The Platform Administrator (PA) can delete Key Management System (KMS) keys in the Management API server.
The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.
Before you begin
Before deleting KMS keys, you must request the necessary permissions and prepare your environment.
Request IAM roles
To create, update, delete, and use KMS keys in your project namespace, contact
your Organization IAM Admin to request the KMS Admin (kms-admin) role.
Prepare your environment
- Download and install the gdcloud CLI, if you haven't already done so.
- Install the kubectl CLI, as described in Install components.
- Generate a kubeconfig file for the management API server in your targeted zone. You need the path to the kubeconfig file to use with the kubectl command.
Delete all keys
To delete all keys in a project namespace, use the following command:
kubectl --kubeconfig MANAGEMENT_API_SERVER \
delete KEY_PRIMITIVE --namespace=PROJECT --all
Replace the following variables:
- MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server.
- KEY_PRIMITIVE: the keys you want to delete. For example: aeadkey for the AEAD key.
- PROJECT: the name of the project. For example: kms-test1.
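Because `--all` removes every key of the chosen primitive in the namespace, the following added example (not part of the original page or the product's own tooling) wraps the command above so that it first checks delete permission, then lists the keys that would be removed, and deletes only when `--yes` is passed. The function names `list_keys` and `delete_all_keys` and the `--yes` argument are hypothetical; the `kubectl` subcommands and flags are standard.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): preview, then delete, all KMS
# keys of one primitive in a project namespace. Function names are hypothetical.

# Print the names of the keys that "delete --all" would remove.
list_keys() {
  kubectl --kubeconfig "$1" get "$2" --namespace="$3" -o name
}

# Usage: delete_all_keys KUBECONFIG KEY_PRIMITIVE PROJECT [--yes]
# Returns 0 on success (or nothing to delete), 1 on a kubectl or permission
# failure, 2 on missing arguments, 3 when it stopped after the preview.
delete_all_keys() {
  local kubeconfig="${1:-}" primitive="${2:-}" project="${3:-}" confirm="${4:-}"
  local keys

  if [ -z "$kubeconfig" ] || [ -z "$primitive" ] || [ -z "$project" ]; then
    echo "usage: delete_all_keys KUBECONFIG KEY_PRIMITIVE PROJECT [--yes]" >&2
    return 2
  fi

  # Check that the current identity may delete this resource type in the
  # namespace (the page ties that permission to the kms-admin role).
  if ! kubectl --kubeconfig "$kubeconfig" auth can-i delete "$primitive" \
      --namespace="$project" >/dev/null; then
    echo "not permitted to delete $primitive in $project" >&2
    return 1
  fi

  # Show exactly which keys --all would select before touching anything.
  keys="$(list_keys "$kubeconfig" "$primitive" "$project")" || return 1
  if [ -z "$keys" ]; then
    echo "no $primitive resources in $project"
    return 0
  fi
  printf 'Keys selected by --all in %s:\n%s\n' "$project" "$keys"

  if [ "$confirm" != "--yes" ]; then
    echo "preview only; re-run with --yes to delete"
    return 3
  fi

  # Same command as in the section above.
  kubectl --kubeconfig "$kubeconfig" delete "$primitive" \
    --namespace="$project" --all
}
```

Source the file, run `delete_all_keys MANAGEMENT_API_SERVER aeadkey kms-test1` to see the preview, and add `--yes` once the listed keys are the ones you intend to remove.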