# GCP - API Keys Unauthenticated Enum

{{#include ../../../banners/hacktricks-training.md}}

## API Keys

For more information about API Keys check:

{{#ref}}
../gcp-services/gcp-api-keys-enum.md
{{#endref}}

### OSINT techniques

**Google API Keys are widely used by all kinds of applications** that call Google APIs from the client side. It's common to find them in website source code or network requests, in mobile applications, or just by searching for the regex on platforms like GitHub.

The regex is: **`AIza[0-9A-Za-z_-]{35}`**

Search for it on GitHub, for example, with: [https://github.com/search?q=%2FAIza%5B0-9A-Za-z\_-%5D%7B35%7D%2F\&type=code\&ref=advsearch](https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch)

### Check origin GCP project

This is extremely useful to check **which GCP project an API key that you have found belongs to**. We have different options:

- Contact `https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=`

For the sake of brevity the output was truncated, but in the complete output the project ID appears more than 5 times

```bash
curl -s "https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=AIzaSyD[...]uE8Y"
{
  "error": {
    "code": 403,
    "message": "Identity Toolkit API has not been used in project 943955951114 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=943955951114 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
[...]
```

- Contact `https://identitytoolkit.googleapis.com/v1/projects?key=`

For the sake of brevity the output was truncated, but in the complete output the project ID appears more than 5 times

```bash
curl -s "https://identitytoolkit.googleapis.com/v1/projects?key=AIzaSyD[...]uE8Y"
{
  "error": {
    "code": 403,
    "message": "Identity Toolkit API has not been used in project 943955951114 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=943955951114 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
[...]
```

- [This one no longer works!] `apikeys.keys.lookup`

```bash
# If you have permissions
gcloud services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

# If you don't, you can still see the project ID in the error msg
gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE
ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project.
Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: apikeys.googleapis.com
  metadata:
    permission: serviceusage.apiKeys.getProjectForKey
    resource: projects/89123452509
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED
```

### Brute Force API endpoints

As you might not know which APIs are enabled in the project, it would be interesting to run the tool [https://github.com/ozguralp/gmapsapiscanner](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.**

{{#include ../../../banners/hacktricks-training.md}}
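The two checks described on this page, spotting key-shaped strings in source code with the `AIza...` regex and reading the owning project number out of a 403 error body, as an added Python example for a secret-scanning or triage script. This is not code from the page or from gmapsapiscanner; the source snippet, the key and the error body are constructed samples, not real values.

```python
import json
import re

# The page's regex, wrapped in look-arounds so a key glued to other
# base64-like characters is not matched on a partial boundary.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Google's 403 bodies name the owner as "project <number>" in the message,
# "project=<number>" in the console URL, and "projects/<number>" in gcloud
# error metadata; all three spellings are captured.
PROJECT_RE = re.compile(r"projects?[ =/](\d{6,})")


def find_api_keys(text: str) -> list[str]:
    """Return every distinct string in `text` with the Google API key shape."""
    found: list[str] = []
    for m in KEY_RE.finditer(text):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def redact(key: str) -> str:
    """Mask a key for reports and logs: keep the AIza prefix and the last 4 chars."""
    return key[:8] + "..." + key[-4:]


def project_ids_from_error(body: str) -> set[str]:
    """Extract project numbers from an API error response.

    Parses the JSON error envelope when the body is JSON, otherwise scans
    the raw text (covers the YAML-like gcloud error output too)."""
    try:
        msg = json.loads(body)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        msg = body
    return set(PROJECT_RE.findall(msg))


# Constructed sample source: one well-formed key plus two decoys that the
# plain page regex would report (too short / embedded in a longer token).
SAMPLE_SOURCE = """
const cfg = {
  apiKey: "AIzaSyCONSTRUCTED_EXAMPLE_KEY_012345678",
  other: "AIzaTooShort",
  blob: "xxAIzaSyCONSTRUCTED_EXAMPLE_KEY_012345678yy"
};
"""

# Constructed 403 body in the shape the identitytoolkit endpoints return;
# the project number is a placeholder, not a real project.
SAMPLE_ERROR = json.dumps({
    "error": {
        "code": 403,
        "message": (
            "Identity Toolkit API has not been used in project 123456789012 "
            "before or it is disabled. Enable it by visiting "
            "https://console.developers.google.com/apis/api/"
            "identitytoolkit.googleapis.com/overview?project=123456789012 "
            "then retry."
        ),
        "status": "PERMISSION_DENIED",
    }
})


if __name__ == "__main__":
    for key in find_api_keys(SAMPLE_SOURCE):
        print("key found:", redact(key))
    print("owning project(s):", sorted(project_ids_from_error(SAMPLE_ERROR)))
```

The look-arounds are the difference between the page's raw regex and a scanner with a tolerable false-positive rate: the raw pattern matches inside any long alphanumeric blob that happens to contain `AIza`. `redact()` is there so the finding can be written to a ticket or SIEM without copying the secret itself, and `project_ids_from_error()` accepts both the JSON and the gcloud-style bodies shown on the page.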