GCP - API Keys Unauthenticated Enum

Reading time: 3 minutes

API Keys

For more information about API Keys check:

GCP - API Keys Enum

OSINT techniques

Google API Keys are widely used by any kind of applications that uses from the client side. It's common to find them in for websites source code or network requests, in mobile applications or just searching for regexes in platforms like Github.

The regex is: AIza[0-9A-Za-z_-]{35}

Search it for example in Github following: https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch

Check origin GCP project - apikeys.keys.lookup

This is extremely useful to check to which GCP project an API key that you have found belongs to:

# If you have permissions
gcloud services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

# If you don't, you can still see the project ID in the error msg
gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE
ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project.
Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: apikeys.googleapis.com
  metadata:
    permission: serviceusage.apiKeys.getProjectForKey
    resource: projects/89123452509
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Brute Force API endspoints

As you might not know which APIs are enabled in the project, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.