Wipe out KMS keys

The Platform Administrator (PA) can delete Key Management System (KMS) keys in the org admin cluster.

The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.

Before you begin

Before continuing, ensure you do the following:

  • Configure kubectl to access the org admin cluster. Follow the steps in Get a kubeconfig file, which uses the gdcloud command-line interface (CLI).

  • Get the KMS Admin role so that you can delete KMS keys: ask your Organization IAM Admin to grant you the KMS Admin (kms-admin) role in your project namespace.

Delete all keys

Deleting a key is irreversible. Data encrypted with a deleted AEAD key can no longer be decrypted, so confirm that nothing still depends on the keys, and list the keys in the namespace first so that you can see exactly what --all will remove.

To delete all keys of one primitive in a project namespace, use the following command. The --all flag deletes every object of that kind in the namespace; run the command once for each key primitive you want to remove:

  kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
    delete KEY_PRIMITIVE --namespace=PROJECT --all

Replace the following variables:

  • ORG_ADMIN_KUBECONFIG: the kubeconfig file of the org admin cluster.
  • KEY_PRIMITIVE: the kind of key you want to delete. For example: aeadkey for the AEAD key.
  • PROJECT: the name of the project namespace. For example: kms-test1.
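The following script is an added example and is not part of the Google Distributed Cloud documentation. It wraps the delete command above in the checks a practitioner would want before an irreversible --all deletion: it refuses unknown key primitives, lists the objects that will go, runs a server-side dry run so that a wrong namespace or resource kind fails before anything is removed, performs the deletion, and then verifies that the namespace is empty. It assumes kubectl is installed and that the first argument is the org admin cluster kubeconfig; the function names are the example's own, and only the aeadkey resource name comes from the page.

```shell
#!/bin/sh
# Added example, not from the Google Distributed Cloud documentation: a guarded
# wrapper around `kubectl delete KEY_PRIMITIVE --namespace=PROJECT --all`.
# Assumes kubectl is on PATH and $1 is the org admin cluster kubeconfig.

# Only `aeadkey` is named on the page; add further primitives here only after
# confirming their resource names with `kubectl api-resources`.
is_known_primitive() {
  case "$1" in
    aeadkey) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the name of every key object of one primitive in a namespace.
list_keys() {
  kubectl --kubeconfig "$1" get "$2" --namespace="$3" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Count those key objects (prints 0 when there are none).
count_keys() {
  list_keys "$1" "$2" "$3" | awk 'NF { n++ } END { print n + 0 }'
}

# wipe_kms_keys KUBECONFIG KEY_PRIMITIVE PROJECT
# Exit status: 0 on success or nothing to do, 1 if objects remain, 2 on bad args.
wipe_kms_keys() {
  kubeconfig=$1
  primitive=$2
  project=$3

  if ! is_known_primitive "$primitive"; then
    echo "refusing to delete unknown key primitive: $primitive" >&2
    return 2
  fi

  before=$(count_keys "$kubeconfig" "$primitive" "$project")
  if [ "$before" -eq 0 ]; then
    echo "no $primitive objects in namespace $project; nothing to delete"
    return 0
  fi

  echo "deleting $before $primitive object(s) in namespace $project:"
  list_keys "$kubeconfig" "$primitive" "$project" | sed 's/^/  /'

  # Server-side dry run: the API server validates the request (RBAC, namespace,
  # resource kind) without removing anything, so a typo fails here, not later.
  kubectl --kubeconfig "$kubeconfig" delete "$primitive" \
    --namespace="$project" --all --dry-run=server >/dev/null

  # The real, irreversible deletion.
  kubectl --kubeconfig "$kubeconfig" delete "$primitive" \
    --namespace="$project" --all

  after=$(count_keys "$kubeconfig" "$primitive" "$project")
  if [ "$after" -ne 0 ]; then
    echo "warning: $after $primitive object(s) still present in $project" >&2
    return 1
  fi
  echo "deleted $before $primitive object(s) from namespace $project"
}

# Usage: wipe_kms_keys "$ORG_ADMIN_KUBECONFIG" aeadkey kms-test1
```

The dry run is the step that earns its place: kubectl delete with --dry-run=server sends the request to the API server, which checks the kubeconfig, the RBAC grant for the KMS Admin role, the namespace and the resource kind, and reports any problem without deleting anything. Keep the primitive allowlist in is_known_primitive limited to kinds you have confirmed on your cluster.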