the APIs they may call) and, where possible, restricted in the source of the HTTP requests they accept.
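A minimal scanner for the secret this detector targets, added here as an example (it is not part of this page or of Google's tooling). It assumes the well-known Google API key format, which the page does not spell out: the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`; the sample config is constructed, and findings are redacted so they can be logged without re-leaking the key.

```python
import re
from typing import NamedTuple

# Google API key format (assumption not stated on the page): the fixed prefix
# "AIza" plus exactly 35 characters from [0-9A-Za-z_-], 39 characters in total.
# Lookarounds stop the pattern from matching inside a longer token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)


class Finding(NamedTuple):
    line_no: int
    redacted: str  # enough of the key to match it in the Cloud console, no more


def redact(key: str) -> str:
    """Keep the prefix and the last 4 characters; never log the full key."""
    return key[:8] + "..." + key[-4:]


def scan(text: str) -> list[Finding]:
    """Return one Finding per Google API key found in the given file content."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(line_no, redact(match.group(0))))
    return findings


# Constructed sample: a settings file with a hardcoded key, the same key
# embedded in a request URL, and a near-miss that must not be reported.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
MAPS_KEY = "AIzaSyD-EXAMPLE_k3y_0123456789abcdefghi"
GEOCODE_URL = "https://maps.googleapis.com/maps/api/geocode/json?key=AIzaSyD-EXAMPLE_k3y_0123456789abcdefghi"
NOT_A_KEY = "AIzaTooShort"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: possible Google API key {finding.redacted}")
```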