
Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds
Why It Matters
The revocation gap gives threat actors a sizable window to exfiltrate data, complicating incident response and highlighting a systemic risk in cloud credential management.
Key Takeaways
- Deleted Google API keys stay active up to 23 minutes
- Average revocation delay is 16 minutes across GCP
- Region‑specific success rates: up to 49% in US/EU
- Google labels post‑deletion attempts as apikey:UNKNOWN
- Google classifies delay as known property, not a bug
Pulse Analysis
Aikido Security’s recent study shines a light on a subtle yet critical flaw in Google Cloud’s credential lifecycle. When an administrator deletes an API key, the console shows an immediate status change, but the underlying authentication infrastructure, distributed across global data centers, updates more slowly. This eventual consistency creates a revocation window that can stretch to 23 minutes, far longer than the sub‑second delays seen in comparable AWS key revocations. The research underscores how distributed system design choices can unintentionally expose assets to persistent threat actors.
For security teams, the findings complicate detection and containment strategies. During the lag, compromised keys can still query services such as Gemini, BigQuery, and Maps, potentially leaking sensitive data. Moreover, Google’s logging aggregates post‑deletion attempts under a generic "apikey:UNKNOWN" label, obscuring which credential is being abused and hampering forensic timelines. Regional disparities add another layer of uncertainty; requests routed through US‑East1 or Europe‑West1 retain nearly half their success rate in the first minute, while Asia‑Southeast1 drops to 22%. These nuances demand more granular monitoring and a reevaluation of key‑rotation policies.
Practitioners should treat API‑key deletions as a 30‑minute operation, continuously auditing authentication logs for anomalous activity throughout that period. Automating rapid key rotation, employing short‑lived tokens, and leveraging Google’s faster‑revoking service‑account keys can mitigate exposure. The broader industry implication is clear: cloud providers must balance scalability with timely credential propagation, and customers need to factor eventual consistency into their risk models. As cloud ecosystems evolve, transparent communication about such systemic behaviors will be essential for maintaining trust and security.
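The monitoring advice above, as an added example (not code from Aikido Security or Google): a Python check that correlates key-deletion times with requests logged as apikey:UNKNOWN inside the 30‑minute window. The record layout, key names, and timestamps are constructed assumptions, not Google's actual log schema.

```python
from datetime import datetime, timedelta

WATCH_WINDOW = timedelta(minutes=30)  # the article's "30-minute operation"
UNKNOWN_LABEL = "apikey:UNKNOWN"      # label reported for post-deletion attempts

# Constructed sample data; field names and key names are hypothetical.
DELETIONS = {
    "key-maps-prod": "2025-01-10T12:00:00+00:00",
    "key-bq-batch": "2025-01-10T12:20:00+00:00",
}
LOG = [
    {"ts": "2025-01-10T11:59:30+00:00", "credential": "apikey:key-maps-prod", "service": "maps", "status": 200},
    {"ts": "2025-01-10T12:00:40+00:00", "credential": UNKNOWN_LABEL, "service": "maps", "status": 200},
    {"ts": "2025-01-10T12:22:10+00:00", "credential": UNKNOWN_LABEL, "service": "bigquery", "status": 200},
    {"ts": "2025-01-10T12:29:00+00:00", "credential": UNKNOWN_LABEL, "service": "bigquery", "status": 403},
    {"ts": "2025-01-10T13:05:00+00:00", "credential": UNKNOWN_LABEL, "service": "maps", "status": 403},
]

def audit_revocation_windows(deletions, log):
    """Flag apikey:UNKNOWN requests that fall inside any key's post-deletion window."""
    deleted = {k: datetime.fromisoformat(v) for k, v in deletions.items()}
    findings = []
    for entry in log:
        if entry["credential"] != UNKNOWN_LABEL:
            continue
        ts = datetime.fromisoformat(entry["ts"])
        # The generic label hides the key, so every key deleted in the prior 30 minutes is a candidate.
        candidates = sorted(k for k, d in deleted.items() if d <= ts <= d + WATCH_WINDOW)
        if not candidates:
            continue
        findings.append({"ts": entry["ts"], "service": entry["service"],
                         "candidates": candidates,
                         "accepted": 200 <= entry["status"] < 300})  # deleted key still honoured
    return findings

def last_accepted_delay(deletions, findings):
    """Per key: seconds from deletion to the latest accepted request it may explain."""
    delays = {}
    for f in findings:
        if not f["accepted"]:
            continue
        ts = datetime.fromisoformat(f["ts"])
        for key in f["candidates"]:
            secs = int((ts - datetime.fromisoformat(deletions[key])).total_seconds())
            delays[key] = max(delays.get(key, 0), secs)
    return delays
```

When two deletion windows overlap, an accepted request is attributed to both keys, so the per-key delay is an upper bound on observed exposure rather than a confirmed value.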