Whitelisting App Engine IPs in Google APIs console


Alexander Konovalenko

Jun 19, 2011, 2:47:33 PM6/19/11
to Google App Engine group
When you are using a Google API (such as the Prediction API) from a
server-side app, the Google APIs Console lets you limit API requests
to those originating from known IP addresses or ranges [1, 2]. If you
set a whitelist and an API request comes from a non-whitelisted
address, the request will be rejected.

This can be really useful if you use some Google APIs from
browser-embedded JavaScript and other Google APIs only from server
side. All APIs share the same API key which can be retrieved by
examining or debugging your JavaScript. A malicious third party could
learn your API key by viewing the source of your site and then use the
key to issue calls to other Google APIs in your name, even if you only
use those other APIs from your server-side app.

Currently we cannot whitelist App Engine because the IP addresses used
by the app servers, backends and the URL fetch service are not known
in advance. I filed a request to add a button on the Google APIs
console to whitelist App Engine. If you're interested, feel free to
star it or add your comments:

http://code.google.com/p/googleappengine/issues/detail?id=5219

[1] Google APIs Console, Quotas pane
https://code.google.com/apis/console#:quotas

[2] Google APIs Console Help, section "Whitelisting by IP Address
(Server-side applications)"
https://code.google.com/apis/console-help/#whitelistingbyip

Brandon Wirtz

Jun 19, 2011, 3:25:10 PM6/19/11
to google-a...@googlegroups.com
It is safer for you and for the people whose API you are accessing to put a
proxy in the middle. I do this with a PHP proxy on another host. (Search
the archive for the code.)

Whitelisting multi-tenant IPs effectively negates the API IP restriction,
and allows someone to hit the API via a GAE proxy. (Which is why lots of
APIs don't work from GAE.)

http://code.google.com/p/googleappengine/issues/detail?id=5219

--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to google-a...@googlegroups.com.
To unsubscribe from this group, send email to
google-appengi...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en.


Nick Johnson (Google)

Jun 19, 2011, 10:23:08 PM6/19/11
to google-a...@googlegroups.com
Hi Alexander,

Sending API keys to the client probably isn't a good idea in any case, as that gives them carte blanche with the API that the key is for, even setting aside other APIs. You should use a proxy that handles authentication, instead.

-Nick Johnson

--
Nick Johnson, Developer Programs Engineer, App Engine
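The proxy both replies recommend, as an added example that is not code from this thread or from App Engine: the browser holds only a signed session token, the API key lives in server-side config, and the proxy forwards only allow-listed upstream paths. The key, secret, and path list are placeholders; the `fetch` hook exists so the logic can be exercised without network access.

```python
import hmac
import hashlib
from urllib.parse import urlencode
from urllib.request import urlopen

# Placeholders: the real key and secret stay in server-side config, never in JavaScript.
API_KEY = "PLACEHOLDER_SERVER_SIDE_API_KEY"
SESSION_SECRET = b"PLACEHOLDER_SESSION_SIGNING_SECRET"
UPSTREAM = "https://www.googleapis.com/"
# Hypothetical allow-list: only the upstream paths this app actually needs.
ALLOWED_PATHS = {"prediction/v1.2/training", "prediction/v1.2/predict"}


def issue_session(user_id):
    """Session token the browser holds instead of the API key (HMAC over the user id)."""
    mac = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session(token):
    """Return the user id for a valid token, None otherwise (constant-time compare)."""
    user_id, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def default_fetch(url):
    """Real upstream call; a stub replaces it when running offline."""
    with urlopen(url) as resp:
        return resp.status, resp.read()


def proxy(token, path, params, fetch=default_fetch):
    """Authenticate the caller, enforce the allow-list, then add the key server-side."""
    if verify_session(token) is None:
        return 401, b"not signed in"
    if path not in ALLOWED_PATHS:
        return 403, b"path not permitted"
    # Server-held key always wins over anything the client tried to pass as "key".
    query = urlencode({**params, "key": API_KEY})
    return fetch(f"{UPSTREAM}{path}?{query}")
```

A forged or missing token never reaches the upstream call, and a valid token still cannot reach any Google API the allow-list does not name, which is the exposure the original post describes.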

