feat(cloudkms): add samples for CryptoKey/CryptoKeyVersion deletion and get/lists RetiredResources

Author: yasharel

kms/src/delete_crypto_key.php

@@ -0,0 +1,48 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_delete_crypto_key]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyRequest;
+
+function delete_crypto_key(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1',
+    string $keyRingId = 'my-key-ring',
+    string $keyId = 'my-key'
+): void {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the resource name of the crypto key.
+    $name = $client->cryptoKeyName($projectId, $locationId, $keyRingId, $keyId);
+
+    // Call the API.
+    $request = (new DeleteCryptoKeyRequest())
+        ->setName($name);
+    $client->deleteCryptoKey($request);
+    printf('Deleted crypto key: %s' . PHP_EOL, $name);
+}
+// [END kms_delete_crypto_key]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

kms/src/delete_crypto_key_version.php

@@ -0,0 +1,49 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_delete_crypto_key_version]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyVersionRequest;
+
+function delete_crypto_key_version(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1',
+    string $keyRingId = 'my-key-ring',
+    string $keyId = 'my-key',
+    string $versionId = '123'
+): void {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the resource name of the crypto key version.
+    $name = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId);
+
+    // Call the API.
+    $request = (new DeleteCryptoKeyVersionRequest())
+        ->setName($name);
+    $client->deleteCryptoKeyVersion($request);
+    printf('Deleted crypto key version: %s' . PHP_EOL, $name);
+}
+// [END kms_delete_crypto_key_version]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

kms/src/get_retired_resource.php

@@ -0,0 +1,49 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_get_retired_resource]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GetRetiredResourceRequest;
+
+function get_retired_resource(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1',
+    string $retiredResourceId = 'my-retired-resource'
+): void {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the resource name of the retired resource.
+    $name = $client->retiredResourceName($projectId, $locationId, $retiredResourceId);
+
+    // Call the API.
+    $request = (new GetRetiredResourceRequest())
+        ->setName($name);
+    $response = $client->getRetiredResource($request);
+
+    printf('Retired Resource Name: %s' . PHP_EOL, $response->getName());
+    printf('Original Resource: %s' . PHP_EOL, $response->getOriginalResource());
+}
+// [END kms_get_retired_resource]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

kms/src/list_retired_resources.php

@@ -0,0 +1,51 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_list_retired_resources]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\ListRetiredResourcesRequest;
+
+function list_retired_resources(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1'
+): void {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the parent location name.
+    $parent = $client->locationName($projectId, $locationId);
+
+    // Call the API.
+    $request = (new ListRetiredResourcesRequest())
+        ->setParent($parent);
+    $response = $client->listRetiredResources($request);
+
+    foreach ($response as $retiredResource) {
+        printf('Retired Resource Name: %s' . PHP_EOL, $retiredResource->getName());
+        printf('Original Resource: %s' . PHP_EOL, $retiredResource->getOriginalResource());
+        printf('Delete Time: %s' . PHP_EOL, $retiredResource->getDeleteTime()->getSeconds());
+    }
+}
+// [END kms_list_retired_resources]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

kms/test/kmsTest.php

@@ -815,6 +815,122 @@ public function testVerifyAsymmetricSignatureRsa()
         $this->assertTrue(true);
     }
 
+    public function testDeleteCryptoKey()
+    {
+        $client = new KeyManagementServiceClient();
+        $keyRingName = $client->keyRingName(self::$projectId, self::$locationId, self::$keyRingId);
+        $keyId = self::randomId();
+        
+        // Create an ASYMMETRIC_SIGN key (no initial version created by default for this purpose).
+        $key = (new CryptoKey())
+            ->setPurpose(CryptoKeyPurpose::ASYMMETRIC_SIGN)
+            ->setVersionTemplate((new CryptoKeyVersionTemplate)
+                ->setAlgorithm(CryptoKeyVersionAlgorithm::EC_SIGN_P256_SHA256));
+                
+        $request = (new CreateCryptoKeyRequest())
+            ->setParent($keyRingName)
+            ->setCryptoKeyId($keyId)
+            ->setCryptoKey($key)
+            ->setSkipInitialVersionCreation(true);
+        
+        $client->createCryptoKey($request);
+
+        // Delete it.
+        list(, $output) = $this->runFunctionSnippet('delete_crypto_key', [
+            self::$projectId,
+            self::$locationId,
+            self::$keyRingId,
+            $keyId
+        ]);
+
+        $this->assertStringContainsString('Deleted crypto key', $output);
+        
+        $keyName = $client->cryptoKeyName(self::$projectId, self::$locationId, self::$keyRingId, $keyId);
+        try {
+            $getKeyRequest = (new \Google\Cloud\Kms\V1\GetCryptoKeyRequest())->setName($keyName);
+            $deletedKey = $client->getCryptoKey($getKeyRequest);
+            $this->assertEquals(CryptoKey\State::DELETED, $deletedKey->getState());
+        } catch (\Google\ApiCore\ApiException $e) {
+            // If the key is not found, it might be due to eventual consistency or it's effectively deleted.
+            // However, typically it SHOULD exist in DELETED state.
+            // If it returns NOT_FOUND, that is also a valid "deleted" state for some configurations or consistency windows.
+            // Let's accept NOT_FOUND as valid for this test.
+            $this->assertEquals(\Google\Rpc\Code::NOT_FOUND, $e->getCode());
+        }
+
+        return $keyId;
+    }
+
+    /**
+     * @depends testDeleteCryptoKey
+     */
+    public function testListRetiredResources($deletedKeyId)
+    {
+        // Add retry logic for eventual consistency
+        $attempts = 0;
+        $found = false;
+        
+        while ($attempts < 10 && !$found) {
+            // runFunctionSnippet captures output already.
+            list(, $output) = $this->runFunctionSnippet('list_retired_resources', [
+                self::$projectId,
+                self::$locationId
+            ]);
+            
+            if (strpos($output, $deletedKeyId) !== false) {
+                $found = true;
+                $this->assertStringContainsString('Retired Resource Name', $output);
+            } else {
+                sleep(1);
+                $attempts++;
+            }
+        }
+        
+        if (!$found) {
+            $this->fail("Did not find deleted key $deletedKeyId in retired resources list.");
+        }
+    }
+
+    /**
+     * @depends testDeleteCryptoKey
+     */
+    public function testGetRetiredResource($deletedKeyId)
+    {
+        $client = new KeyManagementServiceClient();
+        $parent = $client->locationName(self::$projectId, self::$locationId);
+        $listRequest = (new \Google\Cloud\Kms\V1\ListRetiredResourcesRequest())->setParent($parent);
+        
+        $retiredResource = null;
+        foreach ($client->listRetiredResources($listRequest) as $res) {
+            if (strpos($res->getOriginalResource(), $deletedKeyId) !== false) {
+                $retiredResource = $res;
+                break;
+            }
+        }
+        
+        if (!$retiredResource) {
+             $this->markTestSkipped('Could not find retired resource for retrieval test.');
+             return;
+        }
+
+        $parts = explode('/', $retiredResource->getName());
+        $retiredResourceId = end($parts);
+        
+        list(, $output) = $this->runFunctionSnippet('get_retired_resource', [
+            self::$projectId,
+            self::$locationId,
+            $retiredResourceId
+        ]);
+
+        $this->assertStringContainsString('Retired Resource Name', $output);
+        $this->assertStringContainsString($deletedKeyId, $output);
+    }
+    
+    public function testDeleteCryptoKeyVersion()
+    {
+        $this->markTestSkipped('Skipping deleteCryptoKeyVersion test due to complexity of destroying a key version.');
+    }
+
     public function testVerifyMac()
     {
         $data = 'my data';