{"slug": "securing-google-api-keys", "title": "Securing Google API Keys", "summary": "A Google Cloud blog post urges developers to lock down the API keys they use for AI services such as Gemini, since a hijacked key hands an attacker a compromised environment. The author recommends creating each key in an isolated project and limiting both the APIs it can call and the client applications that can use it to the minimum required. These steps reduce the potential damage from an exposed key, which can otherwise be misused to consume paid tokens or abuse cloud resources.", "body_md": "# Securing Google API Keys\n\n*This post was originally published on Google Cloud Blog for Developers and is posted here for “bookkeeping”.*\n\n**Disclaimer:** This post is not about costs or disputing billing charges caused by API key use.\n\n## API Keys Are Open Secrets\n\nToday, AI services rely heavily on API keys. To run AI agents, users provide API keys that represent paid tokens, subscriptions, or paid accounts. While API keys are easy to use, it is just as easy to use them unsafely. The result of a hijacked key is a compromised environment that is misused or abused by perpetrators.\n\nI decided to write this blog post after seeing a thread in the r/googlecloud subreddit asking for a tutorial so users can go and protect themselves. In this post, you will find a few simple steps you can take to reduce your risks and improve the security of API keys created by Google.\n\nYou use Google API keys to access Gemini and other Google AI products as well as Google Cloud APIs. In fact, a Gemini API key is actually a standard Google API key behind the scenes. While I will be focusing on Google API key security, you can apply some of these recommendations to API keys and product tokens created elsewhere.\n\n## Step 1: Generate a New API Key\n\nRegardless of where you start, you end up creating a new API key in one of your Google Cloud projects. 
You probably will use [Credentials](https://console.cloud.google.com/apis/credentials) under the “APIs & Services” menu in the Cloud console.\n\nOr you may use the `gcloud services api-keys create` [command](https://docs.cloud.google.com/sdk/gcloud/reference/services/api-keys/create) instead. Or there is some other interface that creates a new Google Cloud API key. Regardless of the path and the interface, you need to do the following:\n\n- Create the key in a standalone project that is not used for any other purpose.\n- Restrict API access and client applications for the new API key.\n\nThese steps limit the potential reach of the key and greatly simplify troubleshooting if something goes wrong.\n\n### API Restrictions\n\nAPI restrictions define exactly which services can be accessed using a specific API key. To keep your environment secure, always limit this list to the absolute minimum set of services required. While the Google Cloud console now prevents the creation of entirely unrestricted keys, it can still be tempting to add extra APIs to “future-proof” or speed up development. However, we strongly advise against this. By strictly adhering to the principle of least privilege, you significantly reduce the potential damage (or “blast radius”) if a key is ever accidentally exposed or hijacked.\n\nIt is also important to audit keys generated automatically through integrated developer tools. For example, creating an API key in Firebase restricts its use to 24 APIs, including Datastore, Firestore, Cloud SQL Admin and others.\n\nIf you use Firebase to host your website you probably will not use most of them. When you create an API key to use with AI Studio, restrict it to only “Gemini API”.\n\n**Attention points:**\n\n- If you search for an API that you want to select but it is missing, this API is probably not enabled in the Google Cloud project that you use. 
Go to the [API Library](https://console.cloud.google.com/apis/library) in your Cloud console, find the API by name and enable it first.\n- You can do all of these actions using the Cloud console or the gcloud CLI. Other interfaces (e.g. Firebase) may not give you access to all parameters of the API keys.\n\n### Application Restrictions\n\nSimilar to API restrictions, which limit what services your key can be used for, application restrictions limit the applications that can use the key. For example, if you create an API key only for use with Google AI Studio, setting its application restriction to the website “[https://aistudio.google.com/](https://aistudio.google.com/)” prevents your key from being used by automations that call Gemini and consume a high volume of tokens at scale. Keep in mind that a website restriction is checked against the HTTP referrer the client sends, so it stops accidental or opportunistic use from other sites rather than a determined attacker who holds the raw key; treat it as one layer of defence, not as a substitute for keeping the key secret.\n\nYou can set up one or more restrictions of one of the following types:\n\n- **Website / Web application**: a list of URLs (HTTP referrers) that may use the key\n- **Services**: a list of IPv4 or IPv6 addresses or subnet masks\n- **iOS applications**: a list of bundle IDs\n- **Android applications**: a list of package name and certificate fingerprint pairs\n\nNote that you can restrict a key to a single application type only. Create a designated API key for each application type. Having a key per application type helps when observing key usage and investigating potentially compromised keys.\n\n## Step 2: Store API key\n\nI want to reiterate that the API key is not paired with your identity. **ANYONE** who has it can use it. So, storing the key securely is as important as restricting its use in Step 1.\n\nThe rule is simple: NEVER EVER store the key where it can be easily seen.\n\n**If you use an API key in your application**, store it in [Secret Manager](https://docs.cloud.google.com/secret-manager/docs/best-practices) or a similar secret management service. 
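
As an added example (not code from the original post), here is what reading the key from a secret management service looks like in Python: the key is fetched from Secret Manager at run time, the resource name is validated before any call is made, the key is redacted before it can reach a log line, and the request helper refuses to attach it to a non-TLS URL. The Secret Manager call follows the google-cloud-secret-manager client library and needs Application Default Credentials; the project and secret names are placeholders, and sending the key in an `x-goog-api-key` header rather than a `key=` query parameter is the choice made here so the key stays out of access logs.

```python
import re

# Added example, not from the original post: load a Google API key from
# Secret Manager at run time and keep it out of logs and plaintext traffic.
# Assumes the google-cloud-secret-manager package and Application Default
# Credentials for the real fetch; the fetcher is injectable so the rest
# of the logic can be exercised with a stub.

SECRET_VERSION_RE = re.compile(
    r'^projects/[^/]+/secrets/[^/]+/versions/([0-9]+|latest)$')


def fetch_from_secret_manager(secret_version):
    '''Read one secret version through the Secret Manager client library.'''
    # Imported here so that importing this module does not require the library.
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={'name': secret_version})
    return response.payload.data.decode('utf-8')


def load_api_key(secret_version, fetch=fetch_from_secret_manager):
    '''Validate the resource name, fetch the payload and reject empty keys.
    The key is only returned to the caller; nothing here logs or caches it.'''
    if not SECRET_VERSION_RE.match(secret_version):
        raise ValueError('not a Secret Manager version name: ' + secret_version)
    key = fetch(secret_version).strip()
    if not key:
        raise ValueError('secret payload is empty')
    return key


def redact(key, visible=4):
    '''Log-safe form of a key: enough prefix to tell keys apart, nothing more.'''
    if len(key) <= visible * 2:
        return '*' * len(key)
    return key[:visible] + '*' * (len(key) - visible)


def auth_headers(key, url):
    '''Headers for a Google API request carrying the key. Refuses plaintext
    URLs, and uses a header rather than a ?key= query parameter so the key
    does not end up in server or proxy access logs.'''
    if not url.lower().startswith('https://'):
        raise ValueError('refusing to send an API key over a non-TLS URL: ' + url)
    return {'x-goog-api-key': key}


if __name__ == '__main__':
    # Hypothetical project and secret names; replace with your own.
    api_key = load_api_key('projects/my-project/secrets/gemini-api-key/versions/latest')
    print('loaded key', redact(api_key))
    print(auth_headers(api_key, 'https://generativelanguage.googleapis.com/v1beta/models'))
```

The injectable `fetch` argument is what makes the loader testable without cloud access; in production you leave the default in place, and the only copy of the key lives in the process memory of the code that needs it.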
Secret Manager allows you to inject your API key into [Cloud Run](https://docs.cloud.google.com/run/docs/configuring/services/secrets) and [GKE](https://docs.cloud.google.com/secret-manager/docs/secret-manager-managed-csi-component) environments easily. However, to raise the level of protection further you may want to read the key from Secret Manager in your code instead, rather than exposing it through an environment variable or a mounted file. See the [documentation](https://docs.cloud.google.com/secret-manager/docs/samples/secretmanager-get-secret) for an example.\n\n**If you use an API key with an external application** that asks you to type in the key, take extra steps to explore how the application manages your key. You need to find out how the key is stored and how it is used in requests. For web applications, you can use browser developer tools to inspect application traffic and ensure that the key is never sent over an unencrypted communication channel. For example, Google AI Studio uses encrypted local storage and sends the key over a TLS-encrypted channel.\n\n## If Something Goes Wrong\n\n**What to do if you suspect that your key is compromised?** The straightforward action is the same as with a credit card: first, delete the key. You can do it in the Cloud console or using the `gcloud services api-keys delete` [command](https://docs.cloud.google.com/sdk/gcloud/reference/services/api-keys/delete). If you find out that it was a false alarm, you can [undelete](https://docs.cloud.google.com/sdk/gcloud/reference/services/api-keys/undelete) it during the next 30 days.\n\n**What if you do not know which key is compromised?** In that case you need to do a two-step investigation:\n\n- Find all API keys in your organization or project(s)\n- Check the graph of API consumption for the APIs each key allows access to\n\n### Find out all your API keys\n\nThere is more than one way to find your API key resources. 
You can use [Asset Inventory](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) in the Cloud console and filter the dashboard by **Resource type** to `apikeys.Key`. If you do not see this resource type, find and click “View more…” to expand the resource type list. Note that the list shows deleted API keys as well.\n\nIf you favor the CLI, and you know the specific project(s), you can use the `gcloud services api-keys list` [command](https://docs.cloud.google.com/sdk/gcloud/reference/services/api-keys/list).\n\nTo see all active keys in your organization, you will need to use the `gcloud asset search-all-resources` [command](https://docs.cloud.google.com/sdk/gcloud/reference/asset/search-all-resources) and query its JSON output to filter out deleted keys:\n\n```\ngcloud asset search-all-resources \\\n  --scope='organizations/123456789012' \\\n  --asset-types='apikeys.googleapis.com/Key' \\\n  --read-mask=\"name,displayName,versionedResources\" \\\n  --format=json \\\n  --order-by='createTime' \\\n| jq '.[] | select(.versionedResources | all(.resource.data.deleteTime == null))'\n```\n\n### Find out API consumption\n\nThere is a way to track the usage of an API key. You can do it using the Cloud Monitoring [metric](https://docs.cloud.google.com/apis/docs/monitoring#expandable-1) `serviceruntime.googleapis.com/api/request_count`. This metric counts how many times different services have been invoked. To see the number of service requests for a particular API key you need to use the metric’s `credential_id` label and filter it by the API key’s unique ID. 
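
Putting the inventory and the metric together, as an added example that is not from the original post: the Python below runs the least-privilege checks from Step 1 (and the “find, delete, restrict” hygiene of Step 3) over a key list, and flags any key whose latest request count far exceeds its own baseline, which is the “abnormally high level of API invocations” signal described in this section. The key records and the hourly counts are constructed stand-ins for the parsed output of `gcloud services api-keys list --format=json` (field names follow the API Keys v2 Key resource) and for the request_count metric grouped by `credential_id`; `generativelanguage.googleapis.com` is assumed here to be the service name behind “Gemini API”.

```python
import statistics

# Added example, not from the original post. Joins the two checks the post
# describes: are the keys restricted, and is any key's request_count spiking?
# Inputs are constructed stand-ins for real data:
#   * SAMPLE_KEYS mirrors `gcloud services api-keys list --format=json`
#     (field names follow the API Keys v2 Key resource; values are made up)
#   * SAMPLE_USAGE holds hourly request counts per `credential_id`, the shape
#     you get by exporting the request_count metric grouped by that label
GEMINI = 'generativelanguage.googleapis.com'  # assumed service name for the Gemini API

SAMPLE_KEYS = [
    {
        'uid': '11111111-1111-1111-1111-111111111111',
        'displayName': 'aistudio-gemini',
        'restrictions': {
            'apiTargets': [{'service': GEMINI}],
            'browserKeyRestrictions': {
                'allowedReferrers': ['https://aistudio.google.com/*']},
        },
    },
    {
        'uid': '22222222-2222-2222-2222-222222222222',
        'displayName': 'firebase-web',
        'restrictions': {  # API-restricted but open to any client
            'apiTargets': [{'service': 'firestore.googleapis.com'},
                           {'service': 'sqladmin.googleapis.com'}],
        },
    },
    {
        'uid': '33333333-3333-3333-3333-333333333333',
        'displayName': 'legacy-test',  # no restrictions at all
    },
]

SAMPLE_USAGE = {
    'apikey:11111111-1111-1111-1111-111111111111': [12, 9, 14, 11, 10, 13, 12, 11],
    'apikey:22222222-2222-2222-2222-222222222222': [40, 38, 45, 41, 39, 42, 44, 40],
    'apikey:33333333-3333-3333-3333-333333333333': [0, 0, 1, 0, 0, 0, 0, 950],
}

APP_RESTRICTION_FIELDS = ('browserKeyRestrictions', 'serverKeyRestrictions',
                          'androidKeyRestrictions', 'iosKeyRestrictions')


def audit_restrictions(key, allowed_services):
    '''Findings for one key: least-privilege violations in its restrictions.'''
    findings = []
    restrictions = key.get('restrictions', {})
    targets = [t['service'] for t in restrictions.get('apiTargets', [])]
    if not targets:
        findings.append('no API restrictions')
    for service in targets:
        if service not in allowed_services:
            findings.append('unexpected API target: ' + service)
    if not any(field in restrictions for field in APP_RESTRICTION_FIELDS):
        findings.append('no application restriction')
    return findings


def usage_spike(samples, factor=5, floor=20):
    '''Flag the latest sample when it exceeds `factor` times the median of the
    earlier samples. `floor` is the minimum baseline, so an idle key that
    suddenly sees real traffic is caught too. Returns (flagged, detail).'''
    if len(samples) < 2:
        return False, 'not enough data'
    baseline = max(statistics.median(samples[:-1]), floor)
    latest = samples[-1]
    return latest > factor * baseline, 'latest %d vs baseline %.0f' % (latest, baseline)


def triage(keys, usage, allowed_services, factor=5):
    '''Map each key UID to its findings, joining inventory and consumption.'''
    report = {}
    for key in keys:
        findings = audit_restrictions(key, allowed_services)
        flagged, detail = usage_spike(usage.get('apikey:' + key['uid'], []), factor)
        if flagged:
            findings.append('usage spike: ' + detail)
        report[key['uid']] = findings
    return report


def keys_to_delete(report):
    '''A spiking key is treated as compromised: delete it first, undelete
    within 30 days if it turns out to be a false alarm.'''
    return sorted(uid for uid, f in report.items()
                  if any(x.startswith('usage spike') for x in f))


if __name__ == '__main__':
    report = triage(SAMPLE_KEYS, SAMPLE_USAGE, {GEMINI, 'firestore.googleapis.com'})
    for uid, findings in report.items():
        print(uid, findings or ['ok'])
    print('delete now:', keys_to_delete(report))
```

The `floor` in `usage_spike` matters for exactly the case the post warns about: a forgotten test key normally sits at zero requests, so a ratio against its own median would divide by nothing; the floor turns any sudden real traffic on an idle key into a finding.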
You can see the metric data using [Metrics explorer](https://console.cloud.google.com/monitoring/metrics-explorer) or use the Monitoring API with the following [PromQL](https://docs.cloud.google.com/monitoring/promql) expression:\n\n```\nsum(\n  rate({\n    \"__name__\"=\"serviceruntime.googleapis.com/api/request_count\",\n    \"monitored_resource\"=\"consumed_api\",\n    \"credential_id\"=\"apikey:00000000-0000-0000-0000-000000000000\"\n  }[${__interval}])\n)\n```\n\nYou can further filter this metric by the `service_name` label using the API name (e.g. `mapstools.googleapis.com`).\n\nTo find the API key ID, use one of the following methods:\n\n- **Using the Cloud console:** open the [Credentials](https://console.cloud.google.com/apis/credentials) page and select the API key that you want. Inspect the URL of the API key page in the browser, which will look like `https://console.cloud.google.com/apis/credentials/key/[KEY_ID]?project=[PROJECT_ID]`. Copy the `[KEY_ID]` part.\n- **Using the gcloud CLI:** run the `gcloud services api-keys list --format='value(displayName,uid)'` command and find the key by its display name. Copy the UID next to the display name.\n\nAn abnormally high level of API invocations usually indicates that the API key was compromised and is being used by a malicious party.\n\n## Step 3: API key management hygiene\n\nWhether you are an engineer, an experienced cloud user or just came to experiment, keeping proper API key hygiene is important to avoid having your environment hijacked.\n\n**If you already use Google API keys, take the following steps right now**:\n\n- Find all API keys that you have\n- Delete all keys that you no longer use or do not recognize (do not worry, you can restore them during the next 30 days)\n- Restrict API keys to only the APIs that you intend to use. 
Narrow the list of clients that can use the APIs if you can\n- If you administer your Google Cloud projects or organization, consider setting up [custom organization policy constraints](https://docs.cloud.google.com/api-keys/docs/custom-constraints) on the `apikeys.googleapis.com/Key` resource, so that the required restrictions are enforced when keys are created or updated instead of being audited after the fact\n- Consider periodically rotating (refreshing) your API keys by replacing them with newly created ones that share the exact same restrictions. Just be careful to track down and update all places where your existing key is used before deleting it, to avoid unexpectedly breaking your application or abruptly losing access to one.\n\n## Wrapping up\n\nSecuring API keys is a vital step in protecting your cloud ecosystem. Implementing strict API and application restrictions, using secure storage, and proactively monitoring consumption are highly effective ways to prevent unauthorized access. These practices safeguard your development environment from exploitation and prevent unexpected billing charges.\n\nTo help you implement these practices, here are a few practical tools and resources you can explore next:\n\n- **Check more about APIs:** Review [Best practices for managing API keys](https://docs.cloud.google.com/docs/authentication/api-keys-best-practices) and practice [Search for and use Google APIs](https://codelabs.developers.google.com/search-for-and-select-google-apis#0).\n- **Watch a quick tutorial:** Check out this Google Cloud Tech video on [Manage your Cloud Run secrets securely with Secret Manager](https://www.youtube.com/watch?v=JIE89dneaGo&t=91s) to see secure storage concepts in action.\n- **Get hands-on with a Codelab:** Practice fetching credentials safely in a guided environment by trying Secret Manager with the [Python](https://codelabs.developers.google.com/codelabs/secret-manager-python#0) or [Spring Boot](https://codelabs.developers.google.com/codelabs/cloud-spring-cloud-gcp-secret-manager#0) codelabs.\n- **Dive deeper into the docs:** Learn how to [select metrics](https://docs.cloud.google.com/monitoring/charts/metrics-selector), [create charts](https://docs.cloud.google.com/monitoring/charts/metrics-explorer) and [set up alerts](https://docs.cloud.google.com/monitoring/alerts) to observe your API consumption.", "url": "https://wpnews.pro/news/securing-google-api-keys", "canonical_source": "https://leoy.blog/posts/securing-google-api-keys/", "published_at": "2026-05-29 20:12:43+00:00", "updated_at": "2026-05-29 22:30:43.999697+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-products", "ai-infrastructure", "ai-agents"], "entities": ["Google", "Gemini", "Google Cloud", "Google Cloud Blog", "Credentials", "APIs & Services", "Cloud console", "gcloud"], "alternates": {"html": "https://wpnews.pro/news/securing-google-api-keys", "markdown": "https://wpnews.pro/news/securing-google-api-keys.md", "text": "https://wpnews.pro/news/securing-google-api-keys.txt", "jsonld": "https://wpnews.pro/news/securing-google-api-keys.jsonld"}}