Recent findings reveal a vulnerability in Google Cloud’s API key management, where deleted keys may remain operable for up to 23 minutes. This delay poses potential security risks to projects relying on critical services such as Gemini, BigQuery, and Google Maps.
Research conducted by Aikido highlights a significant concern: the lag in credential invalidation across Google’s infrastructure. When a Google API key is deleted, the revocation does not occur instantaneously. Instead, the invalidation process gradually spreads across distributed systems, leading to a ‘revocation window’ during which unauthorized access remains possible.
Delayed Revocation Across Services
The most extended revocation window observed was approximately 23 minutes, with the shortest being around 8 minutes and a median duration of 16 minutes. During this window, attackers with compromised keys can continue to use API services, as some backend systems may still validate the deleted keys.
Particularly alarming is the impact on high-value services. For instance, if a leaked key offers access to the Gemini API, it could allow attackers to retrieve files, access cached data, and interact with AI endpoints. This problem is not isolated to one service but affects others like BigQuery and Maps APIs, suggesting a systemic issue within the API key infrastructure.
Experimental Findings and Impact
In controlled experiments, researchers repeatedly created and deleted API keys, sending several authenticated requests post-deletion. They found that the success rate of these requests varied unpredictably. Some trials saw up to 79% success shortly after key deletion, while others dropped to 5%, indicating inconsistent enforcement.
Tests across various Google Cloud regions further illustrated this inconsistency, with median success rates of around 49% in us-east1 and europe-west1, and about 22% in asia-southeast1. Surprisingly, some distant regions invalidated keys faster than those closer, hinting at infrastructural factors affecting revocation timing.
Security Concerns and Recommendations
This delay in key revocation presents significant security challenges. A deleted key disappears from the Google Cloud Console immediately, yet requests using it can keep succeeding, which complicates incident response. Failed requests are aggregated under ‘apikey:UNKNOWN,’ so security teams cannot tie rejected calls back to a specific deleted key.
Different types of Google credentials exhibit varied revocation times. Service account keys revoke in roughly 5 seconds, new Gemini API keys in about 1 minute, while legacy keys can take up to 23 minutes. This variance indicates that faster revocation is possible but not uniformly applied.
Google has labeled this issue as ‘won’t fix,’ citing it as expected behavior in eventually consistent systems rather than a security flaw. Nonetheless, this delay contradicts typical security expectations and poses several risks, such as prolonged access after key compromise and difficulty enforcing just-in-time credential strategies.
To mitigate these risks, organizations are advised to treat API key deletion as a 30-minute process, closely monitor API usage post-deletion, and proactively rotate keys. Preference should be given to service account keys or newer credential types to minimize exposure.
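As an added illustration of the post-deletion monitoring recommended above (not code from the article or from Aikido's research), the following Python reviews exported request records during a 30-minute watch window after a key is deleted. The record fields, key names and timestamps are constructed assumptions, not Google's actual log schema.

```python
from datetime import datetime, timezone

# Constructed sample data for this example; field layout is an assumption.
# Deletion time of each key, as recorded by the incident responder.
DELETIONS = {
    "key-A": datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
}

# (timestamp, key id as the backend attributed it, HTTP status).
# Rejected calls carry no key id; they surface only as apikey:UNKNOWN.
REQUESTS = [
    ("2025-01-01T11:58:00Z", "key-A", 200),             # before deletion
    ("2025-01-01T12:03:10Z", "key-A", 200),             # accepted 3 min after deletion
    ("2025-01-01T12:09:45Z", "apikey:UNKNOWN", 403),    # rejected, unattributable
    ("2025-01-01T12:15:30Z", "key-A", 200),             # still accepted at 15.5 min
    ("2025-01-01T12:40:00Z", "apikey:UNKNOWN", 403),    # rejected, outside window
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def post_deletion_activity(requests, deletions, window_minutes=30):
    """Per deleted key: successful calls after deletion, the observed revocation
    window (seconds to the last post-deletion success), and whether any success
    fell outside the watch window. Unattributable rejections inside any watch
    window are counted separately, since they cannot be tied to a key."""
    report = {k: {"successes": 0, "last_success_s": 0.0, "beyond_window": False}
              for k in deletions}
    unknown_rejections = 0
    for ts_str, key_id, status in requests:
        ts = parse_ts(ts_str)
        if key_id == "apikey:UNKNOWN":
            # Count only if it falls inside some key's watch window.
            if any(0 <= (ts - d).total_seconds() <= window_minutes * 60
                   for d in deletions.values()):
                unknown_rejections += 1
            continue
        if key_id not in deletions or status != 200:
            continue
        delta = (ts - deletions[key_id]).total_seconds()
        if delta < 0:
            continue  # legitimate use before the key was deleted
        entry = report[key_id]
        entry["successes"] += 1
        entry["last_success_s"] = max(entry["last_success_s"], delta)
        if delta > window_minutes * 60:
            entry["beyond_window"] = True  # longer than the 30-minute assumption
    return report, unknown_rejections
```

Any key with `beyond_window` set, or with successes still arriving late in the window, is the signal to escalate rather than assume revocation has completed.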
This situation underscores a broader challenge in cloud security: balancing scalability with stringent authentication assurances. The current model of Google API keys leaves a critical window that attackers could exploit, necessitating heightened vigilance from security teams.
