gcp.api-key
GCP API Key https://cloud.google.com/api-keys/docs/reference/rest/v2/projects.locations.keys#Key
Filters
metrics
Supports metrics filters on resources.
All resources that have Cloud Monitoring metrics are supported.
Docs on Cloud Monitoring metrics:
Google Supported Metrics https://cloud.google.com/monitoring/api/metrics_gcp
Custom Metrics https://cloud.google.com/monitoring/api/v3/metric-model#intro-custom-metrics
    policies:
      - name: firewall-hit-count
        resource: gcp.firewall
        filters:
          - type: metrics
            name: firewallinsights.googleapis.com/subnet/firewall_hit_count
            aligner: ALIGN_COUNT
            days: 14
            value: 1
            op: greater-than
The period-start key controls how the metric window is aligned.
With the default, auto, the window is computed relative to the current time.
Setting it to start-of-day instead aligns the window to full UTC calendar days,
beginning at 00:00:00 UTC and ending at 00:00:00 UTC of the current day.
    policies:
      - name: instance-low-cpu-last-full-day
        resource: gcp.instance
        filters:
          - type: metrics
            name: compute.googleapis.com/instance/cpu/utilization
            aligner: ALIGN_MEAN
            days: 1
            value: 0.05
            op: less-than
            period-start: start-of-day
    properties:
      aligner:
        enum:
        - ALIGN_NONE
        - ALIGN_DELTA
        - ALIGN_RATE
        - ALIGN_INTERPOLATE
        - ALIGN_MIN
        - ALIGN_MAX
        - ALIGN_MEAN
        - ALIGN_COUNT
        - ALIGN_SUM
        - REDUCE_COUNT_FALSE
        - ALIGN_STDDEV
        - ALIGN_COUNT_TRUE
        - ALIGN_COUNT_FALSE
        - ALIGN_FRACTION_TRUE
        - ALIGN_PERCENTILE_99
        - ALIGN_PERCENTILE_95
        - ALIGN_PERCENTILE_50
        - ALIGN_PERCENTILE_05
        - ALIGN_PERCENT_CHANG
        type: string
      days:
        type: number
      filter:
        type: string
      group-by-fields:
        items:
          type: string
        type: array
      metric-key:
        type: string
      missing-value:
        type: number
      name:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
        - mod
        type: string
      period-start:
        enum:
        - auto
        - start-of-day
        type: string
      reducer:
        enum:
        - REDUCE_NONE
        - REDUCE_MEAN
        - REDUCE_MIN
        - REDUCE_MAX
        - REDUCE_MEAN
        - REDUCE_SUM
        - REDUCE_STDDEV
        - REDUCE_COUNT
        - REDUCE_COUNT_TRUE
        - REDUCE_COUNT_FALSE
        - REDUCE_FRACTION_TRUE
        - REDUCE_PERCENTILE_99
        - REDUCE_PERCENTILE_95
        - REDUCE_PERCENTILE_50
        - REDUCE_PERCENTILE_05
        type: string
      type:
        enum:
        - metrics
      value:
        type: number
    required:
    - value
    - name
    - op
Permissions - monitoring.timeSeries.list
time-range
Filters API keys that have been changed during a specific time range.
    policies:
      - name: api_keys_not_rotated_more_than_90_days
        resource: gcp.api-key
        filters:
          - not:
            - type: time-range
              value: 90

    properties:
      type:
        enum:
        - time-range
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
    required:
    - type
Permissions - apikeys.keys.list
Actions
delete
Delete a GCP API key.
    policies:
      - name: delete-unused-api-keys
        resource: gcp.api-key
        filters:
          - type: time-range
            value: 90
        actions:
          - delete

    properties:
      type:
        enum:
        - delete
    required:
    - type
Permissions - apikeys.keys.delete
patch
Patch mutable fields on a GCP API key.
Supports updating any combination of displayName, restrictions,
and annotations. At least one field must be provided.
The restrictions object accepts an optional apiTargets list and
exactly one of the following client restriction types:
- browserKeyRestrictions – allowedReferrers[]
- serverKeyRestrictions – allowedIps[]
- androidKeyRestrictions – allowedApplications[]
- iosKeyRestrictions – allowedBundleIds[]
    policies:
      - name: restrict-unrestricted-api-keys
        resource: gcp.api-key
        filters:
          - type: value
            key: restrictions
            value: absent
        actions:
          - type: patch
            restrictions:
              serverKeyRestrictions:
                allowedIps:
                  - 192.0.2.0/24
              apiTargets:
                - service: translate.googleapis.com
            annotations:
              custodian-remediated: "true"

    properties:
      annotations:
        type: object
      displayName:
        type: string
      restrictions:
        type: object
      type:
        enum:
        - patch
    required:
    - type
Permissions - apikeys.keys.update
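
The schema shown for the patch action only requires restrictions to be an object, so a misspelled restriction type would leave the key without the intended client restriction. The following is an added example, not Cloud Custodian code, that lints a patch action against the rules stated in this section before a policy is deployed; lint_patch_action and the constant names are hypothetical, and "exactly one" is read strictly.

```python
# Added example (not Cloud Custodian code): lint a gcp.api-key `patch` action
# against the rules stated in the action description. Names are hypothetical.
PATCH_FIELDS = {"displayName", "restrictions", "annotations"}
CLIENT_RESTRICTIONS = {  # client restriction type -> its list field
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}


def lint_patch_action(action):
    """Return a list of problems found in one patch action mapping."""
    problems = []
    if not PATCH_FIELDS & set(action):
        problems.append("no patchable field given")
    restrictions = action.get("restrictions")
    if restrictions is None:
        return problems
    if not isinstance(restrictions, dict):
        return problems + ["restrictions must be a mapping"]
    # Keys the schema lets through (restrictions is just `type: object`).
    stray = set(restrictions) - set(CLIENT_RESTRICTIONS) - {"apiTargets"}
    if stray:
        problems.append("unknown restriction key: " + ", ".join(sorted(stray)))
    chosen = sorted(set(restrictions) & set(CLIENT_RESTRICTIONS))
    if len(chosen) != 1:
        problems.append("need exactly one client restriction type, found %d" % len(chosen))
    for kind in chosen:
        field, body = CLIENT_RESTRICTIONS[kind], restrictions[kind]
        if not isinstance(body, dict) or not isinstance(body.get(field), list):
            problems.append("%s needs a %s list" % (kind, field))
    if not isinstance(restrictions.get("apiTargets", []), list):
        problems.append("apiTargets must be a list")
    return problems


# The page's restrict-unrestricted-api-keys action, as a Python mapping.
PAGE_EXAMPLE = {
    "type": "patch",
    "restrictions": {
        "serverKeyRestrictions": {"allowedIps": ["192.0.2.0/24"]},
        "apiTargets": [{"service": "translate.googleapis.com"}],
    },
    "annotations": {"custodian-remediated": "true"},
}
# Constructed input: a one-letter typo in the restriction type name.
TYPO_EXAMPLE = {"type": "patch", "restrictions": {
    "serverKeyRestriction": {"allowedIps": ["192.0.2.0/24"]}}}
```

An empty result means the action satisfies the documented rules; TYPO_EXAMPLE reports both the unknown key and the missing client restriction type.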