
Rotate Google Cloud API Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudAPI-001

Ensure that all your Google Cloud API keys are regularly regenerated (rotated) in order to meet security and compliance requirements. By default, it is recommended to rotate keys every 90 days. Google Cloud Platform (GCP) API keys are simple, encrypted strings that can be used when calling specific APIs that don't need to access private user data. API keys are typically used to track API requests associated with your GCP project for quota and billing.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Once a Google Cloud API key is compromised, it can be used indefinitely unless the project owner revokes or regenerates that key. Rotating GCP API keys will substantially reduce the window of opportunity for exploits and ensure that data can't be accessed with an outdated key that might have been lost, cracked, or stolen.


Audit

To determine if your Google Cloud API keys are regularly rotated (i.e. every 90 days), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected Google Cloud Platform (GCP) project.

05 Click on the name (link) of the API key that you want to examine to access the key properties.

06 On the selected API key page, check the Creation date attribute value available in the right column to determine when the API key was created. If more than 90 days have passed since the key was created, the selected Google Cloud Platform (GCP) API key is not regenerated (rotated) on a regular basis.

07 Repeat steps no. 5 and 6 for each API key generated for the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
  cc-project5-112233
  cc-internal-123123
  cc-web-prod-111222

03 Run services api-keys list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the identifier of each active API key created for the selected project:

gcloud alpha services api-keys list \
  --project=cc-project5-112233 \
  --format="table(uid)"

04 The command output should return the IDs of the active API keys:

UID:
  abcd1234-abcd-1234-abcd-1234abcd1234
  1234abcd-1234-abcd-1234-abcd1234abcd

05 Run services api-keys describe command (Windows/macOS/Linux) using the ID of the API key that you want to examine as the identifier parameter and custom query filters to describe the creation time of the selected key:

gcloud alpha services api-keys describe abcd1234-abcd-1234-abcd-1234abcd1234 \
  --format="json(createTime)"

06 The command output should return the API key creation date/time:

CREATE_TIME: 2020-10-25T09:01:20.329336Z

Check the timestamp returned by the services api-keys describe command output to determine when the selected API key was created. If more than 90 days have passed since the key was created, the selected Google Cloud Platform (GCP) API key is not regenerated (rotated) on a regular basis.

07 Repeat steps no. 5 and 6 for each API key generated for the selected GCP project.

08 Repeat steps no. 3 – 7 for each project deployed within your Google Cloud account.
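The audit loop above can be automated. The following script is an added example, not code from the Conformity page or from Google: it applies the 90-day rule to the JSON form of the services api-keys list output (--format=json instead of table(uid), so createTime comes back with each key and the per-key describe step is unnecessary). The sample key records are constructed; only list_project_keys needs a live, authenticated gcloud.

```python
"""Flag GCP API keys older than the rotation period (added example)."""
import json
import subprocess
from datetime import datetime, timezone

ROTATION_DAYS = 90  # rotation period recommended by the rule

# Constructed sample in the shape of `gcloud alpha services api-keys list
# --format=json`; UIDs and names are invented placeholders.
SAMPLE_KEYS_JSON = """[
  {"uid": "abcd1234-abcd-1234-abcd-1234abcd1234",
   "displayName": "cc-project5-api-key",
   "createTime": "2020-10-25T09:01:20.329336Z"},
  {"uid": "1234abcd-1234-abcd-1234-abcd1234abcd",
   "displayName": "cc-project5-mobile-key",
   "createTime": "2021-10-27T09:00:00.827886Z"}
]"""


def parse_rfc3339(value: str) -> datetime:
    """Parse the RFC 3339 timestamps gcloud prints; trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_age_days(key: dict, now: datetime) -> int:
    return (now - parse_rfc3339(key["createTime"])).days


def stale_keys(keys: list, now: datetime, max_age_days: int = ROTATION_DAYS) -> list:
    """Return (uid, displayName, age_days) for each key past the threshold."""
    return [(k["uid"], k.get("displayName", ""), key_age_days(k, now))
            for k in keys if key_age_days(k, now) > max_age_days]


def stale_keys_from_json(keys_json: str, now_rfc3339: str,
                         max_age_days: int = ROTATION_DAYS) -> list:
    """String-in, list-out wrapper so the check runs on saved gcloud output."""
    return stale_keys(json.loads(keys_json), parse_rfc3339(now_rfc3339), max_age_days)


def list_project_keys(project_id: str) -> list:
    """Live lookup for one project; requires an authenticated gcloud."""
    cmd = ["gcloud", "alpha", "services", "api-keys", "list",
           f"--project={project_id}", "--format=json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True,
                                     text=True).stdout)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for uid, name, age in stale_keys(json.loads(SAMPLE_KEYS_JSON), now):
        print(f"ROTATE {name} ({uid}): created {age} days ago")
```

To audit every project, feed each ID from `gcloud projects list` to list_project_keys and pass the result to stale_keys.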

Remediation / Resolution

To regenerate/rotate your Google Cloud API keys periodically (every 90 days), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials to access the list of the API keys created for the selected Google Cloud Platform (GCP) project.

05 Click on the name of the API key that you want to regenerate (rotate).

06 On the selected API key page, choose the REGENERATE KEY button from the console top menu to initiate the rotation process.

07 In the confirmation box, choose REPLACE KEY to replace the selected API key with a new one and complete the regeneration (rotation) process. The new Google Cloud API key will be available immediately. Regenerating your API key could break existing client connectivity, as your client/application will try to connect using the old key. Although the old API key will continue to work for 24 hours after you generate a replacement key, it is strongly recommended to update your client(s) and/or application(s) to use the newly generated API key as soon as possible.

08 Repeat steps no. 5 – 7 to rotate other API keys created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each project available within your Google Cloud account.

Using GCP CLI

01 Run services api-keys clone command (Windows/macOS/Linux) to re-create (clone) the API key that you want to rotate:

gcloud alpha services api-keys clone abcd1234-abcd-1234-abcd-1234abcd1234

02 The output should return the metadata available for the new API key:

Operation [operations/akmf.p7-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234] complete. Result: {
  "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime":"2021-10-27T09:00:00.827886Z",
  "displayName":"cc-project5-api-key",
  "etag":"abcdabcdabcdabcdabcdab==",
  "keyString":"abcd1234abcd1234abcd1234abcd1234abcd123",
  "name":"projects/123456789012/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "uid":"abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "updateTime":"2021-10-27T09:00:00.849225Z"
}

03 Use the new key returned as the value of the "keyString" property in your application by passing it with the key=API_KEY parameter.

04 (Optional) After the replacement key has been generated and added to your application code, you can delete the old (unneeded) API key to minimize exposure to attacks. Run services api-keys delete command (Windows/macOS/Linux) to remove the old API key from your Google Cloud Platform (GCP) project:

gcloud alpha services api-keys delete abcd1234-abcd-1234-abcd-1234abcd1234

05 The output should return the metadata available for the deleted API key:

Operation [operations/akmf.p12-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234] complete. Result: {
  "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime":"2020-10-25T09:01:20.329336Z",
  "deleteTime":"2021-10-28T10:10:07.909888Z",
  "displayName":"cc-project5-api-key",
  "etag":"abcdabcdabcdabcdabcdab==",
  "keyString":"12341234abcdabcd12341234abcdabcd1234123",
  "name":"projects/683977297284/locations/global/keys/abcd1234-abcd-1234-abcd-1234abcd1234",
  "uid":"abcd1234-abcd-1234-abcd-1234abcd1234",
  "updateTime":"2021-10-28T10:10:07.937315Z"
}

06 Repeat steps no. 1 – 5 to rotate other API keys created for the selected GCP project.

07 Repeat steps no. 1 – 6 for each project available within your Google Cloud account.

Publication date Oct 28, 2021