The Platform Administrator (PA) can delete Key Management System (KMS) keys in the org admin cluster.
The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.
Before you begin
Before continuing, ensure you do the following:
Configure
kubectl
to access the org admin cluster. Follow the steps in Get a kubeconfig file to use thegdcloud
command-line interface (CLI).Get the KMS Admin role to delete KMS keys. Ask your Organization IAM Admin to grant you the KMS Admin (
kms-admin
) role in your project namespace.
Delete all keys
To delete all keys in a project namespace, use the following command:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
delete KEY_PRIMITIVE --namespace=PROJECT --all
Replace the following variables:
- ORG_ADMIN_KUBECONFIG: the
kubeconfig
file of the org admin cluster. - KEY_PRIMITIVE: the keys you want to delete. For
example:
aeadkey
for theAEAD
key. - PROJECT with the name of the project. For
example:
kms-test1
.