Remediation
From Google Cloud Console
1. Go to APIs & Services\Credentials using https://console.cloud.google.com/apis/credentials
2. In the section API Keys, click the API Key Name. The API Key properties display on a new page.
3. Click REGENERATE KEY to rotate the API key.
4. Click Save.
5. Repeat steps 2, 3, and 4 for every API key that has not been rotated in the last 90 days.
Note: Do not set HTTP referrers to wildcards (* or *.[TLD] or .[TLD]/) allowing access to any HTTP referrer.
Do not set IP addresses and the referrer to any host (0.0.0.0 or 0.0.0.0/0 or ::0).
From Google Cloud CLI
There is not currently a way to regenerate an API key using gcloud commands. To regenerate a key, create a new one, duplicate the restrictions from the key being rotated, and delete the old key.
1. List existing keys.
    gcloud services api-keys list
2. Note the UID and restrictions of the key to regenerate.
3. Run this command to create a new API key. {{key-name}} is the display name of the new key.
    gcloud alpha services api-keys create \
      --display-name="{{key-name}}"
   Note the UID of the newly created key.
4. Run the update command to add required restrictions.
   Note: the restriction may vary for each key. Refer to this documentation for the appropriate flags. https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update
    gcloud alpha services api-keys update {{uid-of-new-key}}
5. Delete the old key.
    gcloud alpha services api-keys delete {{uid-of-old-key}}
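
To decide which keys need the procedure above, the following added example (not part of the original page or of Google's tooling) audits the JSON output of the list command, taken with `--format=json`, for keys older than 90 days and for the wildcard referrer and any-host IP values the note warns against. It assumes the `uid`, `createTime` and `restrictions` field names of the API Keys v2 Key resource and measures age from `createTime`, which matches the create-and-delete rotation described here; the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)                  # rotation window stated on this page
OPEN_IPS = {"0.0.0.0", "0.0.0.0/0", "::0"}    # "any host" values from the note

# Constructed sample; field names assume the API Keys v2 Key resource layout.
SAMPLE = json.dumps([
    {"uid": "constructed-uid-1", "createTime": "2024-01-10T08:00:00Z",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]}}},
    {"uid": "constructed-uid-2", "createTime": "2024-05-01T08:00:00.123456Z",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*.com", "*"]}}},
    {"uid": "constructed-uid-3", "createTime": "2024-05-20T08:00:00Z",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["0.0.0.0/0"]}}},
    {"uid": "constructed-uid-4", "createTime": "2024-05-20T08:00:00Z",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.7"]}}},
])

def parse_time(ts):
    """Parse an RFC 3339 UTC timestamp, dropping any fractional seconds."""
    return datetime.fromisoformat(ts.split(".")[0].rstrip("Z")).replace(tzinfo=timezone.utc)

def referrer_is_wildcard(ref):
    """True for '*', '*.[TLD]' and '.[TLD]/' patterns; False for '*.example.com'."""
    host = ref.split("://")[-1].split("/")[0]
    return host.startswith(("*", ".")) and "." not in host.lstrip("*.")

def audit(keys_json, now):
    """Return {uid: [issues]} for keys that are overdue or too loosely restricted."""
    findings = {}
    for key in json.loads(keys_json):
        issues = []
        if now - parse_time(key["createTime"]) > MAX_AGE:
            issues.append("older than 90 days")
        r = key.get("restrictions", {})
        refs = r.get("browserKeyRestrictions", {}).get("allowedReferrers", [])
        ips = r.get("serverKeyRestrictions", {}).get("allowedIps", [])
        issues += [f"wildcard referrer {x}" for x in refs if referrer_is_wildcard(x)]
        issues += [f"open IP range {x}" for x in ips if x in OPEN_IPS]
        if issues:
            findings[key["uid"]] = issues
    return findings

if __name__ == "__main__":
    # Real use: pass the JSON output of the list command and datetime.now(timezone.utc).
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"
    for uid, issues in audit(SAMPLE, fixed_now).items():
        print(uid, "->", "; ".join(issues))
```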