
GCP API keys should be restricted to only the APIs the application needs access to

Description

This rule verifies that every GCP API key constrains the services it can call. A key with no apiTargets set, or one whose target list contains the catch-all cloudapis.googleapis.com, is treated as unrestricted and grants access to every Google Cloud API the project has enabled. Restricting keys to the specific APIs an application actually uses limits the blast radius of a leaked key.
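As an added example (not Datadog's own rule implementation), the following Python check applies the same logic to API key resources in the shape returned by `gcloud services api-keys list --format=json` (the `restrictions.apiTargets[].service` field); the project and key names in the sample are constructed.

```python
"""Flag GCP API keys that are unrestricted: either no apiTargets at all,
or a target list that includes the catch-all cloudapis.googleapis.com."""
import json
from typing import Optional

CATCH_ALL = "cloudapis.googleapis.com"


def evaluate_key(key: dict) -> Optional[dict]:
    """Return a finding for an unrestricted key, or None if it is compliant."""
    targets = (key.get("restrictions") or {}).get("apiTargets") or []
    services = [t.get("service", "").lower() for t in targets]
    key_id = key.get("name", "").rsplit("/", 1)[-1]   # last path segment of the resource name
    if not services:
        reason = "no apiTargets set (every enabled API is callable)"
    elif CATCH_ALL in services:
        reason = f"apiTargets includes catch-all {CATCH_ALL}"
    else:
        return None
    return {"key_id": key_id, "displayName": key.get("displayName", ""),
            "reason": reason, "services": services}


def find_unrestricted(keys: list) -> list:
    """Evaluate every key resource and keep only the findings."""
    return [f for f in (evaluate_key(k) for k in keys) if f]


# Constructed sample mirroring the API Keys resource shape; names are placeholders.
SAMPLE_KEYS = json.loads("""[
 {"name": "projects/example-proj/locations/global/keys/key-no-restriction",
  "displayName": "mobile-app-key", "restrictions": {}},
 {"name": "projects/example-proj/locations/global/keys/key-catch-all",
  "displayName": "legacy-key",
  "restrictions": {"apiTargets": [{"service": "cloudapis.googleapis.com"}]}},
 {"name": "projects/example-proj/locations/global/keys/key-scoped",
  "displayName": "translate-key",
  "restrictions": {"apiTargets": [{"service": "translate.googleapis.com"},
                                  {"service": "storage.googleapis.com"}]}}
]""")

if __name__ == "__main__":
    for finding in find_unrestricted(SAMPLE_KEYS):
        print(f"{finding['key_id']}: {finding['reason']}")
```

Only the first two sample keys are reported; the third is scoped to two named services and passes.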

Remediation

For each flagged key, replace the unrestricted configuration with an explicit allow-list of the services the application needs. From the API Keys page in the Google Cloud Console, open the key, choose Restrict key under API restrictions, and select the specific services. The same change can be made with gcloud:

gcloud services api-keys update KEY_ID \
    --api-target=service=translate.googleapis.com \
    --api-target=service=storage.googleapis.com

Avoid cloudapis.googleapis.com as a target — it functions as “all APIs” and defeats the restriction.

References