GCP - API Keys Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

API Keys

For more information about API Keys check:

GCP - API Keys Enum

OSINT techniques

Google API Keys are widely used by any kind of applications that uses from the client side. It's common to find them in for websites source code or network requests, in mobile applications or just searching for regexes in platforms like Github.

The regex is: AIza[0-9A-Za-z_-]{35}

Search it for example in Github following: https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch

Check origin GCP project - `apikeys.keys.lookup`

This is extremely useful to check to which GCP project an API key that you have found belongs to:

# If you have permissions
gcloud services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

# If you don't, you can still see the project ID in the error msg
gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE
ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project.
Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: apikeys.googleapis.com
  metadata:
    permission: serviceusage.apiKeys.getProjectForKey
    resource: projects/89123452509
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Brute Force API endspoints

As you might not know which APIs are enabled in the project, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Unauthenticated Enum & Access NextGCP - App Engine Unauthenticated Enum

Last updated 5 months ago

API Keys

For more information about API Keys check:

GCP - API Keys Enum

OSINT techniques

The regex is: AIza[0-9A-Za-z_-]{35}

Check origin GCP project - apikeys.keys.lookup

This is extremely useful to check to which GCP project an API key that you have found belongs to:

# If you have permissions
gcloud services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

# If you don't, you can still see the project ID in the error msg
gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE
ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project.
Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: apikeys.googleapis.com
  metadata:
    permission: serviceusage.apiKeys.getProjectForKey
    resource: projects/89123452509
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Brute Force API endspoints

As you might not know which APIs are enabled in the project, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.

API Keys

OSINT techniques

Check origin GCP project - apikeys.keys.lookup

Brute Force API endspoints

API Keys

OSINT techniques

Check origin GCP project - apikeys.keys.lookup

Brute Force API endspoints

Check origin GCP project - `apikeys.keys.lookup`

Check origin GCP project - `apikeys.keys.lookup`