Delete Cloud KMS resources

This document shows how to permanently delete Cloud Key Management Service keys and key versions. This operation is irreversible.

In Cloud KMS, destruction and deletion are different operations:

  • Destruction: Disables a key version permanently, including irreversibly destroying the underlying key material after the specified destruction period. A key version in the DESTROYED state can't be used for cryptographic operations and is no longer billed. You can destroy a key version that was used to encrypt data to crypto-shred data that you want to be permanently unrecoverable. Destroyed key versions are still included in lists of Cloud KMS resources.

  • Deletion: Removes a key or key version from lists of Cloud KMS resources in the Google Cloud console, Google Cloud CLI, Cloud Key Management Service API, and client libraries. For projects with many keys or key versions that are no longer active, deletion streamlines search and list operations. Deleted CryptoKey names can't be reused. You can view a list of deleted CryptoKey names that can't be reused using the retiredResources.list method.

Before you begin

To get the permissions that you need to delete and view Cloud KMS resources, ask your administrator to grant you the Cloud KMS administrator (roles/cloudkms.admin) IAM role on the key. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to delete and view Cloud KMS resources. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to delete and view Cloud KMS resources:

  • To delete a key version: cloudkms.cryptoKeyVersions.delete
  • To delete a key: cloudkms.cryptoKeys.delete
  • To view deleted resources:
    • cloudkms.retiredResources.get
    • cloudkms.retiredResources.list

You might also be able to get these permissions with custom roles or other predefined roles.

Delete a key version

You can delete a key version if it's in the DESTROYED, IMPORT_FAILED, or GENERATION_FAILED state. If the key version was imported, it can only be deleted if the import failed.

To permanently delete a key version, follow these steps:

gcloud

To delete a key version, run the following command:

gcloud kms keys versions delete KEY_VERSION \
    --location=LOCATION \
    --keyring=KEY_RING \
    --key=KEY_NAME

Replace the following:

  • KEY_VERSION: the number of the key version that you want to permanently delete. The indicated key version must be in the DESTROYED, IMPORT_FAILED, or GENERATION_FAILED state.
  • LOCATION: the Cloud KMS location of the key ring.
  • KEY_RING: the name of the key ring that contains the key.
  • KEY_NAME: the name of the key that contains the key version that you want to permanently delete.

REST

  1. To delete a key version, call the cryptoKeyVersions.delete method. This method returns a long-running operation that you can poll to confirm that the key version has been deleted.

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION" \
--request "DELETE" \
--header "authorization: Bearer TOKEN"

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • KEY_RING: the name of the key ring that contains the key.
    • KEY_NAME: the name of the key that contains the key version that you want to permanently delete.
    • KEY_VERSION: the number of the key version that you want to permanently delete. The indicated key version must be in the DESTROYED, IMPORT_FAILED, or GENERATION_FAILED state.

    The output of the command returns an Operation. You need the name of the operation for the next step.

  2. To confirm that the key version has been deleted, you can call the operations.get method:

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_NAME" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • OPERATION_NAME: the name of the operation that was returned by the previous method.

    When the output of this method shows that done is true, the operation has finished. If no error is indicated, then the key version has been permanently deleted.

Delete a key

You can delete a key if it meets the following conditions:

  • The key contains no key versions that aren't yet deleted.
  • The key doesn't have automatic key rotation scheduled.
  • The key wasn't created by Cloud KMS Autokey.

To permanently delete a key, follow these steps:

gcloud

To delete a key, run the following command:

gcloud kms keys delete KEY_NAME \
    --location=LOCATION \
    --keyring=KEY_RING

Replace the following:

  • KEY_NAME: the name of the key that you want to permanently delete. The key must not contain any key versions that haven't already been deleted, and it must not be a key that was created by Autokey.
  • LOCATION: the Cloud KMS location of the key ring.
  • KEY_RING: the name of the key ring that contains the key.

REST

  1. To delete a key, call the cryptoKey.delete method. This method returns a long-running operation that you can poll to confirm that the key has been deleted.

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
--request "DELETE" \
--header "authorization: Bearer TOKEN"

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • KEY_RING: the name of the key ring that contains the key.
    • KEY_NAME: the name of the key that you want to permanently delete. The key must not contain any key versions that haven't already been deleted, and it must not be a key that was created by Autokey.

    The output of the command returns an Operation. You need the name of the operation for the next step.

  2. To confirm that the key has been deleted, you can call the operations.get method:

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_NAME" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • OPERATION_NAME: the name of the operation that was returned by the previous method.

    When the output of this method shows that done is true, the operation has finished. If no error is indicated, then the key has been permanently deleted.

View names of retired resources

The names of keys that have been deleted can't be reused in the same Google Cloud project. This prevents two different keys from having the same resource identifier. Names for deleted keys are stored in retiredResources objects. You can query retiredResources to view names that can't be reused for new Cloud KMS resources.

To view a list of all retired resources, follow these steps:

gcloud

Run the following command:

gcloud kms retired-resources list \
    --location=LOCATION

Replace the following:

  • LOCATION: the location where you want to view retired resources.

REST

Use the retiredResources.list method:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/retiredResources/" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

Replace the following:

  • PROJECT_ID: the identifier of the project where you want to view retired resources.
  • LOCATION: the location where you want to view retired resources.

To view metadata for an individual retired resource, follow these steps:

gcloud

Run the following command:

gcloud kms retired-resources describe RETIRED_RESOURCE \
    --location=LOCATION

Replace the following:

  • RETIRED_RESOURCE: the name of the resource that you want to view.
  • LOCATION: the location where you want to view a retired resource.

REST

Use the retiredResources.get method:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/retiredResources/RETIRED_RESOURCE" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

Replace the following:

  • PROJECT_ID: the identifier of the project where you want to view a retired resource.
  • LOCATION: the location where you want to view a retired resource.
  • RETIRED_RESOURCE: the name of the resource that you want to view.

The output of this method includes the resourceType, the deleteTime, and the full resource identifier of the deleted resource.

What's next