The Platform Administrator (PA) can delete Key Management System (KMS) keys in the Management API server.
The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.
Before you begin
Before deleting KMS keys, you must request the necessary permissions and prepare your environment.
Request IAM roles
Contact your Organization IAM Admin to request the following roles:
- KMS Admin (
kms-admin): create, update, delete, and use KMS keys in your project namespace. - Global MZAEADKey Deleter (
global-mzaeadkey-deleter): delete multi-zoneAEADkeys in your project namespace.
Prepare your environment
Download and install the gdcloud CLI, if you haven't already done so.
Generate the necessary kubeconfig files. You need the path to the relevant kubeconfig file to use with the
kubectlcommands.- To delete zonal keys, generate the kubeconfig file for the management API server.
- To delete multi-zone keys, generate the kubeconfig file for the global API server.
Delete all keys
You can delete zonal keys from the management API server or multi-zone keys from the global API server.
Delete all zonal keys
To delete all zonal keys in a project namespace, use the following command:
kubectl --kubeconfig MANAGEMENT_API_SERVER_KUBECONFIG \
delete KEY_PRIMITIVE --namespace=PROJECT --all
Replace the following:
- MANAGEMENT_API_SERVER_KUBECONFIG: the kubeconfig file of the management API server.
- KEY_PRIMITIVE: the key you want to delete. For
example:
aeadkeyfor theAEADkey. - PROJECT: the name of the project. For example:
kms-test1.
Delete all multi-zone keys
To delete all multi-zone keys in a project namespace, use the following command:
kubectl --kubeconfig GLOBAL_API_SERVER_KUBECONFIG \
delete mzaeadkey --namespace=PROJECT --all
Replace the following:
- GLOBAL_API_SERVER_KUBECONFIG: the kubeconfig file of the global API server.
- PROJECT: the name of the project. For example:
kms-test1.