API Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.
Risk
Security risks involved in using API-Keys appear below: API keys are simple encrypted strings, API keys do not identify the user or the application making the API request, API keys are typically accessible to clients, making it easy to discover and steal an API key.
prowler gcp --checks apikeys_key_exists
Recommendation
To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.
Remediation
gcloud alpha services api-keys delete
Source Code
Resource Type
API Key