Google API Keys Remain Active Up to 23 Minutes After Deletion, Exposing Cloud Services
What Happened — Researchers at Aikido Security found that Google Cloud API keys continue to authenticate for up to 23 minutes after a user deletes them. The delay is a by‑product of Google’s eventually‑consistent credential propagation and affects all key types, including those for Maps, BigQuery, and Gemini AI.
Why It Matters for TPRM —
- Stolen or leaked API keys can be abused during the revocation window to generate unauthorized charges or extract data.
- Third‑party applications that depend on Google APIs inherit this latency, expanding the attack surface of your supply chain.
- No built‑in verification mechanism means vendors cannot guarantee immediate key invalidation, complicating incident response and audit trails.
Who Is Affected — Cloud‑based SaaS providers, data‑analytics platforms, mapping services, AI‑driven applications, and any organization that integrates Google Cloud APIs.
Recommended Actions —
- Treat API‑key deletion as a 30‑minute operation; monitor usage continuously after revocation.
- Rotate keys proactively and implement usage‑based alerts in the GCP console.
- Where feasible, replace long‑lived API keys with short‑lived service‑account tokens or OAuth flows that support immediate revocation.
- Update third‑party risk questionnaires to capture this credential‑propagation latency.
Technical Notes — The issue originates from Google Cloud’s eventually consistent credential store; deletion propagates across regions over minutes. No CVE has been assigned. Affected data includes request payloads, uploaded files, and cached Gemini conversation data. Source: Help Net Security