Managing and Restricting Google API KEYS programmatically
2022-06-08Just a snippet in golang that creates, lists and restricts Google API keys.
This snippet does nothing new that you can’t otherwise do through the google cloud console or via gcloud or via terraform google_apikeys_key resource.
I only began to write this today because a co-worker asked me about applying API key restricts using IP addresses for some services.
Note that the Best practices for securely using API keys for API key usage describes various restricts you should put into place when using some of the services that support it as a primary or secondary authentication mechanism:
For example, the following services support API keys (AFAIK, there are very few of them)
create api key
The tricky part about programmatic use of this specific API in go is Managing Long Running Operations (LRO) with Google Cloud Client Libraries…its just a bit awkward so i’ve included it twice in the snippet
the following snippet will
- create an api key with labels
- list all api keys
- get the raw api key value for the new key
- add ip restricts to the new key
- add api restricts to the new key
- use the api key for maps geocoding api
export PROJECT_ID=`gcloud config get-value core/project`
gcloud services enable geocoding-backend.googleapis.com
go run main.go --projectID=$PROJECT_ID
Creating Key
creating key ... operations/akmf.p7-248066739582-c73bd1cd-ee71-4e4d-9bf5-f36318d1f83b
creating key ... operations/akmf.p7-248066739582-c73bd1cd-ee71-4e4d-9bf5-f36318d1f83b
creating key ... operations/akmf.p7-248066739582-c73bd1cd-ee71-4e4d-9bf5-f36318d1f83b
Key String AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
## >> and yes, i've deleted this key before posting..
Iterating keys
key: projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
KeyString AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
API Key raw project projects/248066739582/locations/global
Adding IP Restrict for key projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
updating key... operations/akmf.p10-248066739582-3760ac71-3b57-428a-8436-1fb5c9a1ffcd
updating key... operations/akmf.p10-248066739582-3760ac71-3b57-428a-8436-1fb5c9a1ffcd
updating key... operations/akmf.p10-248066739582-3760ac71-3b57-428a-8436-1fb5c9a1ffcd
Key updated :true
Once all this is done, you can see the new key
gcloud alpha services api-keys list
annotations:
k1: v1
k2: v2
createTime: '2022-06-08T14:42:07.869042Z'
displayName: my first key
etag: W/"9Zv2bViwn/lV+tCY/uxkGQ=="
name: projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
restrictions:
apiTargets:
- service: geocoding-backend.googleapis.com
serverKeyRestrictions:
allowedIps:
- 71.126.189.22/32
- 2600:4040:2098:a700:a927:617b:3d94:c3b6
uid: 8b0fe8b6-b279-447f-be63-2015d4d9cd08
updateTime: '2022-06-08T14:42:13.276940Z'
$ gcloud alpha services api-keys get-key-string 8b0fe8b6-b279-447f-be63-2015d4d9cd08
keyString: AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
$ gcloud alpha services api-keys lookup AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
name: projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
parent: projects/248066739582/locations/global
Now use the new API key:
export API_KEY=AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
curl -v "https://maps.googleapis.com/maps/api/geocode/json?latlng=40.714224,-73.961452&key=$API_KEY"
This site supports webmentions. Send me a mention via this form.