---
title: GCP API Keys should be restricted to only APIs that application needs access
---

# GCP API Keys should be restricted to only APIs that application needs access
 
## Description{% #description %}

This rule verifies that every GCP API key constrains the services it can call. A key with no `apiTargets` set, or one whose target list contains the catch-all `cloudapis.googleapis.com`, is treated as unrestricted and grants access to every Google Cloud API the project has enabled. Restricting keys to the specific APIs an application actually uses limits the blast radius of a leaked key.

## Remediation{% #remediation %}

For each flagged key, replace the unrestricted configuration with an explicit allow-list of the services the application needs. From the [API Keys page in the Google Cloud Console](https://console.cloud.google.com/apis/credentials), open the key, choose **Restrict key** under **API restrictions**, and select the specific services. The same change can be made with `gcloud`:

```bash
gcloud services api-keys update KEY_ID \
    --api-target=service=translate.googleapis.com \
    --api-target=service=storage.googleapis.com
```

Avoid `cloudapis.googleapis.com` as a target — it functions as "all APIs" and defeats the restriction.
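The check described above and the remediation it leads to, written out as an added example (not Datadog's detection code or Google's tooling): it walks a list of API Keys API v2 `Key` resources in the shape returned by `gcloud services api-keys list --format=json` (or the `keys.list` response), flags every key whose `restrictions.apiTargets` is missing, empty, or contains `cloudapis.googleapis.com`, and builds the matching `gcloud services api-keys update` command from an explicit allow-list, refusing an allow-list that would leave the key unrestricted. The key names, display names and services in the sample are constructed for illustration.

```python
"""Flag GCP API keys with no effective API restriction and build the fix.

A key is unrestricted when it has no restrictions block, an empty
apiTargets list, or an apiTargets entry for the catch-all service
cloudapis.googleapis.com (which means "every API").
"""
import json

CATCH_ALL_SERVICE = "cloudapis.googleapis.com"

# Constructed sample input (assumption: API Keys API v2 Key shape, as
# emitted by `gcloud services api-keys list --format=json`).
SAMPLE_KEYS_JSON = json.dumps([
    {   # restricted to one service: compliant
        "name": "projects/example-proj/locations/global/keys/1111-aaaa",
        "displayName": "translate-web",
        "restrictions": {"apiTargets": [{"service": "translate.googleapis.com"}]},
    },
    {   # no restrictions block at all: unrestricted
        "name": "projects/example-proj/locations/global/keys/2222-bbbb",
        "displayName": "legacy-key",
    },
    {   # catch-all next to a specific service: still unrestricted
        "name": "projects/example-proj/locations/global/keys/3333-cccc",
        "displayName": "mobile-maps",
        "restrictions": {"apiTargets": [
            {"service": "maps-backend.googleapis.com"},
            {"service": "cloudapis.googleapis.com"},
        ]},
    },
    {   # referrer restriction only, empty apiTargets: unrestricted
        "name": "projects/example-proj/locations/global/keys/4444-dddd",
        "displayName": "empty-targets",
        "restrictions": {
            "apiTargets": [],
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        },
    },
])


def load_keys(doc):
    """Accept a JSON string or parsed object; handle both the bare list
    from gcloud and the {"keys": [...]} envelope from the REST API."""
    data = json.loads(doc) if isinstance(doc, str) else doc
    if isinstance(data, dict):
        data = data.get("keys", [])
    return list(data)


def api_targets(key):
    """Return the normalised service names in restrictions.apiTargets."""
    targets = (key.get("restrictions") or {}).get("apiTargets") or []
    return [t.get("service", "").strip().lower()
            for t in targets if isinstance(t, dict)]


def unrestricted_reason(key):
    """Return why the key is unrestricted, or None if it is compliant."""
    services = api_targets(key)
    if not services:
        return "no apiTargets set"
    if CATCH_ALL_SERVICE in services:
        return f"apiTargets contains catch-all {CATCH_ALL_SERVICE}"
    return None


def find_unrestricted(doc):
    """Evaluate every key; return a finding per unrestricted key."""
    findings = []
    for key in load_keys(doc):
        reason = unrestricted_reason(key)
        if reason:
            findings.append({"name": key.get("name", ""),
                             "displayName": key.get("displayName", ""),
                             "reason": reason})
    return findings


def key_id(name):
    """projects/P/locations/global/keys/KEY_ID -> KEY_ID (what gcloud takes)."""
    return name.rsplit("/", 1)[-1]


def remediation_command(key, services):
    """Build the gcloud update command for an explicit allow-list.
    The catch-all is dropped and an empty result is rejected, so the
    generated command can never re-create an unrestricted key."""
    allowed = [s for s in dict.fromkeys(s.strip().lower() for s in services)
               if s and s != CATCH_ALL_SERVICE]
    if not allowed:
        raise ValueError("allow-list must name at least one specific service")
    parts = [f"gcloud services api-keys update {key_id(key['name'])}"]
    parts += [f"--api-target=service={s}" for s in allowed]
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    for finding in find_unrestricted(SAMPLE_KEYS_JSON):
        print(f"{finding['displayName']} ({finding['name']}): {finding['reason']}")
```

Run against real output with `gcloud services api-keys list --format=json > keys.json` and feed the file to `find_unrestricted`; the allow-list passed to `remediation_command` has to come from the application owner, since nothing in the key itself says which services it legitimately needs.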

## References{% #references %}

- [CIS Google Cloud Platform Foundation Benchmark v4.0.0 — control 1.14](https://www.cisecurity.org/benchmark/google_cloud_computing_platform)
- [Applying restrictions to API keys](https://cloud.google.com/docs/authentication/api-keys#api_restrictions)
