Jump to content

Publicly accessible Google API key for Google Cloud Platform project

Go to solution Solved by Randy Calvert,

Recommended Posts

Notification Suspicious Activity Alert
Publicly accessible Google API key for Google Cloud Platform project ****** (id: ******)
Dear Customer,


We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:

Project ****** (id: ******) with API key **************

The key was found at the following URL: https://www.internazionale.fr/articles/inter-milan/people-lauti-et-sa-femme-vont-bien-r17513/

We believe that you or your organization may have inadvertently published the affected API key in public sources or on public websites (for example, credentials mistakenly uploaded to a service such as GitHub.)

Please note that as the project/account owner, you are responsible for securing your keys. Therefore, we recommend that you take the following steps to remedy this situation:

  1. If this key is intended to be public (or if a publicly accessible key isn’t preventable):
    • Log in to the Google Cloud Console and review the API and billing activity on your account, ensuring the usage is in line with what you expected.
    • Add API key restrictions to your API key, if applicable.
  2. If this key was NOT meant to be public:
    • Regenerate the compromised API key: Search for Credentials in the cloud console platform, Edit the leaked key, and use the Regenerate Key button to rotate the key. For more details, review the instructions on handling compromised GCP credentials.
    • Take immediate steps to ensure that your API key(s) are not embedded in public source code systems, stored in download directories, or unintentionally shared in other ways.
    • Add API key restrictions to your API key, if applicable.

The security of your Google Cloud Platform account(s) is important to us.

Google Cloud Platform Trust & Safety





I juste received this email from Google.

Link to comment
Share on other sites

How is it possible ?
I follow every putain de steps :



Comment limiter ma clé API à des sites spécifiques ?

Utilisez un site Web pour limiter les URL pouvant se servir d'une clé API. En savoir plus 

Voici quelques exemples d'URL que vous pouvez autoriser pour configurer un site Web :

  • Toutes les URL contenues dans un seul domaine sans sous-domaines : https://example.com
  • Toutes les URL contenues dans un seul sous-domaine : https://sub.example.com
  • Tous les sous-domaines contenus dans un seul domaine et utilisant le caractère générique astérisque (*) : https://*.example.com
  • Un domaine et tous ses sous-domaines utilisant le caractère générique astérisque (*) :
  • Une URL contenant un port non standard : http://www.example.com:8000

Remarque : Les fragments et les paramètres de requête ne sont actuellement pas acceptés. Ils seront ignorés si vous les incluez dans un site Web.


It's limited to these 3 domains.

I added has Google ask. It's not send to everyone.

Link to comment
Share on other sites

  • Solution

The public key is intended to be that… public. It HAS to be in the request for your end user to view something that generates a map request. The private key is not shared. 

Google appears to be mass sending it to people.  The key is only shared in the way Google instructs it to be done.  Make sure you have proper restrictions so your key can be used from your domain and you’ll be fine. 

Edited by Randy Calvert
Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...