Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Because source code is intended to be deployed across multiple assets, including source code repositories and application hosting servers, the secret may be exposed to an unintended audience.
In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment. Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated services or resources.
The trust issue can be more or less severe depending on the people’s role and entitlement.
Google API keys are used to authenticate applications that consume Google Cloud APIs.
API keys are not strictly secret as they are often embedded into client-side code or mobile applications that consume Google Cloud APIs. Still, they should be secured.
An unrestricted Google API key disclosed in public source code could be used by malicious actors to consume Google APIs on behalf of your application.
This will have a financial impact as your organization will be billed for the data consumed by the malicious actor.
If your account has a quota enabled to cap the API consumption of your application, this quota can be exceeded, leaving your application unable to request the Google APIs it requires to function properly.
Depending on the sensitivity of the key use, only administrators should have access to the Google API keys used by your application.
For client-facing keys
If the key must be sent to clients for the service to run properly, then it does not need to be revoked or added to a vault; ignore the following sections.
However, it is important to apply Google’s guidelines to secure the API keys.
These best practices will help mitigate abuse of this key.
Revoke the secret
Revoke any leaked secrets and remove them from the application source code.
Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the secret is revoked.
Use a secret vault
A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected disclosure.
Depending on the development platform and the leaked secret type, multiple solutions are currently available.
props.set("google-api-key", "zAIJf4Six4MjGwxvkarrf1LPUaCdyNSjzsyIoRI") // Noncompliant: key hard-coded in source
props.set("google-api-key", System.getenv("GOOGLE_API_KEY")) // Compliant: key read from the environment
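To catch the noncompliant pattern before it reaches a repository, a pre-commit scanner can flag both a literal passed where the key is configured and any string in the public Google API key shape (`AIza` followed by 35 characters). The following is an added example, not part of the original rule page; the source lines it scans are constructed, and the `AIza...` key in them is a placeholder, not a real credential.

```python
import re

# Detector 1: the public Google API key shape (39 characters, "AIza" prefix).
KEY_SHAPE = re.compile(r'\bAIza[0-9A-Za-z_-]{35}\b')
# Detector 2: a string literal passed where the configuration expects the key,
# i.e. the Noncompliant call shape shown on this page.
LITERAL_ARG = re.compile(r'"google-api-key"\s*,\s*"([^"]+)"')

# Constructed placeholder key in the Google shape (not a real credential).
FAKE_KEY = "AIzaSyA" + "0" * 31 + "a"

# Constructed source lines as a pre-commit hook would see them.
SAMPLE_SOURCE = "\n".join([
    f'props.set("google-api-key", "{FAKE_KEY}")',
    'props.set("google-api-key", System.getenv("GOOGLE_API_KEY"))',
    'props.set("google-api-key", "zAIJf4Six4MjGwxvkarrf1LPUaCdyNSjzsyIoRI")',
    'String note = "AIza is just a prefix, not a key";',
])


def redact(secret: str) -> str:
    """Keep the first and last four characters so a finding can be reported
    in logs or tickets without re-leaking the secret."""
    if len(secret) < 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_secret) for every hard-coded key found.
    A line that triggers both detectors on the same value is reported once."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        secrets = {m.group(0) for m in KEY_SHAPE.finditer(line)}
        literal = LITERAL_ARG.search(line)
        if literal:
            secrets.add(literal.group(1))
        for secret in sorted(secrets):
            findings.append((lineno, redact(secret)))
    return findings


if __name__ == "__main__":
    for lineno, secret in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded Google API key {secret}")
```

The environment-variable line is not reported, and the page's own noncompliant key is caught by the second detector even though it does not match the `AIza` shape.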