Error 403 with Android restricted Google Cloud Platform API key


kaifu...@gmail.com

Nov 19, 2018, 12:10:55 AM
to Google Cloud Endpoints
I have a problem restricting a GCP API key's usage to an Android app. I have added its package name and certificate SHA-1 fingerprint, but it doesn't work. The error I get when calling any API is

Unexpected response code 403
"code": 7,
"message": "Client application blocked.",
"details": [
  "@type": "type.googleapis.com/google.rpc.DebugInfo",
  "stackEntries": [],
  "detail": "service_control"
]

Any suggestion is appreciated, thanks.

dr...@google.com

Nov 19, 2018, 3:16:25 PM
to Google Cloud Endpoints
We need more details to identify the issue. Are you using Endpoints Frameworks in Java? If not, what flavor of Endpoints are you using (OpenAPI, gRPC)?
Can you show us how you configured your endpoint to require an API key? How are you making the call?

kaifu...@gmail.com

Nov 20, 2018, 2:42:06 AM
to Google Cloud Endpoints
We are using Cloud Endpoints OpenAPI in GAE flex env, and the API key was restricted by package name and SHA-1 fingerprint:

[image: x2V8nWgHXMC.png]


OpenAPI security definitions:

paths: 
  /method_path: 
    get: 
      responses: 
        '200': 
          description: OK 
      security: 
        - api_key: []
securityDefinitions:
  api_key:
    type: apiKey
    name: key
    in: query


We have added these headers to the request: X-Android-Cert=3E:{skip}:27 X-Android-Package=com.xxx.xxx
But the endpoint still responds with a 403 error: {"code":7,"message":"Client application blocked.","details":[{"@type":"type.googleapis.com\/google.rpc.DebugInfo","stackEntries":[],"detail":"service_control"}]}

How can I debug this issue?

By the way, HTTP referrers restriction works well.

kaifu...@gmail.com

Nov 20, 2018, 3:40:06 AM
to Google Cloud Endpoints
Just realized that the X-Android-Cert should be in hex string format without colons.
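
The header format described above, as an added example that is not part of the original thread: it checks an X-Android-Cert value for the colon problem, converts a colon-separated SHA-1 fingerprint to the bare hex form, and builds a curl command for reproducing the call by hand. The function names, the sample fingerprint, the package name and the host are assumptions made for illustration.

```python
import re
import shlex

SHA1_HEX_LEN = 40  # a SHA-1 digest is 20 bytes, i.e. 40 hex characters

def cert_header_problems(value):
    """List the reasons a value is not a bare 40-character hex SHA-1 string."""
    problems = []
    if ":" in value:
        problems.append("contains colons")
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    bare = re.sub(r"[:\s]", "", value)
    if not re.fullmatch(r"[0-9A-Fa-f]*", bare):
        problems.append("contains non-hex characters")
    elif len(bare) != SHA1_HEX_LEN:
        problems.append(f"{len(bare)} hex characters, expected {SHA1_HEX_LEN}")
    return problems

def normalize_fingerprint(fingerprint):
    """Strip colons and whitespace; the case of the hex digits is kept as given."""
    bare = re.sub(r"[:\s]", "", fingerprint)
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % SHA1_HEX_LEN, bare):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return bare

def android_key_headers(package, fingerprint):
    """Headers the thread reports sending with an Android-restricted key."""
    return {
        "X-Android-Package": package,
        "X-Android-Cert": normalize_fingerprint(fingerprint),
    }

def curl_command(url, headers):
    """Build a shell-quoted curl command line for a manual test request."""
    parts = ["curl"]
    for name, value in headers.items():
        parts += ["-H", f"{name}: {value}"]
    parts.append(url)
    return " ".join(shlex.quote(p) for p in parts)

# Constructed sample values, not taken from the thread.
SAMPLE_FP = "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"
SAMPLE_PKG = "com.example.app"

if __name__ == "__main__":
    print(cert_header_problems(SAMPLE_FP))
    headers = android_key_headers(SAMPLE_PKG, SAMPLE_FP)
    print(curl_command("https://api.example.com/method_path?key=PLACEHOLDER_KEY", headers))
```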

dr...@google.com

Nov 20, 2018, 3:17:11 PM
to Google Cloud Endpoints
Just to confirm, were you able to get it to work? You are correct about the SHA signature needing to be a hex string in the header.
See this post for more information on how to do that: https://stackoverflow.com/questions/33989062/restricting-usage-for-an-android-key-for-a-google-api/42851756#42851756

If it still doesn't work, can you try making a curl request with a non-restricted API key?
curl "${ENDPOINTS_HOST}/method_path?key=${YOUR_KEY}"

If that works, then it means the problem is in the Android code. If it doesn't, it means there is something wrong in the Endpoints configuration.
You might also be able to get some information for debugging from logs in Stackdriver.

One thing that seems to be wrong in the OpenAPI security definition is the indentation of '- api_key', it should be:

Mila Popovic

Apr 27, 2021, 5:10:00 AM
to Google Cloud Endpoints
Hello all, I am new to this group. I have set up an endpoint and restricted the API key to work only with my app. It works when I send requests with headers containing the package name and SHA signature. But this doesn't make sense: the signing key should not be sent in HTTP requests, this is insecure. It is better to keep the API key unrestricted than to send the signing key, which should be a secret.

I expected that the endpoint would be able to identify my app and signing key on its own. How is this actually supposed to work? How to solve:
{"message":"PERMISSION_DENIED:Client application blocked.","code":403}
without exposing app's signing key?

Pedro Moreno

Aug 6, 2021, 10:22:09 AM
to Google Cloud Endpoints
Please could you provide more details, as seen in the previous messages? For example, which type of Endpoints framework is being used, and also the configuration of the endpoint to require the API key, as it may give us more understanding of the possible issue.

It will also help a lot to know if you are following any guide on the process.
