steampipe plugin install gcp

Table: gcp_apikeys_key - Query GCP API Keys using SQL

Google Cloud Platform (GCP) API Keys are unique identifiers used to authenticate users, applications, or devices to your APIs. They are used to track and control how the API is used, for example, to prevent malicious use or abuse of your APIs. API keys are project-centric, meaning they are created, managed, and used by APIs within a specific project.

Table Usage Guide

The gcp_apikeys_key table provides insights into API keys within Google Cloud Platform (GCP). As a developer or security analyst, explore key-specific details through this table, including permissions, creation time, and associated metadata. Utilize it to uncover information about keys, such as those with specific permissions, the usage of keys, and the verification of key restrictions.

Examples

Basic info

Explore which API keys in your Google Cloud Platform have restrictions. This allows you to determine the state of each key, providing insights into their creation time and the level of access they provide.

select
uid,
display_name,
create_time,
case
when restrictions is null then 'Unrestricted'
else 'Restricted'
end as state
from
gcp_apikeys_key;
select
uid,
display_name,
create_time,
case
when restrictions is null then 'Unrestricted'
else 'Restricted'
end as state
from
gcp_apikeys_key;

List all unrestricted keys

Explore which API keys in your Google Cloud Platform account have no set restrictions, allowing you to identify potential security risks. This can be useful in assessing the elements within your environment that may be open to misuse or unauthorized access.

select
uid,
display_name,
create_time,
case
when restrictions is null then 'Unrestricted'
else 'Restricted'
end as state
from
gcp_apikeys_key
where
restrictions is null;
select
uid,
display_name,
create_time,
case
when restrictions is null then 'Unrestricted'
else 'Restricted'
end as state
from
gcp_apikeys_key
where
restrictions is null;

Get api service restrictions associated with each key

Determine the restrictions linked with each API key to understand the allowed services. This can help manage access and maintain security by identifying which services are accessible with each key.

select
uid,
display_name,
a ->> 'service' as allowed_service
from
gcp_apikeys_key,
jsonb_array_elements(restrictions -> 'apiTargets') as a
where
restrictions is not null;
select
uid,
display_name,
json_extract(a.value, '$.service') as allowed_service
from
gcp_apikeys_key,
json_each(restrictions, '$.apiTargets') as a
where
restrictions is not null;

Get website restrictions associated with each key

Determine the areas in which each key has associated website restrictions. This query is useful in understanding the limitations set on each key, providing insights into potential access or usage constraints.

select
uid,
display_name,
a as allowed_website
from
gcp_apikeys_key,
jsonb_array_elements_text(
restrictions -> 'browserKeyRestrictions' -> 'allowedReferrers'
) as a
where
restrictions is not null;
select
uid,
display_name,
json_extract(
restrictions,
'$.browserKeyRestrictions.allowedReferrers'
) as allowed_website
from
gcp_apikeys_key
where
json_type(
restrictions,
'$.browserKeyRestrictions.allowedIps'
) = 'array';

Get ip restrictions associated with each key

Explore which API keys have associated IP restrictions in your Google Cloud Platform. This can help in identifying potential security risks and ensuring that only authorized IPs have access to your keys.

select
uid,
display_name,
a as allowed_ip
from
gcp_apikeys_key,
jsonb_array_elements_text(
restrictions -> 'serverKeyRestrictions' -> 'allowedIps'
) as a
where
restrictions is not null;
select
uid,
display_name,
json_extract(
restrictions,
'$.serverKeyRestrictions.allowedIps'
) as allowed_ip
from
gcp_apikeys_key
where
json_type(
restrictions,
'$.serverKeyRestrictions.allowedIps'
) = 'array';

Get iOS app restrictions associated with each key

Discover the segments that indicate the restrictions placed on each iOS application associated with a specific key. This can help in managing app permissions and ensuring the security of your digital assets.

select
uid,
display_name,
a as allowed_ios_bundle_id
from
gcp_apikeys_key,
jsonb_array_elements_text(
restrictions -> 'iosKeyRestrictions' -> 'allowedBundleIds'
) as a
where
restrictions is not null;
select
uid,
display_name,
a.value as allowed_ios_bundle_id
from
gcp_apikeys_key,
json_each(
restrictions,
'$.iosKeyRestrictions.allowedBundleIds'
) as a
where
restrictions is not null;

Get android app restrictions associated with each key

Identify the restrictions associated with each Android application in your Google Cloud Platform. This can help in managing and controlling access to your applications, thus enhancing security.

select
uid,
display_name,
a as allowed_android_apps
from
gcp_apikeys_key,
jsonb_array_elements(
restrictions -> 'androidKeyRestrictions' -> 'allowedApplications'
) as a
where
restrictions is not null;
select
uid,
display_name,
json_extract(
restrictions,
'$.androidKeyRestrictions.allowedApplications'
) as allowed_ip
from
gcp_apikeys_key
where
json_type(
restrictions,
'$.androidKeyRestrictions.allowedApplications'
) = 'array';

Control examples

Schema for gcp_apikeys_key

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
annotationsjsonbAnnotations is an unstructured key-value map stored with a policy that may be set by external tools to store and retrieve arbitrary metadata.
create_timetimestamp with time zoneA timestamp identifying the time this key was originally created.
delete_timetimestamp with time zoneA timestamp when this key was deleted.
display_nametextHuman-readable display name of this key that you can modify.
etagtextA checksum computed by the server based on the current value of the Key resource.
locationtextThe GCP multi-region, region, or zone in which the resource is located.
nametext=The resource name of the key.
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
restrictionsjsonbThe restrictions on the key.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.
uidtextUnique id in UUID4 format.
update_timetimestamp with time zoneA timestamp identifying the time this key was last updated.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_apikeys_key