API Keys perm name + privileges #4

Open
mykter opened this issue May 24, 2021 · 0 comments

mykter commented May 24, 2021

Thanks for the repo, it's very helpful as a defender putting together policies.

I think there are a couple of issues with the API keys route included in this tool and mentioned in the post.

My understanding is that API keys don't grant you access to any non-public resource; they just allow you to make API requests that are billed to a project and are identified as coming from a particular source application. Ref: https://cloud.google.com/docs/authentication#applications

> Most Google Cloud APIs also support anonymous access to public data using API keys. However, API keys only identify the application, not the principal. When using API keys, the principal must be authenticated by other means.

I think any user that already has some permissions on a project already has more privileges than what is granted by an API key?

Separately, the detector has the permission names wrong - `serviceusage.apiKeys.{create,list}` don't exist, it's `apikeys.keys...` instead.
