Wednesday 26 August 2020

Set rotation period to NEVER for all crypto keys in one Google KMS keyring

Sometimes, after a number of crypto keys have been created (typically in a development project), you want to stop them from automatically generating new key versions. The program below clears the rotation schedule of every key in one key ring. Keep in mind that a key with no rotation period keeps its current primary version in use indefinitely, so this is a cleanup step for throwaway keyrings rather than something to run against production keys; the identity running it needs permission to list and update crypto keys in that ring. See also How to delete all key versions in Google KMS keyring


 

import com.google.cloud.kms.v1.CryptoKey;

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.protobuf.Duration;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;

import java.io.IOException;

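/**
 * Disables automatic rotation for every CryptoKey in one Cloud KMS key ring.
 *
 * <p>Rotation is switched off by clearing both {@code rotation_period} and
 * {@code next_rotation_time} on the key. The two fields belong together (a key with a
 * rotation period also carries the time of its next rotation), so they are cleared in the
 * same update, and the field mask restricts that update to exactly those two fields so
 * nothing else on the key (labels, primary version, purpose, ...) is modified.
 *
 * <p>Security note: once rotation is cleared the current primary version stays in use
 * until somebody rotates the key by hand. The defaults below point at a development
 * project; do not run this against production keys without a deliberate decision.
 *
 * <p>Usage: {@code Cleanup [projectId [location [keyRing]]]}. Missing arguments fall back
 * to the constants in this class, so running it with no arguments behaves exactly like the
 * original hard-coded version. The client authenticates with Application Default
 * Credentials; that identity must be allowed to list and update crypto keys in the ring.
 *
 * <p>The original listing was missing the closing brace of the {@code try} block, which
 * made it fail to compile; that is fixed here.
 */
public class Cleanup {

    private static final String KMS_PROJECT_ID = "my-dev-project";
    private static final String KMS_LOCATION = "global";
    private static final String KMS_KEYRING = "encrypted-values";

    /** Only these two fields are sent to KMS; every other field of the key is left untouched. */
    private static final FieldMask ROTATION_FIELDS =
            FieldMaskUtil.fromString("rotation_period,next_rotation_time");

    /**
     * Entry point: walks the key ring and clears the rotation schedule of every key that has one.
     *
     * @param args optional {@code projectId}, {@code location}, {@code keyRing} overrides, in that
     *     order; omitted values fall back to the class constants
     * @throws RuntimeException if the KMS client cannot be created (wraps the {@link IOException})
     */
    public static void main(String[] args) {
        String projectId = args.length > 0 ? args[0] : KMS_PROJECT_ID;
        String location = args.length > 1 ? args[1] : KMS_LOCATION;
        String keyRing = args.length > 2 ? args[2] : KMS_KEYRING;

        // try-with-resources closes the gRPC channel even if an update call throws.
        try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
            String keyRingName = KeyRingName.format(projectId, location, keyRing);
            int cleared = 0;
            for (CryptoKey cryptoKey : client.listCryptoKeys(keyRingName).iterateAll()) {
                if (!hasRotationSchedule(cryptoKey)) {
                    continue; // already never rotates; nothing to update
                }
                String name = cryptoKey.getName();
                System.out.println("Clearing rotation period of " + name);
                // Start from the fetched key so the request is well-formed, then drop both
                // rotation fields; the mask makes KMS apply only those two.
                CryptoKey updatedKey = CryptoKey.newBuilder(cryptoKey)
                        .clearRotationPeriod()
                        .clearNextRotationTime()
                        .build();
                client.updateCryptoKey(updatedKey, ROTATION_FIELDS);
                cleared++;
            }
            System.out.println("Cleared rotation period of " + cleared + " key(s) in " + keyRingName);
        } catch (IOException e) {
            throw new RuntimeException("Could not create KMS client", e);
        }
    }

    /**
     * Returns whether the key currently has a rotation period set.
     *
     * <p>A rotation period of zero seconds and zero nanos is treated as "no rotation", which is
     * how an absent proto3 message field reads.
     */
    private static boolean hasRotationSchedule(CryptoKey cryptoKey) {
        Duration rotation = cryptoKey.getRotationPeriod();
        return rotation.getSeconds() != 0 || rotation.getNanos() != 0;
    }

}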