ctipilot.ch

Deleted Google Cloud API keys keep authenticating up to 23 minutes (GCP IAM eventual consistency)

vulnerability-trend · item:google-cloud-api-key-deletion-delay-2026

Coverage timeline: 1 (first 2026-05-24 → last 2026-05-24)
Briefs: 1 (1 distinct)
Sources cited: 9 (7 hosts)
Sections touched: 1 (research)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-24 · CTI Daily Brief — 2026-05-24
     research · First coverage: Aikido finding; key revocation not immediate containment; Google reopened as P0

Where this entity is cited

  • research (1)

Source distribution

  • attack.mitre.org: 3 (33%)
  • aikido.dev: 1 (11%)
  • helpnetsecurity.com: 1 (11%)
  • dutchnews.nl: 1 (11%)
  • groupe3r.ch: 1 (11%)
  • nltimes.nl: 1 (11%)
  • therecord.media: 1 (11%)

Related entities

Items in briefs about Deleted Google Cloud API keys keep authenticating up to 23 minutes (GCP IAM eventual consistency) (1)

Deleted Google Cloud API keys keep authenticating for up to 23 minutes

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

Aikido Security researcher Joe Leon published findings (2026-05-21, updated 2026-05-22) showing that a deleted Google Cloud API key continues to authenticate API requests for a median of roughly 16 minutes and up to roughly 23 minutes after deletion, measured across 10 controlled trials against the Gemini, BigQuery and Maps APIs (Aikido, 2026-05-21). By contrast, a revoked service-account key stops authenticating within about 5 seconds and a Gemini-specific key within about 1 minute. Aikido attributes the delay to eventual consistency in GCP's IAM credential-propagation layer: a deletion propagates gradually across distributed authorisation servers rather than taking effect atomically, so any server that has not yet seen the deletion keeps accepting the key. Google first closed the report as "Won't Fix (working as intended)" and reopened it as a P0 after public disclosure (Aikido, 2026-05-21).

Why it matters to us: key rotation/revocation is the reflexive first containment step in most cloud IR runbooks, and this finding breaks the assumption that deletion takes effect immediately. An attacker holding a stolen key keeps a usable window in which to exfiltrate BigQuery datasets, run Gemini inference, or make Maps requests on the victim project's bill after the defender believes the key is dead. For any CH/EU public-sector tenant on GCP, treat API-key deletion as a ~30-minute containment action: delete to start the clock, then watch Cloud Audit Logs for use of the key after the deletion timestamp until the window has elapsed, and, for GDPR Art. 33 / Swiss DSG Art. 24 purposes, count the full post-deletion window as continued exposure when the key reached PII. Two caveats: Data Access audit logs must already be enabled for the service in question (on by default for BigQuery, off by default for most other services), otherwise there is nothing to search; and a key that still authenticates well past the observed ~23 minutes points to something other than propagation lag (wrong key deleted, a duplicate key still live), so escalate rather than keep waiting. Where viable, prefer service-account keys (near-instant revocation) or, better, short-lived credentials that need no revocation at all. Maps to ATT&CK T1550.001 (Use Alternate Authentication Material: Application Access Token).
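A containment check of the kind the paragraph above calls for, as an added example written for this brief (not Aikido's or Google's code): given exported Cloud Audit Log entries, it anchors on the key's deletion event, lists every later call made with that key, sizes the exposure window for the breach record, and only declares containment confirmed once the 30-minute watch window has elapsed; use past the window is flagged for escalation. Two things are assumptions rather than documented facts and are marked ASSUMED in the code: the deletion method name `google.api.apikeys.v2.ApiKeys.DeleteKey`, and the field `protoPayload.authenticationInfo.apiKeyName` used to attribute a data-access entry to the key. The log entries are constructed for the example.

```python
"""Post-deletion usage check for a Google Cloud API key over exported Cloud Audit Log entries.

Added example for this brief; not code from Aikido Security or Google.
Marked ASSUMED: the deletion method name and the field that attributes a
data-access entry to the API key. Verify both against your own log entries.
"""
import json
from datetime import datetime, timedelta

# ASSUMED: gRPC method name of API Keys API v2 key deletion as recorded in Admin Activity logs.
DELETE_METHOD = "google.api.apikeys.v2.ApiKeys.DeleteKey"
# Watch window after deletion: the brief's ~23 min worst case, rounded up with margin.
WATCH_WINDOW = timedelta(minutes=30)

# CONSTRUCTED sample export in the shape of `gcloud logging read --format=json`; not real log data.
KEY_NAME = "projects/123456789/locations/global/keys/constructed-key-0001"
OTHER_KEY = "projects/123456789/locations/global/keys/constructed-key-0002"


def _call(ts, service, method, key, ip):
    """Build one constructed data-access entry. apiKeyName is an ASSUMED attribution field."""
    return {"timestamp": ts, "protoPayload": {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"apiKeyName": key},
        "requestMetadata": {"callerIp": ip}}}


SAMPLE_ENTRIES = [
    _call("2026-05-24T09:58:10Z", "bigquery.googleapis.com",
          "google.cloud.bigquery.v2.JobService.InsertJob", KEY_NAME, "203.0.113.7"),
    {"timestamp": "2026-05-24T10:00:00Z", "protoPayload": {          # the deletion itself
        "serviceName": "apikeys.googleapis.com", "methodName": DELETE_METHOD,
        "resourceName": KEY_NAME,
        "authenticationInfo": {"principalEmail": "ir-oncall@example.ch"}}},
    _call("2026-05-24T10:04:30Z", "bigquery.googleapis.com",
          "google.cloud.bigquery.v2.JobService.InsertJob", KEY_NAME, "203.0.113.7"),
    _call("2026-05-24T10:11:05Z", "generativelanguage.googleapis.com",
          "google.ai.generativelanguage.v1beta.GenerativeService.GenerateContent", KEY_NAME, "203.0.113.7"),
    _call("2026-05-24T10:12:00Z", "bigquery.googleapis.com",
          "google.cloud.bigquery.v2.JobService.InsertJob", OTHER_KEY, "198.51.100.4"),  # unrelated key
    _call("2026-05-24T10:16:40Z", "bigquery.googleapis.com",
          "google.cloud.bigquery.v2.JobService.InsertJob", KEY_NAME, "203.0.113.7"),
]


def parse_ts(ts: str) -> datetime:
    """Cloud Logging timestamps are RFC 3339 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_deletion_of(entry: dict, key_name: str) -> bool:
    pp = entry.get("protoPayload", {})
    return pp.get("methodName") == DELETE_METHOD and pp.get("resourceName") == key_name


def used_key(entry: dict, key_name: str) -> bool:
    """True for a data-access entry authenticated with key_name (ASSUMED attribution field)."""
    pp = entry.get("protoPayload", {})
    return (pp.get("methodName") != DELETE_METHOD
            and pp.get("authenticationInfo", {}).get("apiKeyName") == key_name)


def analyse(entries: list, key_name: str, now_ts: str) -> dict:
    """Anchor on the deletion event, collect later calls with the key, size the exposure window."""
    now = parse_ts(now_ts)
    deletions = [parse_ts(e["timestamp"]) for e in entries if is_deletion_of(e, key_name)]
    if not deletions:
        raise ValueError(f"no {DELETE_METHOD} event for {key_name}: nothing to anchor the window to")
    deleted_at = min(deletions)                      # the earliest deletion starts the clock
    watch_ends = deleted_at + WATCH_WINDOW
    post = sorted((e for e in entries
                   if used_key(e, key_name) and parse_ts(e["timestamp"]) >= deleted_at),
                  key=lambda e: parse_ts(e["timestamp"]))
    last_use = parse_ts(post[-1]["timestamp"]) if post else None
    return {
        "deleted_at": deleted_at.isoformat(),
        "post_deletion_calls": [
            (e["timestamp"], e["protoPayload"]["serviceName"], e["protoPayload"]["methodName"],
             e["protoPayload"].get("requestMetadata", {}).get("callerIp", "?")) for e in post],
        "services_touched": sorted({e["protoPayload"]["serviceName"] for e in post}),
        # For the breach record: deletion to last observed use, in seconds (0 if no use after deletion).
        "exposure_seconds": int((last_use - deleted_at).total_seconds()) if last_use else 0,
        # Silence only means containment once the whole watch window has elapsed.
        "containment_confirmed": now >= watch_ends,
        # Use past the watch window is not propagation lag (wrong key deleted, sibling key): escalate.
        "use_beyond_watch_window": last_use is not None and last_use > watch_ends,
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_ENTRIES, KEY_NAME, "2026-05-24T10:20:00Z"), indent=2))
```

To run it on real data, export the project's audit entries for the period with `gcloud logging read '<filter>' --format=json` and pass them in place of `SAMPLE_ENTRIES`. Before trusting an empty result, confirm the attribution field against one call you know was made with the key: if the field name differs in your entries, `used_key` never matches and every call looks like silence.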