Google API Keys Remain Active After Deletion

Dark Reading, May 21, 2026

Why It Matters

The lingering validity of deleted API keys creates a hidden attack surface, forcing organizations to rethink credential revocation and monitoring strategies in GCP environments.

Key Takeaways

  • Google API keys can authenticate up to 23 minutes after deletion
  • Median revocation window measured at 16 minutes across GCP regions
  • Success rates vary: 22% in asia‑southeast1, 49% in us‑east1 after one minute
  • Incident‑response teams must assume a 30‑minute exposure period
  • Google classifies the issue “won’t fix” despite faster revocations for other credentials

Pulse Analysis

Google Cloud Platform API keys can continue authenticating for up to 23 minutes after a user deletes them. Aikido Security researcher Joe Leon measured a median revocation delay of 16 minutes across multiple regions, far exceeding the four-second window observed in comparable AWS credential tests. The lag contradicts Google's own console messaging, which tells users that a deleted key "can no longer be used," leaving administrators with a false sense of security and attackers with a window in which a leaked key still works.

The cause appears to lie in Google's distributed routing and caching layers. The study recorded stark regional differences one minute after deletion: requests from VMs in asia-southeast1 still succeeded 22% of the time, while those from us-east1 and europe-west1 succeeded around 49% of the time. That variability suggests request routing, regional cache invalidation, and server affinity all affect how quickly a revocation propagates. For security operations, the unpredictability breaks the assumption that credential deletion is instantaneous and complicates incident-response playbooks that rely on rapid containment of a leaked key.

Practitioners are advised to treat a GCP API key deletion as the start of a 30-minute exposure period rather than an instant revocation, and to monitor the "Enabled APIs and services" dashboard for anomalous activity during that window. Google reports sub-minute revocation for the newer Gemini API-key format and near-instantaneous removal of service-account credentials, but the persistence of legacy keys illustrates a broader industry problem: reconciling massive, globally distributed infrastructure with the need for swift credential invalidation. Until providers tighten revocation timelines, organizations must pair automated monitoring with procedural safeguards to contain the risk of lingering API keys.
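The regional measurements above and the 30-minute exposure assumption both come down to one question: how long after deletion does a given key still authenticate? The script below is an added example, not the article's or Aikido's tooling. It polls an API-key-authenticated endpoint from the moment of deletion until the first 4xx rejection (or until the 30-minute deadline), then summarizes the windows across regions with a median and the share of keys still valid after one minute. The Cloud Translation `languages` endpoint in `http_probe` is an assumption; any API enabled in your project that accepts `?key=` works. The `FakeKey` class is a constructed stand-in so the measurement logic can be exercised offline.

```python
"""Measure how long a deleted Google API key keeps authenticating.

Added example (not from the Dark Reading article or Aikido's research code).
Assumption: a probe returns True while the API still accepts the key (HTTP 2xx)
and False once it rejects it (HTTP 4xx). 5xx and network errors are re-raised
rather than counted as revocation, so a flaky backend cannot fake a fast revoke.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

EXPOSURE_WINDOW_S = 30 * 60  # the 30-minute exposure period recommended above

# Assumed endpoint: substitute any API-key-authenticated endpoint enabled in your project.
DEFAULT_ENDPOINT = "https://translation.googleapis.com/language/translate/v2/languages"


def http_probe(api_key: str, endpoint: str = DEFAULT_ENDPOINT) -> bool:
    """Return True if the key still authenticates (2xx), False if rejected (4xx)."""
    url = endpoint + "?" + urllib.parse.urlencode({"key": api_key})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as e:
        if 400 <= e.code < 500:
            return False
        raise  # 5xx: backend trouble, not evidence of revocation


def poll_until_revoked(probe: Callable[[], bool], *, interval_s: float = 1.0,
                       max_wait_s: float = EXPOSURE_WINDOW_S,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> Optional[float]:
    """Start the clock at deletion time, probe every interval_s seconds, and return
    the elapsed seconds at the first rejection. Return None if the key was still
    accepted when max_wait_s ran out (i.e. it outlived the exposure window)."""
    t0 = clock()
    while True:
        elapsed = clock() - t0
        if not probe():
            return elapsed
        if elapsed >= max_wait_s:
            return None
        sleep(interval_s)


def summarize(windows: dict[str, Optional[float]], horizon_s: float = 60.0) -> dict:
    """windows maps region -> seconds until revocation (None = still valid at deadline).
    Reports the median and maximum observed window and the share of keys that
    still authenticated horizon_s seconds after deletion."""
    revoked = [w for w in windows.values() if w is not None]
    still_valid = sum(1 for w in windows.values() if w is None or w > horizon_s)
    return {
        "median_revocation_s": statistics.median(revoked) if revoked else None,
        "max_revocation_s": max(revoked) if revoked else None,
        "share_valid_after_horizon": still_valid / len(windows),
        "unrevoked_at_deadline": [r for r, w in windows.items() if w is None],
    }


class FakeKey:
    """Constructed stand-in: the API keeps accepting the deleted key for
    accepts_for_s simulated seconds, mimicking propagation lag from one region."""

    def __init__(self, accepts_for_s: float) -> None:
        self.now = 0.0
        self.accepts_for_s = accepts_for_s

    def clock(self) -> float:
        return self.now

    def sleep(self, s: float) -> None:
        self.now += s  # advance simulated time instead of blocking

    def probe(self) -> bool:
        return self.now < self.accepts_for_s


def simulate(lag_by_region: dict[str, float], interval_s: float = 1.0) -> dict[str, Optional[float]]:
    """Run poll_until_revoked against constructed per-region lags (offline)."""
    out: dict[str, Optional[float]] = {}
    for region, lag in lag_by_region.items():
        k = FakeKey(lag)
        out[region] = poll_until_revoked(k.probe, interval_s=interval_s,
                                         clock=k.clock, sleep=k.sleep)
    return out


if __name__ == "__main__":
    # Constructed lags, not measured data: one region revokes fast, two are slow,
    # and one outlives the 30-minute exposure window entirely.
    lags = {"asia-southeast1": 20.0, "us-east1": 16 * 60.0,
            "europe-west1": 23 * 60.0 + 5, "us-central1": 2000.0}
    print(summarize(simulate(lags)))
```

To measure a real key, delete it in the console or with `gcloud`, then immediately call `poll_until_revoked(lambda: http_probe(KEY))`; the return value is the window your incident-response timeline has to cover. Run it from VMs in several regions, since the article's numbers show the window is not uniform.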
