-2

During the development of the application, we had a test API key that was stored in the application. Before the release, we removed this key, but now the vulnerability search system reports that the key is still in the git history. It was not possible to find the account to which this key belongs. Question: is it possible to disable the key in some other way?

I was looking for key validation capabilities in the documentation.

UPD: The key is still active. I want to invalidate the key and make it inactive. I understand that it will not be possible to remove it from the git history.

  • If the key is committed in Git, it will stay in history and will be reported by vulnerability search systems. So what do you want: to rewrite git history or to remove the key from the 3rd-party system? – Justinas Jul 25 '23 at 07:58
  • The key is still active. I want to invalidate the key and make it inactive. I understand that it will not be possible to remove it from the git history. – Vladimir Radko Jul 25 '23 at 08:20
  • Why do you think it's not possible? It is, it just requires more work [1](https://stackoverflow.com/questions/872565/remove-sensitive-files-and-their-commits-from-git-history) – Justinas Jul 25 '23 at 08:25
  • Then you need to delete the key from the Google Cloud console: https://console.cloud.google.com/google/maps-apis/credentials?project=YOUR_PROJECT – vpgcloud Jul 26 '23 at 19:27

2 Answers

0

If no other applications use this key, you can just delete the API key from the GCP project.

If other applications do use this key, a key rotation process for those other applications should be started before deleting the key.

If key rotation is not an option, your only remaining option is referrer restrictions on that key, something you should always be doing anyway.


Update in response to comment:

Then you need to delete the key from the Google Cloud console: https://console.cloud.google.com/google/maps-apis/credentials?project=YOUR_PROJECT

vpgcloud
0

You can modify the history of commits to remove it.

Let's say your initial commit was Commit1, and the key was added in Commit2. Now you are on Commit3. You can add a Commit4 removing the key, and squash Commit2, Commit3 and Commit4.

kikoso
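
The squash described in this answer, as an added example that is not part of the original answer: it builds a constructed repository with a constructed placeholder key, squashes Commit2 to Commit4, and counts the commits that still touch the key. The helper names `key_commits`, `make_repo` and `remove_and_squash` are hypothetical, and `git reset --soft` is used here as a non-interactive way to squash.

```shell
#!/usr/bin/env bash
# Added example: constructed repository and constructed key value.
KEY="EXAMPLE-CONSTRUCTED-KEY-0000"   # placeholder, not a real credential

# Count commits whose diff adds or removes the string.
# Third argument selects the starting points: --all (refs) or --reflog.
key_commits() {   # usage: key_commits <repo> <string> [--all|--reflog]
  git -C "$1" log "${3:---all}" --oneline -S"$2" | wc -l | tr -d ' '
}

# Build Commit1..Commit3, with the key introduced in Commit2.
make_repo() {     # usage: make_repo <dir>
  git init -q "$1"
  git -C "$1" config user.email demo@example.invalid
  git -C "$1" config user.name demo
  echo "app" > "$1/app.txt"
  git -C "$1" add . && git -C "$1" commit -q -m Commit1
  echo "api_key=$KEY" > "$1/config.txt"
  git -C "$1" add . && git -C "$1" commit -q -m Commit2
  echo "more" >> "$1/app.txt"
  git -C "$1" add . && git -C "$1" commit -q -m Commit3
}

# Commit4 removes the key; then Commit2..Commit4 are squashed into one commit.
remove_and_squash() {   # usage: remove_and_squash <dir>
  git -C "$1" rm -q config.txt
  git -C "$1" commit -q -m Commit4
  git -C "$1" reset -q --soft HEAD~3          # back to Commit1, index kept
  git -C "$1" commit -q -m "Commit2-4 squashed"
}
```

After `remove_and_squash`, `key_commits <repo> "$KEY"` reports 0 for the branch, while `key_commits <repo> "$KEY" --reflog` still reports the two original commits held by the local reflog; clones and remotes that already received Commit2 keep it as well. Neither count says anything about whether the key is still active.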