Delete Cloud KMS resources

This page shows how to permanently delete Cloud Key Management Service keys and key versions. This operation cannot be undone.

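In Cloud KMS, destruction and deletion are different operations:

  • Destruction: Permanently disables a key version, including irreversibly deleting the underlying key material after the scheduled destruction period has passed. Key versions in the DESTROYED state can't be used for cryptographic operations and no longer incur charges. You can destroy the key versions that were used to encrypt data in order to crypto-shred data that you want to make permanently unrecoverable. Destroyed key versions are still listed in Cloud KMS resource lists.

  • Deletion: Removes a key or key version from the Cloud KMS resource lists in the Google Cloud console, the Google Cloud CLI, the Cloud Key Management Service API, and the client libraries. If a project contains many keys or key versions that are no longer in use, deleting them can simplify search and list operations. The name of a deleted CryptoKey can't be reused. You can use the retiredResources.list method to view the list of deleted CryptoKey names that can't be reused.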

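Before you begin

To get the permissions that you need to delete and view Cloud KMS resources, ask your administrator to grant you the Cloud KMS Admin (roles/cloudkms.admin) IAM role on the key. For more information about granting roles, see "Manage access to projects, folders, and organizations".

This predefined role contains the permissions required to delete and view Cloud KMS resources. To see the exact permissions that are required, expand the "Required permissions" section:

Required permissions

The following permissions are required to delete and view Cloud KMS resources:

  • To delete a key version: cloudkms.cryptoKeyVersions.delete
  • To delete a key: cloudkms.cryptoKeys.delete
  • To view deleted resources:
    • cloudkms.retiredResources.get
    • cloudkms.retiredResources.list

You might also be able to get these permissions with custom roles or other predefined roles.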

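Delete a key version

A key version can be deleted if it is in the DESTROYED, IMPORT_FAILED, or GENERATION_FAILED state. If the key version was imported, it can be deleted only if the import failed.

To permanently delete a key version, follow these steps:

Console

  1. In the Google Cloud console, go to the "Key Management" page.

    Go to Key Management

  2. Click the name of the key ring that contains the key and key version that you want to delete.

  3. Click the key that contains the key version that you want to delete.

  4. In the "Versions" table, find the key version that you want to delete, and then click "More actions".

  5. In the "More actions" menu, click "Delete".

  6. In the confirmation prompt, enter the key name, and then click "Delete".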

gcloud

To delete a key version, run the following command:

gcloud kms keys versions delete KEY_VERSION \
    --location=LOCATION \
    --keyring=KEY_RING \
    --key=KEY_NAME

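Replace the following:

  • KEY_VERSION: the number of the key version to permanently delete. The specified key version must be in the DESTROYED, IMPORT_FAILED, or GENERATION_FAILED state.
  • LOCATION: the Cloud KMS location of the key ring.
  • KEY_RING: the name of the key ring that contains the key.
  • KEY_NAME: the name of the key that contains the key version to permanently delete.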

Go

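To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".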

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// deleteCryptoKeyVersion deletes a crypto key version. This action is permanent and cannot be undone. Once the key version is deleted, it will no longer exist.
func deleteCryptoKeyVersion(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/1"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.DeleteCryptoKeyVersionRequest{
		Name: name,
	}

	// Call the API.
	// Warning: This operation is permanent and cannot be undone.
	op, err := client.DeleteCryptoKeyVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to delete crypto key version: %w", err)
	}

	// Wait for the operation to complete.
	if err := op.Wait(ctx); err != nil {
		return fmt.Errorf("failed to wait for delete crypto key version operation: %w", err)
	}

	fmt.Fprintf(w, "Deleted crypto key version: %s\n", req.Name)
	return nil
}

Java

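To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".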

import com.google.cloud.kms.v1.CryptoKeyVersionName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import java.io.IOException;

public class DeleteKeyVersion {

  public void deleteKeyVersion() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String keyVersionId = "123";
    deleteKeyVersion(projectId, locationId, keyRingId, keyId, keyVersionId);
  }

  // deleteKeyVersion deletes a key version. This action is permanent and cannot be undone. Once the
  // key version is deleted, it will no longer exist.
  public void deleteKeyVersion(
      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key version name from the project, location, key ring, key,
      // and key version.
      CryptoKeyVersionName keyVersionName =
          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

      // Delete the key version.
      // Warning: This operation is permanent and cannot be undone.
      // Wait for the operation to complete.
      client.deleteCryptoKeyVersionAsync(keyVersionName).get();
      System.out.printf("Deleted key version: %s%n", keyVersionName.toString());
    } catch (Exception e) {
      System.err.printf("Failed to delete key version: %s%n", e.getMessage());
    }
  }
}

Python

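To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".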

from google.cloud import kms


def delete_key_version(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str
) -> None:
    """
    Delete the given key version. This action is permanent and cannot be undone.
    Once the key version is deleted, it will no longer exist.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (str): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (str): ID of the key to use (e.g. 'my-key').
        version_id (str): ID of the key version to delete (e.g. '1').

    Returns:
        None

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, version_id
    )

    # Call the API.
    # Note: delete_crypto_key_version returns a long-running operation.
    # Warning: This operation is permanent and cannot be undone.
    operation = client.delete_crypto_key_version(request={"name": key_version_name})

    # Wait for the operation to complete.
    operation.result()

    print(f"Deleted key version: {key_version_name}")

API

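  1. To delete a key version, call the cryptoKeyVersions.delete method. This method returns a long-running operation that you can poll to confirm whether the key version has been deleted.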

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION" \
    --request "DELETE" \
    --header "authorization: Bearer TOKEN"
    

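    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • KEY_RING: the name of the key ring that contains the key.
    • KEY_NAME: the name of the key that contains the key version to permanently delete.
    • KEY_VERSION: the number of the key version to permanently delete. The specified key version must be in the DESTROYED, IMPORT_FAILED, or GENERATION_FAILED state.

    The command output returns an Operation. You need the name of this operation for the next step.

  2. To confirm that the key version has been deleted, you can call the operations.get method: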

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_NAME" \
        --request "GET" \
        --header "authorization: Bearer TOKEN"
    

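    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • OPERATION_NAME: the name of the operation returned by the previous method.

    If the output of this method shows done set to true, the operation has finished. If no error is shown, the key version has been permanently deleted.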

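Delete a key

To delete a key, the following conditions must be met:

  • The key contains no key versions that have not been deleted.
  • The key is not scheduled for automatic rotation.
  • The key was not created by Cloud KMS Autokey.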
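
A preflight check for these conditions and for the deletable version states listed earlier, as an added example that is not part of the original page or of Google's samples: it takes one constructed inventory record per key and returns which versions can be deleted, whether the key can follow, and what blocks it. The KeyRecord fields (versions, rotation_scheduled, autokey_created) are assumptions about how you collect that metadata, not Cloud KMS API fields.

```python
from dataclasses import dataclass, field

# Version states in which this page says a key version can be deleted.
DELETABLE_STATES = frozenset({"DESTROYED", "IMPORT_FAILED", "GENERATION_FAILED"})


@dataclass
class KeyRecord:
    """One key from a constructed inventory (field names are assumptions)."""
    name: str                      # full CryptoKey resource name
    versions: dict                 # version number (int) -> state, undeleted versions only
    rotation_scheduled: bool = False
    autokey_created: bool = False


@dataclass
class DeletionPlan:
    versions_to_delete: list = field(default_factory=list)
    key_deletable: bool = False
    blockers: list = field(default_factory=list)


def plan_key_deletion(key: KeyRecord) -> DeletionPlan:
    """Apply the page's preconditions and return an ordered, reviewable plan."""
    plan = DeletionPlan()
    for number in sorted(key.versions):
        state = key.versions[number]
        if state in DELETABLE_STATES:
            plan.versions_to_delete.append(f"{key.name}/cryptoKeyVersions/{number}")
        else:
            # Not in a deletable state, so it also blocks deleting the key.
            plan.blockers.append(f"version {number} is in state {state}")
    if key.rotation_scheduled:
        plan.blockers.append("automatic rotation is scheduled")
    if key.autokey_created:
        plan.blockers.append("key was created by Cloud KMS Autokey")
    # The key may be deleted only after the listed versions are deleted
    # and only when nothing above blocks it.
    plan.key_deletable = not plan.blockers
    return plan


# Constructed sample inventory (not real resources).
PREFIX = "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/"
INVENTORY = [
    KeyRecord(PREFIX + "retired-key", {1: "DESTROYED", 2: "IMPORT_FAILED", 10: "DESTROYED"}),
    KeyRecord(PREFIX + "live-key", {1: "DESTROYED", 2: "ENABLED"}, rotation_scheduled=True),
    KeyRecord(PREFIX + "autokey-key", {}, autokey_created=True),
]

if __name__ == "__main__":
    for record in INVENTORY:
        plan = plan_key_deletion(record)
        print(record.name)
        for version in plan.versions_to_delete:
            print("  delete version:", version)
        print("  delete key:", "yes" if plan.key_deletable else "no")
        for blocker in plan.blockers:
            print("  blocker:", blocker)
```

Because deletion cannot be undone, a plan like this can be reviewed before any delete call is issued.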

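To permanently delete a key, follow these steps:

Console

  1. In the Google Cloud console, go to the "Key Management" page.

    Go to Key Management

  2. Click the name of the key ring that contains the key that you want to delete.

  3. Delete the key from either of the following locations:

    • Key list page: In the "Keys for 'KEY_RING' key ring" table, find the key that you want to delete, click "Key actions", and then click "Delete".
    • Key details page: Click the name of the key that you want to delete to open the "Key details" page. At the top of the page, click "Delete".
  4. In the confirmation prompt, enter the key name, and then click "Delete".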

gcloud

To delete a key, run the following command:

gcloud kms keys delete KEY_NAME \
    --location=LOCATION \
    --keyring=KEY_RING

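Replace the following:

  • KEY_NAME: the name of the key to permanently delete. The key must not contain any key versions that have not been deleted, and must not be a key created by Autokey.
  • LOCATION: the Cloud KMS location of the key ring.
  • KEY_RING: the name of the key ring that contains the key.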

Go

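To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".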

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// deleteCryptoKey deletes a crypto key. This action is permanent and cannot be undone. Once the key is deleted, it will no longer exist.
func deleteCryptoKey(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.DeleteCryptoKeyRequest{
		Name: name,
	}

	// Call the API.
	// Warning: This operation is permanent and cannot be undone.
	op, err := client.DeleteCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to delete crypto key: %w", err)
	}

	// Wait for the operation to complete.
	if err := op.Wait(ctx); err != nil {
		return fmt.Errorf("failed to wait for delete crypto key operation: %w", err)
	}

	fmt.Fprintf(w, "Deleted crypto key: %s\n", req.Name)
	return nil
}

Java

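To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".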

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.DeleteCryptoKeyMetadata;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class DeleteKey {

  public void deleteKey() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    deleteKey(projectId, locationId, keyRingId, keyId);
  }

  // deleteKey deletes a crypto key. This action is permanent and cannot be undone. Once the key
  // is deleted, it will no longer exist.
  public void deleteKey(String projectId, String locationId, String keyRingId, String keyId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key name from the project, location, key ring, and key.
      CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

      // Delete the key.
      // Warning: This operation is permanent and cannot be undone.
      // Wait for the operation to complete.
      client.deleteCryptoKeyAsync(keyName).get();
      System.out.printf("Deleted key: %s%n", keyName.toString());
    } catch (Exception e) {
      System.err.printf("Failed to delete key: %s%n", e.getMessage());
    }
  }
}

Python

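To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".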

from google.cloud import kms


def delete_key(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> None:
    """
    Delete the given key. This action is permanent and cannot be undone. Once the
    key is deleted, it will no longer exist.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (str): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (str): ID of the key to use (e.g. 'my-key').

    Returns:
        None

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key name.
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    # Call the API.
    # Note: delete_crypto_key returns a long-running operation.
    # Warning: This operation is permanent and cannot be undone.
    operation = client.delete_crypto_key(request={"name": key_name})

    # Wait for the operation to complete.
    operation.result()

    print(f"Deleted key: {key_name}")

API

  1. To delete a key, call the cryptoKey.delete method. This method returns a long-running operation that you can poll to confirm whether the key has been deleted.

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
    --request "DELETE" \
    --header "authorization: Bearer TOKEN"
    

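    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • KEY_RING: the name of the key ring that contains the key.
    • KEY_NAME: the name of the key to permanently delete. The key must not contain any key versions that have not been deleted, and must not be a key created by Autokey.

    The command output returns an Operation. You need the name of this operation for the next step.

  2. To confirm that the key has been deleted, you can call the operations.get method: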

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_NAME" \
        --request "GET" \
        --header "authorization: Bearer TOKEN"
    

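    Replace the following:

    • PROJECT_ID: the ID of the project that contains the key ring.
    • LOCATION: the Cloud KMS location of the key ring.
    • OPERATION_NAME: the name of the operation returned by the previous method.

    If the output of this method shows done set to true, the operation has finished. If no error is shown, the key has been permanently deleted.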

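View the names of retired resources

The names of deleted keys can't be reused in the same Google Cloud project. This prevents two different keys from having the same resource ID. The names of deleted keys are stored in retiredResources objects. You can query retiredResources to see the names that can't be used for new Cloud KMS resources.

To view a list of all retired resources, follow these steps: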

gcloud

Run the following command:

gcloud kms retired-resources list \
    --location=LOCATION

Replace the following:

  • LOCATION: the location for which you want to view retired resources.

Go

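To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".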

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	kmspb "cloud.google.com/go/kms/apiv1/kmspb"
	"google.golang.org/api/iterator"
)

// listRetiredResources lists retired resources.
func listRetiredResources(w io.Writer, parent string) error {
	// parent := "projects/my-project/locations/us-east1"

	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.ListRetiredResourcesRequest{
		Parent: parent,
	}

	// Call the API.
	it := client.ListRetiredResources(ctx, req)

	// Iterate over the results.
	for {
		resp, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return fmt.Errorf("failed to list retired resources: %w", err)
		}

		fmt.Fprintf(w, "Retired resource: %s\n", resp.Name)
	}
	return nil
}

Java

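To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".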

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.LocationName;
import com.google.cloud.kms.v1.RetiredResource;
import java.io.IOException;

public class ListRetiredResources {

  public void listRetiredResources() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    listRetiredResources(projectId, locationId);
  }

  // List retired resources in a specific project and location.
  public void listRetiredResources(String projectId, String locationId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the location name from the project and location.
      LocationName locationName = LocationName.of(projectId, locationId);

      // List the retired resources.
      for (RetiredResource resource : client.listRetiredResources(locationName).iterateAll()) {
        System.out.printf("Retired resource: %s%n", resource.getName());
      }
    }
  }
}

Python

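To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".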

from typing import List

from google.cloud import kms


def list_retired_resources(project_id: str, location_id: str) -> List[kms.RetiredResource]:
    """
    List the retired resources in a location.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').

    Returns:
        list[kms.RetiredResource]: The list of retired resources.
    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent location name.
    parent = client.common_location_path(project_id, location_id)

    # Call the API.
    # The API paginates, but the Python client library handles that for us.
    resources_list = list(client.list_retired_resources(request={"parent": parent}))

    # Iterate over the resources and print them.
    for resource in resources_list:
        print(f"Retired resource: {resource.name}")

    return resources_list

API

Use the retiredResources.list method:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/retiredResources/" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

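Replace the following:

  • PROJECT_ID: the ID of the project for which you want to view retired resources.
  • LOCATION: the location for which you want to view retired resources.

To view the metadata for an individual retired resource, follow these steps: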

gcloud

Run the following command:

gcloud kms retired-resources describe RETIRED_RESOURCE \
    --location=LOCATION

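Replace the following:

  • RETIRED_RESOURCE: the name of the resource that you want to view.
  • LOCATION: the location for which you want to view retired resources.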

Go

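To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".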

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	kmspb "cloud.google.com/go/kms/apiv1/kmspb"
)

// getRetiredResource gets a retired resource.
func getRetiredResource(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/retiredResources/my-retired-resource"

	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.GetRetiredResourceRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.GetRetiredResource(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get retired resource: %w", err)
	}

	fmt.Fprintf(w, "Got retired resource: %s\n", result.Name)
	return nil
}

Java

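To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".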

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.RetiredResource;
import com.google.cloud.kms.v1.RetiredResourceName;
import java.io.IOException;

public class GetRetiredResource {

  public void getRetiredResource() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String retiredResourceId = "my-retired-resource-id";
    getRetiredResource(projectId, locationId, retiredResourceId);
  }

  // Get the retired resource.
  public void getRetiredResource(
      String projectId, String locationId, String retiredResourceId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the retired resource name from the project, location, and retired resource id.
      RetiredResourceName name = RetiredResourceName.of(projectId, locationId, retiredResourceId);

      // Get the retired resource.
      RetiredResource response = client.getRetiredResource(name);
      System.out.printf("Retired resource: %s%n", response.getName());
    }
  }
}

Python

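To learn how to install and use the client library for Cloud KMS, see "Cloud KMS client libraries".

To authenticate to Cloud KMS, set up Application Default Credentials. For more information, see "Set up authentication for a local development environment".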

from google.cloud import kms


def get_retired_resource(
    project_id: str, location_id: str, retired_resource_id: str
) -> kms.RetiredResource:
    """
    Get the details of a retired resource.

    Args:
        project_id (str): Google Cloud project ID (e.g. 'my-project').
        location_id (str): Cloud KMS location (e.g. 'us-east1').
        retired_resource_id (str): ID of the retired resource to get.

    Returns:
        kms.RetiredResource: The requested retired resource.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the retired resource name.
    # Note: Retired resources are tied to a Location, not a KeyRing.
    # The name is like projects/{project}/locations/{location}/retiredResources/{id}
    name = client.retired_resource_path(project_id, location_id, retired_resource_id)

    # Call the API.
    response = client.get_retired_resource(request={"name": name})

    print(f"Got retired resource: {response.name}")
    return response

API

Use the retiredResources.get method:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/retiredResources/RETIRED_RESOURCE" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

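Replace the following:

  • PROJECT_ID: the ID of the project for which you want to view retired resources.
  • LOCATION: the location for which you want to view retired resources.
  • RETIRED_RESOURCE: the name of the resource that you want to view.

The output of this method includes resourceType, deleteTime, and the full resource ID of the deleted resource.

What's next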