11

This is a newbie security/console question...I created a key ring in my project in a specific (wrong) location, Europe.

I can't see any way in the console to edit or even delete a key ring. The key ring is completely empty...no keys in it.

How can I edit/delete a key ring?

D.Baillie

3 Answers

17

Sorry, you can't delete or rename keys or key rings. We were concerned about the security implications of allowing multiple keys or key versions over time to have the same resource name, so we decided to make names immutable. (And you can't delete them, because we wouldn't be able to do a true deletion--there would still have to be a tombstone tracking that this name had been used and couldn't be reused).

We're aware that this can make things untidy, but we have no immediate plans to change this.

If you want to avoid getting billed for a key or otherwise make it unavailable, you can do so by deleting all the key versions; neither keys nor key rings are billed for, just the active key versions within the keys.

Thanks for your question and for using GCP and Cloud KMS!

Tim Dierks
  • 3
    Thanks for the answer, I found the same when trawling through the documentation. Pity you can't edit if you make a mistake, as I did. I guess I could delete my project which would destroy it! – D.Baillie Jan 30 '19 at 21:18
  • 2
    Untidy it is, would you recommend a way to have unused keyrings cleared? – Ben Apr 08 '19 at 13:19
  • 2
    Sorry, other than deleting the project, I have no specific suggestions. If you could archive or hide unused keyrings would that be appealing? If so, I can file a feature request. – Tim Dierks Apr 09 '19 at 16:15
  • Probably not the place to request this, but how about disabling keyrings so that they do not show up in the console and creating a mess? – Nikolaos Kakouros Aug 08 '19 at 17:07
  • Yes, thanks for the input. I've filed this request. – Tim Dierks Aug 09 '19 at 18:06
  • @TimDierks It's a simple thing but I want to delete, archive, or somehow get them to be "free" so they don't have a continuous $1/mo charge on my account. – nelsonjchen Feb 01 '21 at 06:24
  • 1
    Thanks @nelsonjchen! You can get rid of the billing by deleting all the versions: a keyring with keys which have no key versions has no charge. I will amend the answer to clarify this. – Tim Dierks Feb 02 '21 at 17:16
  • 1
    @TimDierks, I will do that. Thanks for the reply and editing of your answer. – nelsonjchen Feb 03 '21 at 22:00
  • @TimDierks this is an old topic but still an issue. Hopefully you still can file feature requests? Here's mine - could GCP hide key rings that have been inactive for some configurable amount of time? That way my automation can generate a key ring name decorated with date, and obsolete key rings fall out of visibility. – jws Aug 05 '21 at 22:37
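
The cleanup described in the answer above (removing every key version so an unwanted key ring no longer incurs charges), written with the gcloud CLI as an added example that is not part of the original thread. `GCLOUD`, `DRY_RUN` and the function names are this example's own assumptions; the key ring and location are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. GCLOUD and DRY_RUN are this script's
# own settings; key ring and location are supplied by the caller.
GCLOUD="${GCLOUD:-gcloud}"   # override with a wrapper or a test stub
DRY_RUN="${DRY_RUN:-1}"      # 1 = only report what would be destroyed
TAB="$(printf '\t')"

# Print "KEY<TAB>VERSION" for each version that is not already destroyed
# or scheduled for destruction (the versions the answer says to remove).
list_live_versions() {
  "$GCLOUD" kms keys list --keyring "$1" --location "$2" \
      --format='value(name)' |
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    key="${key##*/}"           # full resource name -> short key ID
    # </dev/null keeps the inner call from eating the outer loop's input
    "$GCLOUD" kms keys versions list --key "$key" --keyring "$1" \
        --location "$2" --format='value(name,state)' </dev/null |
    while IFS="$TAB" read -r ver state; do
      [ -n "$ver" ] || continue
      case "$state" in
        DESTROYED|DESTROY_SCHEDULED) ;;
        *) printf '%s\t%s\n' "$key" "${ver##*/}" ;;
      esac
    done
  done
}

# Schedule destruction of every live version; the last output line is count=N.
destroy_live_versions() {
  list_live_versions "$1" "$2" | {
    n=0
    while IFS="$TAB" read -r key ver; do
      if [ "$DRY_RUN" = 1 ]; then
        echo "would destroy $key version $ver"
      else
        "$GCLOUD" kms keys versions destroy "$ver" --key "$key" \
            --keyring "$1" --location "$2" </dev/null
      fi
      n=$((n + 1))
    done
    echo "count=$n"
  }
}

if [ "$#" -eq 2 ]; then destroy_live_versions "$1" "$2"; fi
```

Called with a key ring and a location, the script only previews; set `DRY_RUN=0` to act. Data encrypted under a destroyed version can no longer be decrypted, so review the preview output first.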
0

Interesting. For comparison, on AWS keys have unique IDs and there is a separate resource to alias names to IDs.

ndenev
  • And you can delete the key in AWS, with a waiting period of 7 – 30 days. Maybe something GCP could learn from AWS. – star Nov 24 '21 at 05:49
0

Your question: How can I edit/delete a key ring?

Visit Destroy a key version. You can destroy an enabled or disabled key version. You may also disable and enable the KMS API. I just did it.


eQ19
  • But there is no way to delete destroyed key versions nor restore them back. But the project is still trying to pick the destroyed key versions for all auth. Is there any way we can delete destroyed key versions in GCP? – anil kumar d Jan 03 '23 at 05:28