The Platform Administrator (PA) can delete Key Management System (KMS) keys in the Management API server.
The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.
Before you begin
Before continuing, ensure you do the following:
- Configure kubectl to access the Management API server. Follow the steps in Get a kubeconfig file to use the gdcloud command-line interface (CLI).
- Get the KMS Admin role to delete KMS keys. Ask your Organization IAM Admin to grant you the KMS Admin (kms-admin) role in your project namespace.
Delete all keys
To delete all keys in a project namespace, use the following command:
kubectl --kubeconfig MANAGEMENT_API_SERVER \
delete KEY_PRIMITIVE --namespace=PROJECT --all
Replace the following variables:
- MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server. Sign in and generate the kubeconfig file if you don't have one.
- KEY_PRIMITIVE: the keys you want to delete. For example: aeadkey for the AEAD key.
- PROJECT: the name of the project. For example: kms-test1.
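A guarded way to run the command above, as an added example that is not part of the original documentation: it lists the keys that --all would match and deletes them only when their number equals a count the operator supplies. The function names and the EXPECTED_COUNT argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: guard around "kubectl delete KEY_PRIMITIVE --all".
# list_kms_keys, delete_all_kms_keys and EXPECTED_COUNT are names made up
# for this example; the kubectl invocations follow the command above.

# list_kms_keys KUBECONFIG KEY_PRIMITIVE PROJECT
# Prints one resource name per line for every key that --all would match.
list_kms_keys() {
  kubectl --kubeconfig "$1" get "$2" --namespace="$3" -o name
}

# delete_all_kms_keys KUBECONFIG KEY_PRIMITIVE PROJECT EXPECTED_COUNT
# Return codes: 0 deleted, 1 listing failed, 2 bad arguments,
# 3 key count did not match EXPECTED_COUNT (nothing deleted).
delete_all_kms_keys() {
  local keys count
  if [ "$#" -ne 4 ]; then
    echo "usage: delete_all_kms_keys KUBECONFIG KEY_PRIMITIVE PROJECT EXPECTED_COUNT" >&2
    return 2
  fi
  # Reject a non-numeric count so a typo can never pass the comparison.
  case $4 in
    ''|*[!0-9]*) echo "EXPECTED_COUNT must be a non-negative integer" >&2; return 2 ;;
  esac

  keys=$(list_kms_keys "$1" "$2" "$3") || return 1
  # grep -c . counts non-empty lines; it exits 1 on zero matches, hence || true.
  count=$(printf '%s\n' "$keys" | grep -c .) || true

  echo "Keys of type $2 in namespace $3 ($count):" >&2
  printf '%s\n' "$keys" >&2

  # Delete only when the namespace holds exactly the number of keys expected.
  if ! [ "$count" -eq "$4" ]; then
    echo "refusing to delete: found $count keys, expected $4" >&2
    return 3
  fi
  kubectl --kubeconfig "$1" delete "$2" --namespace="$3" --all
}
```

Source the file, then call it with the same values as the command above plus the number of keys you expect to remove, for example: delete_all_kms_keys MANAGEMENT_API_SERVER aeadkey kms-test1 2.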