01 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable host/application restrictions. Use the --allowed-ips parameter to specify the allowed IP addresses as server key restrictions for the selected API key. For example, the following command limits API key access to the trusted IPs (hosts) specified by the --allowed-ips parameter (e.g., 10.0.0.5 and 10.0.0.6):
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234
--allowed-ips=10.0.0.5,10.0.0.6
02 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result: {
"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
"createTime":"2023-06-18T10:27:46.153370Z",
"displayName":"cc-webapp-112233",
"etag":"abcdabcdabcdabcdabcdab==",
"name":"projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
"restrictions":{
"serverKeyRestrictions":{
"allowedIps":[
"10.0.0.5",
"10.0.0.6"
]
}
},
"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
"updateTime":"2023-06-18T13:16:04.687488Z"
}
03 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable application restrictions. Use the --allowed-referrers parameter to enable allowed referrers restriction for the selected key. For example, the following command allows API key access only to the trusted domains/subdomains specified by the --allowed-referrers parameter:
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234
--allowed-referrers="https://www.domain.com/*,https://sub.domain.com/*"
04 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result: {
"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
"createTime":"2023-06-18T10:27:46.153370Z",
"displayName":"cc-webapp-112233",
"etag":"abcdabcdabcdabcdabcdab==",
"name":"projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
"restrictions":{
"browserKeyRestrictions":{
"allowedReferrers":[
"https://www.domain.com/*",
"https://sub.domain.com/*"
]
}
},
"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
"updateTime":"2023-06-18T13:16:04.687488Z"
}
05 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable host/application restrictions. To update API key's allowed Android application, use the --allowed-application parameter. You can use this option only if you can provide a debug certificate fingerprint or a release certificate fingerprint for the sha1_fingerprint parameter value. Replace \<your-certificate-fingerprint\> and \<your-package-name\> with your own data:
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234
--allowed-application=sha1_fingerprint=<your-certificate-fingerprint>,package_name=<your-package-name>
06 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result: {
"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
"createTime":"2023-06-18T10:27:46.153370Z",
"displayName":"cc-webapp-112233",
"etag":"abcdabcdabcdabcdabcdab==",
"name":"projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
"restrictions":{
"androidKeyRestrictions": {
"allowedApplications": [
{
"sha1Fingerprint": "<your-certificate-fingerprint>",
"packageName": "<your-package-name>"
}
]
},
"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
"updateTime":"2023-06-18T13:16:04.687488Z"
}
07 Run services api-keys update command (Windows/macOS/Linux) to update the configuration of the specified API key in order to enable application restrictions. To update API key's allowed iOS app bundle id(s) use the --allowed-bundle-ids command parameter. Replace \ with your own data:
gcloud alpha services api-keys update abcd1234-abcd-1234-abcd-1234abcd1234
--allowed-bundle-ids=<your-bundle-id>
08 The output should return the configuration information available for the updated API key:
Operation operations/akmf...abcd complete. Result: {
"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
"createTime":"2023-06-18T10:27:46.153370Z",
"displayName":"cc-webapp-112233",
"etag":"abcdabcdabcdabcdabcdab==",
"name":"projects/123456789012/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
"restrictions" : {
"iosKeyRestrictions": {
"allowedBundleIds": ["<your-bundle-id>"]
}
},
"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
"updateTime":"2023-06-18T13:16:04.687488Z"
}
09 (Optional) You can also remove the non-compliant key entirely. Run **services api-keys delete** command (Windows/macOS/Linux) to remove the specified API key from your GCP project:
gcloud alpha services api-keys delete abcd1234-abcd-1234-abcd-1234abcd1234
10 The command output should return information about the deleted resource:
Operation operations/akmf...abcd complete. Result: {
"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
"createTime":"2023-06-19T13:12:06.025308Z",
"deleteTime":"2023-06-19T13:05:28.205577Z",
"displayName":"API key 1",
"etag":"abcdabcdabcdabcdabcdab==",
"name":"projects/683977297284/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
"restrictions":{
"serverKeyRestrictions":{
"allowedIps":[
"0.0.0.0/0"
]
}
},
"uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
"updateTime":"2023-06-19T14:05:28.237699Z"
}
11 Repeat steps no. 1 - 10 to enable and configure host/application restrictions for each API key generated for the selected GCP project.
12 Repeat steps no. 1 – 11 for each project deployed in your Google Cloud Platform (GCP) account.