feat: Added DeleteCryptoKey and DeleteCryptoKeyVersion RPCs to permanently remove resources

Google APIs · copybara-github · commit f248ed087ef9 · 2026-02-11T07:34:51.000-08:00
feat: Introduced the RetiredResource resource to track records of deleted keys and prevent the reuse of their resource names
feat: Added ListRetiredResources and GetRetiredResource RPCs to manage and view these records

PiperOrigin-RevId: 868670725
diff --git a/google/cloud/kms/v1/cloudkms_grpc_service_config.json b/google/cloud/kms/v1/cloudkms_grpc_service_config.json
@@ -39,6 +39,10 @@
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "ListCryptoKeyVersions"
         },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "ListRetiredResources"
+        },
         {
           "service": "google.cloud.kms.v1.EkmService",
           "method": "GetEkmConnection"
@@ -59,6 +63,10 @@
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "GetCryptoKeyVersion"
         },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "GetRetiredResource"
+        },
         {
           "service": "google.cloud.kms.v1.EkmService",
           "method": "CreateEkmConnection"
@@ -107,6 +115,14 @@
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "RestoreCryptoKeyVersion"
         },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "DeleteCryptoKey"
+        },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "DeleteCryptoKeyVersion"
+        },
         {
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "GetPublicKey"
diff --git a/google/cloud/kms/v1/resources.proto b/google/cloud/kms/v1/resources.proto
@@ -1040,6 +1040,40 @@ message KeyAccessJustificationsPolicy {
   repeated AccessReason allowed_access_reasons = 1;
 }
 
+// A RetiredResource resource represents the record of a deleted
+// [CryptoKey][google.cloud.kms.v1.CryptoKey]. Its purpose is to provide
+// visibility into retained user data and to prevent reuse of these names for
+// new [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+message RetiredResource {
+  option (google.api.resource) = {
+    type: "cloudkms.googleapis.com/RetiredResource"
+    pattern: "projects/{project}/locations/{location}/retiredResources/{retired_resource}"
+    plural: "retiredResources"
+    singular: "retiredResource"
+  };
+
+  // Output only. Identifier. The resource name for this
+  // [RetiredResource][google.cloud.kms.v1.RetiredResource] in the format
+  // `projects/*/locations/*/retiredResources/*`.
+  string name = 1 [
+    (google.api.field_behavior) = OUTPUT_ONLY,
+    (google.api.field_behavior) = IDENTIFIER
+  ];
+
+  // Output only. The full resource name of the original
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey] that was deleted in the format
+  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+  string original_resource = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The resource type of the original deleted resource.
+  string resource_type = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The time at which the original resource was deleted and this
+  // RetiredResource record was created.
+  google.protobuf.Timestamp delete_time = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
 // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how
 // cryptographic operations are performed. For more information, see [Protection
 // levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
diff --git a/google/cloud/kms/v1/service.proto b/google/cloud/kms/v1/service.proto
@@ -21,6 +21,8 @@ import "google/api/client.proto";
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/kms/v1/resources.proto";
+import "google/longrunning/operations.proto";
+import "google/protobuf/empty.proto";
 import "google/protobuf/field_mask.proto";
 import "google/protobuf/wrappers.proto";
 
@@ -82,6 +84,17 @@ service KeyManagementService {
     option (google.api.method_signature) = "parent";
   }
 
+  // Lists the [RetiredResources][google.cloud.kms.v1.RetiredResource] which are
+  // the records of deleted [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+  // RetiredResources prevent the reuse of these resource names after deletion.
+  rpc ListRetiredResources(ListRetiredResourcesRequest)
+      returns (ListRetiredResourcesResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*}/retiredResources"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
   // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
   rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
     option (google.api.http) = {
@@ -131,6 +144,16 @@ service KeyManagementService {
     option (google.api.method_signature) = "name";
   }
 
+  // Retrieves a specific [RetiredResource][google.cloud.kms.v1.RetiredResource]
+  // resource, which represents the record of a deleted
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  rpc GetRetiredResource(GetRetiredResourceRequest) returns (RetiredResource) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/retiredResources/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
   // Location.
   rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
@@ -170,6 +193,47 @@ service KeyManagementService {
     option (google.api.method_signature) = "parent,crypto_key_version";
   }
 
+  // Permanently deletes the given [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  // All child [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] must
+  // have been previously deleted using
+  // [KeyManagementService.DeleteCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DeleteCryptoKeyVersion].
+  // The specified crypto key will be immediately and permanently deleted upon
+  // calling this method. This action cannot be undone.
+  rpc DeleteCryptoKey(DeleteCryptoKeyRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      delete: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
+    };
+    option (google.api.method_signature) = "name";
+    option (google.longrunning.operation_info) = {
+      response_type: "google.protobuf.Empty"
+      metadata_type: "DeleteCryptoKeyMetadata"
+    };
+  }
+
+  // Permanently deletes the given
+  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only possible if
+  // the version has not been previously imported and if its
+  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is one of
+  // [DESTROYED][CryptoKeyVersionState.DESTROYED],
+  // [IMPORT_FAILED][CryptoKeyVersionState.IMPORT_FAILED], or
+  // [GENERATION_FAILED][CryptoKeyVersionState.GENERATION_FAILED].
+  // Successfully imported
+  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] cannot be deleted
+  // at this time. The specified version will be immediately and permanently
+  // deleted upon calling this method. This action cannot be undone.
+  rpc DeleteCryptoKeyVersion(DeleteCryptoKeyVersionRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      delete: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
+    };
+    option (google.api.method_signature) = "name";
+    option (google.longrunning.operation_info) = {
+      response_type: "google.protobuf.Empty"
+      metadata_type: "DeleteCryptoKeyVersionMetadata"
+    };
+  }
+
   // Import wrapped key material into a
   // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
   //
@@ -575,6 +639,34 @@ message ListImportJobsRequest {
   string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
 }
 
+// Request message for
+// [KeyManagementService.ListRetiredResources][google.cloud.kms.v1.KeyManagementService.ListRetiredResources].
+message ListRetiredResourcesRequest {
+  // Required. The project-specific location holding the
+  // [RetiredResources][google.cloud.kms.v1.RetiredResource], in the format
+  // `projects/*/locations/*`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "cloudkms.googleapis.com/RetiredResource"
+    }
+  ];
+
+  // Optional. Optional limit on the number of
+  // [RetiredResources][google.cloud.kms.v1.RetiredResource] to be included in
+  // the response. Further
+  // [RetiredResources][google.cloud.kms.v1.RetiredResource] can subsequently be
+  // obtained by including the
+  // [ListRetiredResourcesResponse.next_page_token][google.cloud.kms.v1.ListRetiredResourcesResponse.next_page_token]
+  // in a subsequent request. If unspecified, the server will pick an
+  // appropriate default.
+  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Optional pagination token, returned earlier via
+  // [ListRetiredResourcesResponse.next_page_token][google.cloud.kms.v1.ListRetiredResourcesResponse.next_page_token].
+  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
 // Response message for
 // [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
 message ListKeyRingsResponse {
@@ -656,6 +748,22 @@ message ListImportJobsResponse {
   int32 total_size = 3;
 }
 
+// Response message for
+// [KeyManagementService.ListRetiredResources][google.cloud.kms.v1.KeyManagementService.ListRetiredResources].
+message ListRetiredResourcesResponse {
+  // The list of [RetiredResources][google.cloud.kms.v1.RetiredResource].
+  repeated RetiredResource retired_resources = 1;
+
+  // A token to retrieve the next page of results. Pass this value in
+  // [ListRetiredResourcesRequest.page_token][google.cloud.kms.v1.ListRetiredResourcesRequest.page_token]
+  // to retrieve the next page of results.
+  string next_page_token = 2;
+
+  // The total number of [RetiredResources][google.cloud.kms.v1.RetiredResource]
+  // that matched the query.
+  int64 total_size = 3;
+}
+
 // Request message for
 // [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
 message GetKeyRingRequest {
@@ -731,6 +839,19 @@ message GetImportJobRequest {
   ];
 }
 
+// Request message for
+// [KeyManagementService.GetRetiredResource][google.cloud.kms.v1.KeyManagementService.GetRetiredResource].
+message GetRetiredResourceRequest {
+  // Required. The [name][google.cloud.kms.v1.RetiredResource.name] of the
+  // [RetiredResource][google.cloud.kms.v1.RetiredResource] to get.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/RetiredResource"
+    }
+  ];
+}
+
 // Request message for
 // [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
 message CreateKeyRingRequest {
@@ -803,6 +924,32 @@ message CreateCryptoKeyVersionRequest {
       [(google.api.field_behavior) = REQUIRED];
 }
 
+// Request message for
+// [KeyManagementService.DeleteCryptoKey][google.cloud.kms.v1.KeyManagementService.DeleteCryptoKey].
+message DeleteCryptoKeyRequest {
+  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to delete.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/CryptoKey"
+    }
+  ];
+}
+
+// Request message for
+// [KeyManagementService.DeleteCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DeleteCryptoKeyVersion].
+message DeleteCryptoKeyVersionRequest {
+  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to delete.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/CryptoKeyVersion"
+    }
+  ];
+}
+
 // Request message for
 // [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
 message ImportCryptoKeyVersionRequest {
@@ -2212,3 +2359,24 @@ message LocationMetadata {
   // can be created in this location.
   bool hsm_single_tenant_available = 3;
 }
+
+// Represents the metadata of the
+// [KeyManagementService.DeleteCryptoKey][google.cloud.kms.v1.KeyManagementService.DeleteCryptoKey]
+// long-running operation.
+message DeleteCryptoKeyMetadata {
+  // Output only. The resource name of the
+  // [RetiredResource][google.cloud.kms.v1.RetiredResource] created as a result
+  // of this operation, in the format
+  // `projects/*/locations/*/retiredResources/*`.
+  string retired_resource = 1 [
+    (google.api.field_behavior) = OUTPUT_ONLY,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/RetiredResource"
+    }
+  ];
+}
+
+// Represents the metadata of the
+// [KeyManagementService.DeleteCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DeleteCryptoKeyVersion]
+// long-running operation.
+message DeleteCryptoKeyVersionMetadata {}
