Does anyone know if and how both the creation and usage of an AI Studio API Key is logged (in GCP_CLOUDAUDIT logs)?
Solved
Logs for Google AI Studio Keys in Google Cloud?
+9- Silver 2
Best answer by matthewnichols
Hi
I did ask Gemini and here’s the response. Please let me know if this answers your questions. And remember this did come from Gemini so please double check everything. Let me know how much of Gemini’s response is correct so we can continue to build our process for you.
Detecting Key Creation (Admin Activity)
When someone creates an API key in Google AI Studio, it triggers an administrative action within the linked GCP project. These are logged as Admin Activity logs, which are enabled by default and are free of charge.
-
Service Name:
apikeys.googleapis.com -
Method Name:
google.api.apikeys.v2.ApiKeys.CreateKey -
Where to find it: Go to the Logs Explorer in your GCP Console and use the following filter:
-
What you’ll see: The log will include the
principalEmail(who created it) and therequest.key.displayName(the name they gave the key).
Detecting Key Usage (Data Access)
Tracking the usage of the key (i.e., when someone actually calls the Gemini API) is more complex. These are Data Access logs.
-
Status: Data Access logs for the Generative Language API are disabled by default because they can be high-volume.
-
How to enable:
-
Go to IAM & Admin > Audit Logs in your GCP Console.
-
Search for "Generative Language API".
-
Check the boxes for Data Read and Data Write.
-
-
The Logs: Once enabled, calls made with the API key will appear in your logs. You can filter for them using:
-
Note on Attribution: While the logs will show that a request was made, standard audit logs may not always explicitly link a specific "Data Access" event to a specific API Key ID by default. However, you will see the volume of traffic and the caller's IP/identity if they are authenticated.
Monitoring & Alerts
To "keep an eye" on this automatically, you should set up Log-based Alerts:
-
For Creation: Create an alert based on the
CreateKeyfilter mentioned above. You can have GCP send an email or a Slack notification whenever a new key is generated in your project. -
For Billing/Usage: Since you mentioned billing concerns, the best place to monitor this is actually the APIs & Services > Dashboard. Select "Generative Language API" to see usage spikes. For granular cost tracking, use Billing Reports grouped by "Service" or "SKU."
Summary Strategy
-
To catch the "Who": Use Admin Activity logs (Method:
CreateKey). -
To catch the "How Much": Enable Data Access logs for the Generative Language API and monitor your Billing Dashboard.
-
Security Best Practice: If you want to prevent users from creating these keys entirely, you can use an Organization Policy to restrict the creation of API keys or use IAM roles to remove the
serviceusage.apiKeys.createpermission from non-admin users.
+20- Community Manager
Hi
+11Regular AI Studio or Vertex AI Studio?
As the regular AI Studio exists outside of GCP, I would not expect API key creation to be logged to the Cloud Audit logs.
For Vertex AI Studio, the creation, modification, or deletion of an API key would be considered an Admin Activity and would be logged to GCP_CLOUDAUDIT. The actual use of the key to make requests is tracked via Data Access logs and would need to be enabled.
+9- Silver 2
I’m talking about API keys created at https://aistudio.google.com. You must provide a GCP Project ID when creating a key; that’s why I thought it could be logged in GCP audit logs.
If someone steals these keys, they can use them in their own tools.
According to Google's blog, threat actors could be targeting exactly this type of keys.
+9- Silver 2
Any opinion on this one?
How can we detect when someone creates Google AI Studio keys and binds them to a GCP project where the Gemini API is enabled? Eventually, the usage of those keys will be billed in GCP, and we want to keep an eye on who creates these keys, as well as how and when they do so.
+20- Community Manager
- Answer
Hi
I did ask Gemini and here’s the response. Please let me know if this answers your questions. And remember this did come from Gemini so please double check everything. Let me know how much of Gemini’s response is correct so we can continue to build our process for you.
Detecting Key Creation (Admin Activity)
When someone creates an API key in Google AI Studio, it triggers an administrative action within the linked GCP project. These are logged as Admin Activity logs, which are enabled by default and are free of charge.
-
Service Name:
apikeys.googleapis.com -
Method Name:
google.api.apikeys.v2.ApiKeys.CreateKey -
Where to find it: Go to the Logs Explorer in your GCP Console and use the following filter:
-
What you’ll see: The log will include the
principalEmail(who created it) and therequest.key.displayName(the name they gave the key).
Detecting Key Usage (Data Access)
Tracking the usage of the key (i.e., when someone actually calls the Gemini API) is more complex. These are Data Access logs.
-
Status: Data Access logs for the Generative Language API are disabled by default because they can be high-volume.
-
How to enable:
-
Go to IAM & Admin > Audit Logs in your GCP Console.
-
Search for "Generative Language API".
-
Check the boxes for Data Read and Data Write.
-
-
The Logs: Once enabled, calls made with the API key will appear in your logs. You can filter for them using:
-
Note on Attribution: While the logs will show that a request was made, standard audit logs may not always explicitly link a specific "Data Access" event to a specific API Key ID by default. However, you will see the volume of traffic and the caller's IP/identity if they are authenticated.
Monitoring & Alerts
To "keep an eye" on this automatically, you should set up Log-based Alerts:
-
For Creation: Create an alert based on the
CreateKeyfilter mentioned above. You can have GCP send an email or a Slack notification whenever a new key is generated in your project. -
For Billing/Usage: Since you mentioned billing concerns, the best place to monitor this is actually the APIs & Services > Dashboard. Select "Generative Language API" to see usage spikes. For granular cost tracking, use Billing Reports grouped by "Service" or "SKU."
Summary Strategy
-
To catch the "Who": Use Admin Activity logs (Method:
CreateKey). -
To catch the "How Much": Enable Data Access logs for the Generative Language API and monitor your Billing Dashboard.
-
Security Best Practice: If you want to prevent users from creating these keys entirely, you can use an Organization Policy to restrict the creation of API keys or use IAM roles to remove the
serviceusage.apiKeys.createpermission from non-admin users.
+9- Silver 2
Yes, you were right. I managed to find the create event in Logs Explorer:
logName="projects/redacted/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="google.api.apikeys.v2.ApiKeys.CreateKey"
protoPayload.serviceName="apikeys.googleapis.com"Thanks for pointing me in the right direction.
+20- Community Manager
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.