删除 Cloud KMS 资源

本文档介绍如何永久删除 Cloud Key Management Service 密钥和密钥版本。此操作不可撤销。

在 Cloud KMS 中，销毁和删除是不同的操作：

销毁：永久停用密钥版本，包括在指定销毁期限过后不可逆地销毁底层密钥材料。处于 DESTROYED 状态的密钥版本无法用于加密操作，并且不再产生费用。您可以销毁用于加密数据的密钥版本，以销毁您希望永久无法恢复的数据。销毁的密钥版本仍包含在 Cloud KMS 资源列表中。
删除：从 Google Cloud 控制台、Google Cloud CLI、Cloud Key Management Service API 和客户端库的 Cloud KMS 资源列表中移除密钥或密钥版本。对于具有许多密钥或不再有效的密钥版本的项目，删除操作可简化搜索和列表操作。已删除的 CryptoKey 名称无法重复使用。您可以使用 retiredResources.list 方法查看无法重复使用的已删除 CryptoKey 名称的列表。

准备工作

如需获得删除和查看 Cloud KMS 资源所需的权限，请让您的管理员为您授予密钥的 Cloud KMS 管理员 (roles/cloudkms.admin) IAM 角色。如需详细了解如何授予角色，请参阅管理对项目、文件夹和组织的访问权限。

此预定义角色包含删除和查看 Cloud KMS 资源所需的权限。如需查看所需的确切权限，请展开所需权限部分：

所需权限

如需删除和查看 Cloud KMS 资源，您需要具备以下权限：

如需删除密钥版本，请执行以下操作： cloudkms.cryptoKeyVersions.delete
如需删除密钥，请执行以下操作： cloudkms.cryptoKeys.delete
如需查看已删除的资源，请执行以下操作：
- cloudkms.retiredResources.get
- cloudkms.retiredResources.list

您也可以使用自定义角色或其他预定义角色来获取这些权限。

删除密钥版本

如果密钥版本处于 DESTROYED、IMPORT_FAILED 或 GENERATION_FAILED 状态，您可以将其删除。如果密钥版本是导入的，则只有在导入失败时才能删除。

如需永久删除密钥版本，请按以下步骤操作：

控制台

在 Google Cloud 控制台中，前往密钥管理页面。

前往 Key Management
点击密钥环的名称，该密钥环包含您要删除的密钥和密钥版本。
点击包含要删除的密钥版本的密钥。
在版本表中，找到您要删除的密钥版本，然后点击 更多操作。
在更多操作菜单中，点击删除。
在确认提示中输入密钥名称，然后点击删除。

gcloud

如需删除密钥版本，请运行以下命令：

gcloud kms keys versions delete KEY_VERSION \
    --location=LOCATION \
    --keyring=KEY_RING \
    --key=KEY_NAME

替换以下内容：

KEY_VERSION：您要永久删除的密钥版本的编号。指定的密钥版本必须处于 DESTROYED、IMPORT_FAILED 或 GENERATION_FAILED 状态。
LOCATION：密钥环的 Cloud KMS 位置。
KEY_RING：包含密钥的密钥环的名称。
KEY_NAME：包含您要永久删除的密钥版本的密钥的名称。

Go

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// deleteCryptoKeyVersion deletes a crypto key version. This action is permanent and cannot be undone. Once the key version is deleted, it will no longer exist.
func deleteCryptoKeyVersion(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/1"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.DeleteCryptoKeyVersionRequest{
		Name: name,
	}

	// Call the API.
	// Warning: This operation is permanent and cannot be undone.
	op, err := client.DeleteCryptoKeyVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to delete crypto key version: %w", err)
	}

	// Wait for the operation to complete.
	if err := op.Wait(ctx); err != nil {
		return fmt.Errorf("failed to wait for delete crypto key version operation: %w", err)
	}

	fmt.Fprintf(w, "Deleted crypto key version: %s\n", req.Name)
	return nil
}

Java

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import com.google.cloud.kms.v1.CryptoKeyVersionName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import java.io.IOException;

public class DeleteKeyVersion {

  public void deleteKeyVersion() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String keyVersionId = "123";
    deleteKeyVersion(projectId, locationId, keyRingId, keyId, keyVersionId);
  }

  // deleteKeyVersion deletes a key version. This action is permanent and cannot be undone. Once the
  // key version is deleted, it will no longer exist.
  public void deleteKeyVersion(
      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key version name from the project, location, key ring, key,
      // and key version.
      CryptoKeyVersionName keyVersionName =
          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

      // Delete the key version.
      // Warning: This operation is permanent and cannot be undone.
      // Wait for the operation to complete.
      client.deleteCryptoKeyVersionAsync(keyVersionName).get();
      System.out.printf("Deleted key version: %s%n", keyVersionName.toString());
    } catch (Exception e) {
      System.err.printf("Failed to delete key version: %s%n", e.getMessage());
    }
  }
}

Python

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

from google.cloud import kms


def delete_key_version(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str
) -> None:
    """
    Delete the given key version. This action is permanent and cannot be undone.
    Once the key version is deleted, it will no longer exist.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (str): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (str): ID of the key to use (e.g. 'my-key').
        version_id (str): ID of the key version to delete (e.g. '1').

    Returns:
        None

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, version_id
    )

    # Call the API.
    # Note: delete_crypto_key_version returns a long-running operation.
    # Warning: This operation is permanent and cannot be undone.
    operation = client.delete_crypto_key_version(request={"name": key_version_name})

    # Wait for the operation to complete.
    operation.result()

    print(f"Deleted key version: {key_version_name}")

API

如需删除密钥版本，请调用 cryptoKeyVersions.delete 方法。此方法会返回一个长时间运行的操作，您可以轮询该操作以确认密钥版本是否已删除。
```
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION" \
--request "DELETE" \
--header "authorization: Bearer TOKEN"
```
替换以下内容：
- PROJECT_ID：包含密钥环的项目的 ID。
- LOCATION：密钥环的 Cloud KMS 位置。
- KEY_RING：包含密钥的密钥环的名称。
- KEY_NAME：包含您要永久删除的密钥版本的密钥的名称。
- KEY_VERSION：您要永久删除的密钥版本的编号。指定的密钥版本必须处于 DESTROYED、IMPORT_FAILED 或 GENERATION_FAILED 状态。
该命令的输出会返回 Operation。您需要在下一步中使用相应操作的 name。
如需确认密钥版本已删除，您可以调用 operations.get 方法：
```
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_NAME" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"
```
替换以下内容：
- PROJECT_ID：包含密钥环的项目的 ID。
- LOCATION：密钥环的 Cloud KMS 位置。
- OPERATION_NAME：上一个方法返回的操作的名称。
当此方法的输出显示 done 为 true 时，表示操作已完成。如果未指明 error，则表示相应密钥版本已被永久删除。

删除密钥

如果密钥符合以下条件，您可以将其删除：

相应密钥不包含尚未删除的密钥版本。
密钥未安排自动密钥轮替。
密钥不是由 Cloud KMS Autokey 创建的。

如需永久删除密钥，请按以下步骤操作：

控制台

在 Google Cloud 控制台中，前往密钥管理页面。

前往 Key Management
点击包含要删除的密钥的密钥环的名称。
在以下任一位置删除密钥：
- 密钥列表页面：在“KEY_RING”密钥环的密钥表格中，找到要删除的密钥，点击 密钥操作，然后点击删除。
- 密钥详情页面：点击要删除的密钥的名称，打开其密钥详情页面。点击页面顶部的删除。
在确认提示中输入密钥名称，然后点击删除。

gcloud

如需删除密钥，请运行以下命令：

gcloud kms keys delete KEY_NAME \
    --location=LOCATION \
    --keyring=KEY_RING

替换以下内容：

KEY_NAME：您要永久删除的密钥的名称。密钥不得包含任何尚未删除的密钥版本，并且不得是由 Autokey 创建的密钥。
LOCATION：密钥环的 Cloud KMS 位置。
KEY_RING：包含密钥的密钥环的名称。

Go

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// deleteCryptoKey deletes a crypto key. This action is permanent and cannot be undone. Once the key is deleted, it will no longer exist.
func deleteCryptoKey(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.DeleteCryptoKeyRequest{
		Name: name,
	}

	// Call the API.
	// Warning: This operation is permanent and cannot be undone.
	op, err := client.DeleteCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to delete crypto key: %w", err)
	}

	// Wait for the operation to complete.
	if err := op.Wait(ctx); err != nil {
		return fmt.Errorf("failed to wait for delete crypto key operation: %w", err)
	}

	fmt.Fprintf(w, "Deleted crypto key: %s\n", req.Name)
	return nil
}

Java

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.DeleteCryptoKeyMetadata;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class DeleteKey {

  public void deleteKey() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    deleteKey(projectId, locationId, keyRingId, keyId);
  }

  // deleteKey deletes a crypto key. This action is permanent and cannot be undone. Once the key
  // is deleted, it will no longer exist.
  public void deleteKey(String projectId, String locationId, String keyRingId, String keyId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key name from the project, location, key ring, and key.
      CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

      // Delete the key.
      // Warning: This operation is permanent and cannot be undone.
      // Wait for the operation to complete.
      client.deleteCryptoKeyAsync(keyName).get();
      System.out.printf("Deleted key: %s%n", keyName.toString());
    } catch (Exception e) {
      System.err.printf("Failed to delete key: %s%n", e.getMessage());
    }
  }
}

Python

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

from google.cloud import kms


def delete_key(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> None:
    """
    Delete the given key. This action is permanent and cannot be undone. Once the
    key is deleted, it will no longer exist.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (str): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (str): ID of the key to use (e.g. 'my-key').

    Returns:
        None

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key name.
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    # Call the API.
    # Note: delete_crypto_key returns a long-running operation.
    # Warning: This operation is permanent and cannot be undone.
    operation = client.delete_crypto_key(request={"name": key_name})

    # Wait for the operation to complete.
    operation.result()

    print(f"Deleted key: {key_name}")

API

如需删除密钥，请调用 cryptoKey.delete 方法。此方法会返回一个长时间运行的操作，您可以轮询该操作以确认密钥是否已删除。
```
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
--request "DELETE" \
--header "authorization: Bearer TOKEN"
```
替换以下内容：
- PROJECT_ID：包含密钥环的项目的 ID。
- LOCATION：密钥环的 Cloud KMS 位置。
- KEY_RING：包含密钥的密钥环的名称。
- KEY_NAME：您要永久删除的密钥的名称。密钥不得包含任何尚未删除的密钥版本，并且不得是由 Autokey 创建的密钥。
该命令的输出会返回 Operation。您需要在下一步中使用相应操作的 name。
如需确认密钥是否已删除，您可以调用 operations.get 方法：
```
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_NAME" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"
```
替换以下内容：
- PROJECT_ID：包含密钥环的项目的 ID。
- LOCATION：密钥环的 Cloud KMS 位置。
- OPERATION_NAME：上一个方法返回的操作的名称。
当此方法的输出显示 done 为 true 时，操作已完成。如果未指明 error，则表示相应密钥已被永久删除。

查看已弃用资源的名称

已删除的键的名称无法在同一Google Cloud 项目中重复使用。这样可以防止两个不同的键具有相同的资源标识符。已删除密钥的名称存储在 retiredResources 对象中。您可以查询 retiredResources 以查看无法重复用于新 Cloud KMS 资源的名称。

如需查看所有已弃用的资源的列表，请按照以下步骤操作：

gcloud

运行以下命令：

gcloud kms retired-resources list \
    --location=LOCATION

替换以下内容：

LOCATION：您要查看已弃用资源的位置。

Go

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	kmspb "cloud.google.com/go/kms/apiv1/kmspb"
	"google.golang.org/api/iterator"
)

// listRetiredResources lists retired resources.
func listRetiredResources(w io.Writer, parent string) error {
	// parent := "projects/my-project/locations/us-east1"

	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.ListRetiredResourcesRequest{
		Parent: parent,
	}

	// Call the API.
	it := client.ListRetiredResources(ctx, req)

	// Iterate over the results.
	for {
		resp, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return fmt.Errorf("failed to list retired resources: %w", err)
		}

		fmt.Fprintf(w, "Retired resource: %s\n", resp.Name)
	}
	return nil
}

Java

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.LocationName;
import com.google.cloud.kms.v1.RetiredResource;
import java.io.IOException;

public class ListRetiredResources {

  public void listRetiredResources() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    listRetiredResources(projectId, locationId);
  }

  // List retired resources in a specific project and location.
  public void listRetiredResources(String projectId, String locationId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the location name from the project and location.
      LocationName locationName = LocationName.of(projectId, locationId);

      // List the retired resources.
      for (RetiredResource resource : client.listRetiredResources(locationName).iterateAll()) {
        System.out.printf("Retired resource: %s%n", resource.getName());
      }
    }
  }
}

Python

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

from typing import List

from google.cloud import kms


def list_retired_resources(project_id: str, location_id: str) -> List[kms.RetiredResource]:
    """
    List the retired resources in a location.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').

    Returns:
        list[kms.RetiredResource]: The list of retired resources.
    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent location name.
    parent = client.common_location_path(project_id, location_id)

    # Call the API.
    # The API paginates, but the Python client library handles that for us.
    resources_list = list(client.list_retired_resources(request={"parent": parent}))

    # Iterate over the resources and print them.
    for resource in resources_list:
        print(f"Retired resource: {resource.name}")

    return resources_list

API

使用 retiredResources.list 方法：

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/retiredResources/" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

替换以下内容：

PROJECT_ID：您要查看已弃用资源的项目的标识符。
LOCATION：您要查看已弃用资源的位置。

如需查看单个已退役资源的元数据，请按照以下步骤操作：

gcloud

运行以下命令：

gcloud kms retired-resources describe RETIRED_RESOURCE \
    --location=LOCATION

替换以下内容：

RETIRED_RESOURCE：您要查看的资源的名称。
LOCATION：您要查看已弃用的资源所在的位置。

Go

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	kmspb "cloud.google.com/go/kms/apiv1/kmspb"
)

// getRetiredResource gets a retired resource.
func getRetiredResource(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/retiredResources/my-retired-resource"

	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.GetRetiredResourceRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.GetRetiredResource(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get retired resource: %w", err)
	}

	fmt.Fprintf(w, "Got retired resource: %s\n", result.Name)
	return nil
}

Java

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.RetiredResource;
import com.google.cloud.kms.v1.RetiredResourceName;
import java.io.IOException;

public class GetRetiredResource {

  public void getRetiredResource() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String retiredResourceId = "my-retired-resource-id";
    getRetiredResource(projectId, locationId, retiredResourceId);
  }

  // Get the retired resource.
  public void getRetiredResource(
      String projectId, String locationId, String retiredResourceId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the retired resource name from the project, location, and retired resource id.
      RetiredResourceName name = RetiredResourceName.of(projectId, locationId, retiredResourceId);

      // Get the retired resource.
      RetiredResource response = client.getRetiredResource(name);
      System.out.printf("Retired resource: %s%n", response.getName());
    }
  }
}

Python

如需了解如何安装和使用 Cloud KMS 客户端库，请参阅 Cloud KMS 客户端库。

如需向 Cloud KMS 进行身份验证，请设置应用默认凭据。如需了解详情，请参阅为本地开发环境设置身份验证。

from google.cloud import kms


def get_retired_resource(
    project_id: str, location_id: str, retired_resource_id: str
) -> kms.RetiredResource:
    """
    Get the details of a retired resource.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').
        resource_id (str): ID of the retired resource to get.

    Returns:
        kms.RetiredResource: The requested retired resource.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the retired resource name.
    # Note: Retired resources are tied to a Location, not a KeyRing.
    # The name is like projects/{project}/locations/{location}/retiredResources/{id}
    name = client.retired_resource_path(project_id, location_id, retired_resource_id)

    # Call the API.
    response = client.get_retired_resource(request={"name": name})

    print(f"Got retired resource: {response.name}")
    return response

API

使用 retiredResources.get 方法：

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/retiredResources/RETIRED_RESOURCE" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

替换以下内容：

PROJECT_ID：您要查看已停用的资源的项目的标识符。
LOCATION：您要查看已弃用的资源所在的位置。
RETIRED_RESOURCE：您要查看的资源的名称。

该方法的输出包括 resourceType、deleteTime 和已删除资源的完整资源标识符。

后续步骤

详细了解如何销毁和恢复密钥版本。

删除 Cloud KMS 资源 使用集合让一切井井有条 根据您的偏好保存内容并对其进行分类。

准备工作

所需权限

删除密钥版本

控制台

gcloud

Go

Java

Python

API

删除密钥

控制台

gcloud

Go

Java

Python

API

查看已弃用资源的名称

gcloud

Go

Java

Python

API

gcloud

Go

Java

Python

API

后续步骤

删除 Cloud KMS 资源