In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
People who have no need to know the secret might gain access to it. They might then be able to use it to gain unwanted access to associated
services or resources.
The trust issue can be more or less severe depending on those people's roles and entitlements.
What is the potential impact?
Google API keys are used to authenticate applications that consume Google Cloud APIs.
API keys are not strictly secret as they are often embedded into client-side code or mobile applications that consume Google Cloud APIs. Still,
they should be secured.
Financial loss
An unrestricted Google API key disclosed in public source code could be used by malicious actors to consume Google APIs on behalf of your
application.
This will have a financial impact as your organization will be billed for the data consumed by the malicious actor.
Denial of service
If your account has a quota enabled to cap the API consumption of your application, this quota can be exceeded, leaving your application unable to
request the Google APIs it requires to function properly.
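
To catch the kind of disclosure described above before it reaches a repository, source files can be scanned for strings shaped like Google API keys. The following is an added example, not code from the original page; the key format (the prefix "AIza" followed by 35 characters), the function names and the sample input are assumptions made for illustration.

```python
import re

# Assumption (not stated on the page): a Google API key is "AIza" followed
# by 35 characters from [0-9A-Za-z_-], 39 characters in total.
KEY_CHARS = r"[0-9A-Za-z_-]"
GOOGLE_API_KEY = re.compile(
    rf"(?<!{KEY_CHARS})AIza{KEY_CHARS}{{35}}(?!{KEY_CHARS})"
)

# Constructed values for the demo; neither is a real credential.
FAKE_KEY = "AIza" + "SyConstructedExampleKey_NotReal-012"
PLACEHOLDER = "AIza" + "X" * 35

SAMPLE = f'''// constructed sample file
const MAPS_KEY = "{FAKE_KEY}";
const DOC_KEY = "{PLACEHOLDER}";
const other = "AIzaTooShort";
'''


def is_placeholder(key):
    """Documentation stand-ins such as AIzaXXXX... have very few distinct characters."""
    return len(set(key[4:])) < 6


def redact(key):
    """Keep enough of the key to locate it without copying the secret into logs."""
    return key[:6] + "..." + key[-4:]


def scan_text(text):
    """Return (line_number, redacted_key) for each likely hard-coded key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY.finditer(line):
            key = match.group(0)
            if not is_placeholder(key):
                findings.append((line_no, redact(key)))
    return findings


if __name__ == "__main__":
    for line_no, key in scan_text(SAMPLE):
        print(f"line {line_no}: possible Google API key {key}")
```

Findings are reported in redacted form so that the scanner's own output does not become a second copy of the secret.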