---
title: GCP API Keys should be rotated every 90 days
description: Datadog, the leading service for cloud-scale monitoring.
---

# GCP API Keys should be rotated every 90 days
 
## Description{% #description %}

This rule fails when a GCP API key has not been rotated for more than 90 days. API keys are long-lived shared secrets; rotating them on a fixed cadence limits the window during which a leaked or stolen key can be abused.

## Remediation{% #remediation %}

Replace the flagged key by creating a new key, updating clients to use the new value, and then deleting the old key. From the [API Keys page in the Google Cloud Console](https://console.cloud.google.com/apis/credentials) choose **Create credentials → API key**, copy the new key, swap it into application configs, then return to the same page and delete the original key. The same flow with `gcloud`:

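```bash
# Create the replacement key
gcloud services api-keys create --display-name="my-app-key"
# Once clients use the new key, delete the old one (OLD_KEY_ID is a placeholder)
gcloud services api-keys delete OLD_KEY_ID
```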

Wherever possible, replace API key authentication with service accounts, workload identity federation, or OAuth — these support short-lived credentials and remove the need for manual rotation.
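To see which keys are past the 90-day threshold before rotating, the output of `gcloud services api-keys list --format=json` can be checked offline. The script below is an added example, not Datadog's rule logic: it assumes key age is measured from the `createTime` field, and the embedded listing (project number, key IDs, display names) is constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Threshold stated by the rule. Assumption: age is counted from createTime.
MAX_AGE = timedelta(days=90)

# Constructed sample shaped like `gcloud services api-keys list --format=json`
# output; the project number, key IDs and display names are made up.
SAMPLE_LISTING = json.dumps([
    {"name": "projects/000000000000/locations/global/keys/example-key-old",
     "displayName": "legacy-maps-key",
     "createTime": "2024-01-10T08:15:30.123456789Z"},
    {"name": "projects/000000000000/locations/global/keys/example-key-new",
     "displayName": "my-app-key",
     "createTime": "2024-05-20T12:00:00Z"},
    {"name": "projects/000000000000/locations/global/keys/example-key-nodate",
     "displayName": "imported-key"},
])

def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp, tolerating nanosecond fractions."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    parsed = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)

def stale_keys(listing_json, now=None, max_age=MAX_AGE):
    """Return (key_id, display_name, age_days) for keys needing rotation."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in json.loads(listing_json):
        key_id = key.get("name", "").rsplit("/", 1)[-1]
        label = key.get("displayName", "")
        try:
            age = now - parse_rfc3339(key["createTime"])
        except (KeyError, ValueError):
            # No usable creation time: report with age None for manual review.
            findings.append((key_id, label, None))
            continue
        if age > max_age:  # "more than 90 days", so exactly 90 days passes
            findings.append((key_id, label, age.days))
    return findings

if __name__ == "__main__":
    for key_id, label, age in stale_keys(SAMPLE_LISTING):
        print(f"{key_id}\t{label}\t{age if age is not None else 'unknown'}")
```

Keys reported with an unknown age have a missing or unparseable creation time and are listed rather than skipped.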

## References{% #references %}

- [CIS Google Cloud Platform Foundation Benchmark v4.0.0 — control 1.15](https://www.cisecurity.org/benchmark/google_cloud_computing_platform)
- [Best practices for using API keys](https://cloud.google.com/docs/authentication/api-keys#securing)
