
Aikido shows Google API keys keep working up to 23 minutes after deletion; Google closes report as 'won't fix'

Aikido Security's Joe Leon has documented that standard Google Cloud API keys keep working for up to 23 minutes after they are deleted from the GCP console, with a median revocation window of 16 minutes. Over 10 trials across two days, the team kept sending authenticated requests at 3-5 per second; one trial saw 79% of requests succeed one minute after deletion. During this window, an attacker holding a leaked key retains full access to any enabled API on the project, including Gemini file dumps, BigQuery, and Maps. Google closed the bug report as 'won't fix.' Service-account deletions propagate in around 5 seconds; only standard API keys are slow.

Check
Review your GCP secret-rotation runbooks and identify which services authenticate with standard API keys rather than service accounts. For any recent key deletion, search your GCP audit logs for calls authenticated with that key after the deletion timestamp; if there are any, the key was still live during the propagation window.
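The empirical version of this check is to measure the window yourself: delete a throwaway key and keep hitting an API with it, the way Aikido's trials did at 3-5 requests per second, until it is rejected for good. The script below is an added example, not Aikido's tooling or Google's. It assumes the probe target is the Gemini (Generative Language) model-list endpoint, chosen because it rejects a bad key with an HTTP 400 rather than an HTTP 200 carrying an error body as the Maps Geocoding API does; the URL, the 30-minute default and the flapping profile in `simulate()` are all assumptions, and `simulate()` uses constructed data so the analysis runs offline.

```python
"""Probe how long a deleted Google API key keeps being accepted.

Added example; this is not Aikido's tooling and not Google's. It assumes the
key is probed against the Gemini (Generative Language) model-list endpoint,
which rejects a bad key with an HTTP 400 instead of an HTTP 200 carrying an
error body the way the Maps Geocoding API does. The URL and the 30-minute
default are assumptions; adjust both for your project.
"""
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

# Assumed endpoint: cheap, read-only, and fails closed with a 4xx on a bad key.
PROBE_URL = "https://generativelanguage.googleapis.com/v1beta/models?key={key}"


@dataclass
class Sample:
    t: float         # seconds since the probe started (start it as you delete)
    accepted: bool   # True if the API still honoured the key


def http_probe(key: str) -> bool:
    """Real probe: one GET with the key; any 2xx means the key still works."""
    try:
        with urllib.request.urlopen(PROBE_URL.format(key=key), timeout=5) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (400, 401, 403):
            return False      # key rejected
        raise                 # 429/5xx is not a revocation signal; surface it


def run_probe(probe, key, duration_s=1800.0, rate_hz=4.0,
              clock=time.monotonic, sleep=time.sleep):
    """Hit the API at rate_hz for duration_s, recording accept/reject per call.
    clock and sleep are injectable so the loop can be driven deterministically."""
    samples, t0, interval = [], clock(), 1.0 / rate_hz
    while (elapsed := clock() - t0) < duration_s:
        samples.append(Sample(elapsed, probe(key)))
        sleep(interval)
    return samples


def revocation_window(samples):
    """(first_rejection_s, last_acceptance_s), either None if never seen.
    Between the two the key flaps: some frontends still accept it. Size your
    incident window on last_acceptance, not on the first 400 you see."""
    rejected = [s.t for s in samples if not s.accepted]
    accepted = [s.t for s in samples if s.accepted]
    return (min(rejected) if rejected else None,
            max(accepted) if accepted else None)


def acceptance_rate(samples, start_s, end_s):
    """Fraction of calls in [start_s, end_s) that the API accepted."""
    bucket = [s for s in samples if start_s <= s.t < end_s]
    return sum(s.accepted for s in bucket) / len(bucket) if bucket else None


def simulate(window_s=960.0, flap_from_s=900.0, duration_s=1200.0, rate_hz=4.0):
    """Constructed stand-in for a live run (no network): the key is accepted
    until flap_from_s, accepted on every other call until window_s, then
    rejected. The numbers mimic a 16-minute median window, not real data."""
    state = {"t": 0.0, "n": 0}

    def clock():
        return state["t"]

    def sleep(dt):
        state["t"] += dt

    def probe(_key):
        state["n"] += 1
        if state["t"] < flap_from_s:
            return True
        if state["t"] < window_s:
            return state["n"] % 2 == 0
        return False

    return run_probe(probe, "constructed-key", duration_s, rate_hz, clock, sleep)


def report(samples):
    """Print the window and a per-minute acceptance rate, like Aikido's 79%."""
    if not samples:
        return
    first, last = revocation_window(samples)
    print(f"first rejection at {first}s, last acceptance at {last}s")
    for start in range(0, int(samples[-1].t) + 1, 60):
        rate = acceptance_rate(samples, start, start + 60)
        if rate is not None:
            print(f"  {start // 60:3d} min: {rate:5.0%} accepted")


if __name__ == "__main__":
    # Usage: delete the key in the console, then immediately run
    #   python probe.py <the-deleted-key>
    # With no argument the constructed simulation runs instead.
    if len(sys.argv) > 1:
        report(run_probe(http_probe, sys.argv[1]))
    else:
        report(simulate())
```

Run it against a real throwaway key the moment you click delete and let it go for the full 30 minutes: the number that matters for incident response is the last acceptance, not the first rejection, because the key flaps between the two as the deletion propagates.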
Affected
Any organization that uses standard Google Cloud API keys and assumes deletion revokes them immediately. Service accounts (about 5-second propagation) and Gemini's newer API key format (about 1 minute) are not affected.
Fix
Migrate from standard API keys to service accounts where possible. During leak response, treat a deleted Google API key as live for 30 minutes after deletion and keep watching for its use. Combine deletion with rotation: issue a new key, cut consumers over to it, then delete the old one, rather than relying on deletion alone to shut the attacker out.