English
Deutsch
Español – América Latina
Français
Português – Brasil
中文 – 简体
日本語
한국어

Console

Contact Us Start free

Wipe out KMS keys
Stay organized with collections Save and categorize content based on your preferences.

The Platform Administrator (PA) can delete Key Management System (KMS) keys in the Management API server.

The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.

Before you begin

Before continuing, ensure you do the following:

Configure kubectl to access the Management API server. Follow the steps in Get a kubeconfig file to use the gdcloud command-line interface (CLI).
Get the KMS Admin role to delete KMS keys. Ask your Organization IAM Admin to grant you the KMS Admin (kms-admin) role in your project namespace.

Delete all keys

To delete all keys in a project namespace, use the following command:

  kubectl --kubeconfig MANAGEMENT_API_SERVER \
    delete KEY_PRIMITIVE --namespace=PROJECT --all

Replace the following variables:

MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server. Sign in and generate the kubeconfig file if you don't have one.
KEY_PRIMITIVE: the keys you want to delete. For example: aeadkey for the AEAD key.
PROJECT with the name of the project. For example: kms-test1.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-03-21 UTC.