Managing and Restricting Google API Keys Programmatically

2022-06-08

Just a snippet in Go that creates, lists and restricts Google API keys.

This snippet does nothing new that you can't otherwise do through the Google Cloud console, via gcloud, or via the Terraform google_apikeys_key resource.

I only began to write this today because a co-worker asked me about applying API key restrictions using IP addresses for some services.

Note that the "Best practices for securely using API keys" guide describes various restrictions you should put in place when using some of the services that support API keys as a primary or secondary authentication mechanism.

For example, the following services support API keys (AFAIK, there are very few of them)

create api key

The tricky part about programmatic use of this specific API in Go is "Managing Long Running Operations (LRO) with Google Cloud Client Libraries". It's just a bit awkward, so I've included it twice in the snippet.

The following snippet will:

  1. create an API key with labels
  2. list all API keys
  3. get the raw API key value for the new key
  4. add IP restrictions to the new key
  5. add API restrictions to the new key
  6. use the API key for the Maps Geocoding API

export PROJECT_ID=`gcloud config get-value core/project`
gcloud services enable geocoding-backend.googleapis.com

go run main.go --projectID=$PROJECT_ID

Creating Key
creating key ... operations/akmf.p7-248066739582-c73bd1cd-ee71-4e4d-9bf5-f36318d1f83b
creating key ... operations/akmf.p7-248066739582-c73bd1cd-ee71-4e4d-9bf5-f36318d1f83b
creating key ... operations/akmf.p7-248066739582-c73bd1cd-ee71-4e4d-9bf5-f36318d1f83b
Key String AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw

##  >> and yes, i've deleted this key before posting..

Iterating keys
key: projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
   KeyString AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw

API Key raw project projects/248066739582/locations/global

Adding IP Restrict for key projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
updating key... operations/akmf.p10-248066739582-3760ac71-3b57-428a-8436-1fb5c9a1ffcd
updating key... operations/akmf.p10-248066739582-3760ac71-3b57-428a-8436-1fb5c9a1ffcd
updating key... operations/akmf.p10-248066739582-3760ac71-3b57-428a-8436-1fb5c9a1ffcd
Key updated :true

Once all this is done, you can see the new key:

gcloud alpha services api-keys list
    annotations:
      k1: v1
      k2: v2
    createTime: '2022-06-08T14:42:07.869042Z'
    displayName: my first key
    etag: W/"9Zv2bViwn/lV+tCY/uxkGQ=="
    name: projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
    restrictions:
      apiTargets:
      - service: geocoding-backend.googleapis.com
      serverKeyRestrictions:
        allowedIps:
        - 71.126.189.22/32
        - 2600:4040:2098:a700:a927:617b:3d94:c3b6
    uid: 8b0fe8b6-b279-447f-be63-2015d4d9cd08
    updateTime: '2022-06-08T14:42:13.276940Z'

$ gcloud alpha services api-keys get-key-string 8b0fe8b6-b279-447f-be63-2015d4d9cd08
    keyString: AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw

$ gcloud alpha services api-keys lookup AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
    name: projects/248066739582/locations/global/keys/8b0fe8b6-b279-447f-be63-2015d4d9cd08
    parent: projects/248066739582/locations/global
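
To check that every key in a project actually carries the two restrictions applied above, here is an added example (not part of the original post or its snippet): a Go audit over a JSON key listing. It assumes the JSON form of the listing (for example with gcloud's `--format=json`) uses the same field names as the YAML shown above; the `Audit` function, the sample key names and the prefix-length thresholds are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Constructed sample shaped like the listing above; addresses are documentation ranges.
const sample = `[{"name":"keys/ok","restrictions":{"apiTargets":[{"service":"geocoding-backend.googleapis.com"}],
 "serverKeyRestrictions":{"allowedIps":["198.51.100.7/32","2001:db8::1"]}}},
 {"name":"keys/broad","restrictions":{"serverKeyRestrictions":{"allowedIps":["0.0.0.0/0","bogus"]}}}]`
type key struct {
	Name         string `json:"name"`
	Restrictions struct {
		APITargets []struct{ Service string `json:"service"` } `json:"apiTargets"`
		Server     struct{ AllowedIPs []string `json:"allowedIps"` } `json:"serverKeyRestrictions"`
	} `json:"restrictions"`
}

// Audit lists findings per key; minV4/minV6 are hypothetical minimum prefix lengths.
func Audit(raw []byte, minV4, minV6 int) (out []string, err error) {
	var keys []key
	if err = json.Unmarshal(raw, &keys); err != nil {
		return nil, err
	}
	for _, k := range keys {
		if len(k.Restrictions.APITargets) == 0 {
			out = append(out, k.Name+": no API restriction")
		}
		if len(k.Restrictions.Server.AllowedIPs) == 0 {
			out = append(out, k.Name+": no IP restriction")
		}
		for _, s := range k.Restrictions.Server.AllowedIPs {
			p, perr := netip.ParsePrefix(s)
			if a, aerr := netip.ParseAddr(s); perr != nil && aerr == nil {
				p, perr = netip.PrefixFrom(a, a.BitLen()), nil // bare address = one host
			}
			if perr != nil {
				out = append(out, k.Name+": unparseable allowedIps entry "+s)
			} else if (p.Addr().Is4() && p.Bits() < minV4) || (p.Addr().Is6() && p.Bits() < minV6) {
				out = append(out, k.Name+": broad range "+s)
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(Audit([]byte(sample), 24, 64)) }
```

Both forms that appear in the listing are accepted: a CIDR entry and a bare address, which is treated as a single host.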

Now use the new API key:

export API_KEY=AIzaSyCZRmUMPexBgvU4DfYoj7UjiSbXtWTMedw
curl -v "https://maps.googleapis.com/maps/api/geocode/json?latlng=40.714224,-73.961452&key=$API_KEY"
