GCP - API Keys Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

API Keys

For more information about API Keys check:

OSINT techniques

Google API Keys are widely used by any kind of applications that uses from the client side. It's common to find them in for websites source code or network requests, in mobile applications or just searching for regexes in platforms like Github.

The regex is: AIza[0-9A-Za-z_-]{35}

Search it for example in Github following: https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch

Check origin GCP project - `apikeys.keys.lookup`

This is extremely useful to check to which GCP project an API key that you have found belongs to:

# If you have permissions
gcloud services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

# If you don't, you can still see the project ID in the error msg
gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE
ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project.
Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: apikeys.googleapis.com
  metadata:
    permission: serviceusage.apiKeys.getProjectForKey
    resource: projects/89123452509
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Brute Force API endspoints

As you might not know which APIs are enabled in the project, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Unauthenticated Enum & Access NextGCP - App Engine Unauthenticated Enum

Last updated 3 months ago

API Keys

OSINT techniques

Check origin GCP project - apikeys.keys.lookup

Brute Force API endspoints

Check origin GCP project - `apikeys.keys.lookup`