From Google Cloud Console

Go to 'APIs & Services\Credentials' using 'https://console.cloud.google.com/apis/credentials'
In the section 'API Keys', Click the 'API Key Name'. The API Key properties display on a new page.
Click 'REGENERATE KEY' to rotate API key.
Click 'Save'.
Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

Note: Do not set 'HTTP referrers' to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s)
Do not set 'IP addresses' and referrer to 'any host (0.0.0.0 or 0.0.0.0/0 or ::0)'

From Google Cloud CLI

There is not currently a way to regenerate and API key using gcloud commands. To 'regenerate' a key you will need to create a new one, duplicate the restrictions from the key being rotated, and delete the old key.

List existing keys.

gcloud services api-keys list

Note the 'UID' and restrictions of the key to regenerate.
Run this command to create a new API key. is the display name of the new key.
'
gcloud alpha services api-keys create --display-name=""
'
Note the 'UID' of the newly created key
Run the update command to add required restrictions.

Note - the restriction may vary for each key. Refer to this documentation for the appropriate flags.
https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update

gcloud alpha services api-keys update

Delete the old key.

gcloud alpha services api-keys delete

ID	Name	CSP	Domain	Severity
AC_GCP_0367	Ensure API Keys Are Rotated Every 90 Days	GCP	Security Best Practices	MEDIUM
AC_GCP_0366	Ensure API Keys Are Restricted to Only APIs That Application Needs Access	GCP	Security Best Practices	MEDIUM
AC_GCP_0365	Ensure API Keys Only Exist for Active Services	GCP	Security Best Practices	MEDIUM

Detections

Analytics

Tenable Cloud Security Policies Search

MEDIUM

MEDIUM

MEDIUM