Table: gcp_apikeys_key - Query GCP API Keys using SQL
Google Cloud Platform (GCP) API Keys are unique identifiers used to authenticate users, applications, or devices to your APIs. They are used to track and control how the API is used, for example, to prevent malicious use or abuse of your APIs. API keys are project-centric, meaning they are created, managed, and used by APIs within a specific project.
Table Usage Guide
The gcp_apikeys_key table provides insights into API keys within Google Cloud Platform (GCP). As a developer or security analyst, explore key-specific details through this table, including permissions, creation time, and associated metadata. Utilize it to uncover information about keys, such as those with specific permissions, the usage of keys, and the verification of key restrictions.
Examples
Basic info
Explore which API keys in your Google Cloud Platform have restrictions. This allows you to determine the state of each key, providing insights into their creation time and the level of access they provide.
select uid, display_name, create_time, case when restrictions is null then 'Unrestricted' else 'Restricted' end as statefrom gcp_apikeys_key;select uid, display_name, create_time, case when restrictions is null then 'Unrestricted' else 'Restricted' end as statefrom gcp_apikeys_key;List all unrestricted keys
Explore which API keys in your Google Cloud Platform account have no set restrictions, allowing you to identify potential security risks. This can be useful in assessing the elements within your environment that may be open to misuse or unauthorized access.
select uid, display_name, create_time, case when restrictions is null then 'Unrestricted' else 'Restricted' end as statefrom gcp_apikeys_keywhere restrictions is null;select uid, display_name, create_time, case when restrictions is null then 'Unrestricted' else 'Restricted' end as statefrom gcp_apikeys_keywhere restrictions is null;Get api service restrictions associated with each key
Determine the restrictions linked with each API key to understand the allowed services. This can help manage access and maintain security by identifying which services are accessible with each key.
select uid, display_name, a ->> 'service' as allowed_servicefrom gcp_apikeys_key, jsonb_array_elements(restrictions -> 'apiTargets') as awhere restrictions is not null;select uid, display_name, json_extract(a.value, '$.service') as allowed_servicefrom gcp_apikeys_key, json_each(restrictions, '$.apiTargets') as awhere restrictions is not null;Get website restrictions associated with each key
Determine the areas in which each key has associated website restrictions. This query is useful in understanding the limitations set on each key, providing insights into potential access or usage constraints.
select uid, display_name, a as allowed_websitefrom gcp_apikeys_key, jsonb_array_elements_text( restrictions -> 'browserKeyRestrictions' -> 'allowedReferrers' ) as awhere restrictions is not null;select uid, display_name, json_extract( restrictions, '$.browserKeyRestrictions.allowedReferrers' ) as allowed_websitefrom gcp_apikeys_keywhere json_type( restrictions, '$.browserKeyRestrictions.allowedIps' ) = 'array';Get ip restrictions associated with each key
Explore which API keys have associated IP restrictions in your Google Cloud Platform. This can help in identifying potential security risks and ensuring that only authorized IPs have access to your keys.
select uid, display_name, a as allowed_ipfrom gcp_apikeys_key, jsonb_array_elements_text( restrictions -> 'serverKeyRestrictions' -> 'allowedIps' ) as awhere restrictions is not null;select uid, display_name, json_extract( restrictions, '$.serverKeyRestrictions.allowedIps' ) as allowed_ipfrom gcp_apikeys_keywhere json_type( restrictions, '$.serverKeyRestrictions.allowedIps' ) = 'array';Get iOS app restrictions associated with each key
Discover the segments that indicate the restrictions placed on each iOS application associated with a specific key. This can help in managing app permissions and ensuring the security of your digital assets.
select uid, display_name, a as allowed_ios_bundle_idfrom gcp_apikeys_key, jsonb_array_elements_text( restrictions -> 'iosKeyRestrictions' -> 'allowedBundleIds' ) as awhere restrictions is not null;select uid, display_name, a.value as allowed_ios_bundle_idfrom gcp_apikeys_key, json_each( restrictions, '$.iosKeyRestrictions.allowedBundleIds' ) as awhere restrictions is not null;Get android app restrictions associated with each key
Identify the restrictions associated with each Android application in your Google Cloud Platform. This can help in managing and controlling access to your applications, thus enhancing security.
select uid, display_name, a as allowed_android_appsfrom gcp_apikeys_key, jsonb_array_elements( restrictions -> 'androidKeyRestrictions' -> 'allowedApplications' ) as awhere restrictions is not null;select uid, display_name, json_extract( restrictions, '$.androidKeyRestrictions.allowedApplications' ) as allowed_ipfrom gcp_apikeys_keywhere json_type( restrictions, '$.androidKeyRestrictions.allowedApplications' ) = 'array';Control examples
- 1.13 Ensure API keys are restricted to use by only specified Hosts and Apps
- 1.13 Ensure API keys are restricted to use by only specified Hosts and Apps
- 1.13 Ensure API keys are restricted to use by only specified Hosts and Apps
- 1.14 Ensure API keys are restricted to only APIs that application needs access
- 1.14 Ensure API keys are restricted to only APIs that application needs access
- 1.14 Ensure API keys are restricted to only APIs that application needs access
- 1.15 Ensure API keys are rotated every 90 days
- 1.15 Ensure API keys are rotated every 90 days
- 1.15 Ensure API keys are rotated every 90 days
- Ensure API keys are restricted to only APIs that application needs access
- Ensure API keys are restricted to use by only specified Hosts and Apps
- Ensure API keys are rotated every 90 days
- Project should not have use api keys
Schema for gcp_apikeys_key
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| annotations | jsonb | Annotations is an unstructured key-value map stored with a policy that may be set by external tools to store and retrieve arbitrary metadata. | |
| create_time | timestamp with time zone | A timestamp identifying the time this key was originally created. | |
| delete_time | timestamp with time zone | A timestamp when this key was deleted. | |
| display_name | text | Human-readable display name of this key that you can modify. | |
| etag | text | A checksum computed by the server based on the current value of the Key resource. | |
| location | text | The GCP multi-region, region, or zone in which the resource is located. | |
| name | text | = | The resource name of the key. |
| project | text | The GCP Project in which the resource is located. | |
| restrictions | jsonb | The restrictions on the key. | |
| title | text | Title of the resource. | |
| uid | text | Unique id in UUID4 format. | |
| update_time | timestamp with time zone | A timestamp identifying the time this key was last updated. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcpYou can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_apikeys_key