GoogleCloudPlatform · yasharel · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
@@ -0,0 +1,48 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_delete_crypto_key]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyRequest;
+
+function delete_crypto_key(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1',
+    string $keyRingId = 'my-key-ring',
+    string $keyId = 'my-key'
+): void {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the resource name of the crypto key.
+    $name = $client->cryptoKeyName($projectId, $locationId, $keyRingId, $keyId);
+
+    // Call the API.
+    $request = (new DeleteCryptoKeyRequest())
+        ->setName($name);
+    $client->deleteCryptoKey($request);
+    printf('Deleted crypto key: %s' . PHP_EOL, $name);
+}
+// [END kms_delete_crypto_key]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,49 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_delete_crypto_key_version]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyVersionRequest;
+
+function delete_crypto_key_version(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1',
+    string $keyRingId = 'my-key-ring',
+    string $keyId = 'my-key',
+    string $versionId = '123'
+): void {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the resource name of the crypto key version.
+    $name = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId);
+
+    // Call the API.
+    $request = (new DeleteCryptoKeyVersionRequest())
+        ->setName($name);
+    $client->deleteCryptoKeyVersion($request);
+    printf('Deleted crypto key version: %s' . PHP_EOL, $name);
+}
+// [END kms_delete_crypto_key_version]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,51 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_get_retired_resource]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GetRetiredResourceRequest;
+
+function get_retired_resource(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1',
+    string $retiredResourceId = 'my-retired-resource'
+): mixed {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the resource name of the retired resource.
+    $name = $client->retiredResourceName($projectId, $locationId, $retiredResourceId);
+
+    // Call the API.
+    $request = (new GetRetiredResourceRequest())
+        ->setName($name);
+    $response = $client->getRetiredResource($request);
+
+    printf('Retired Resource Name: %s' . PHP_EOL, $response->getName());
+    printf('Original Resource: %s' . PHP_EOL, $response->getOriginalResource());
+
+    return $response;
+}
+// [END kms_get_retired_resource]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,53 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\Kms;
+
+// [START kms_list_retired_resources]
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\ListRetiredResourcesRequest;
+
+function list_retired_resources(
+    string $projectId = 'my-project',
+    string $locationId = 'us-east1'
+): mixed {
+    // Create the Cloud KMS client.
+    $client = new KeyManagementServiceClient();
+
+    // Build the parent location name.
+    $parent = $client->locationName($projectId, $locationId);
+
+    // Call the API.
+    $request = (new ListRetiredResourcesRequest())
+        ->setParent($parent);
+    $response = $client->listRetiredResources($request);
+
+    foreach ($response as $retiredResource) {
+        printf('Retired Resource Name: %s' . PHP_EOL, $retiredResource->getName());
+        printf('Original Resource: %s' . PHP_EOL, $retiredResource->getOriginalResource());
+        printf('Delete Time: %s' . PHP_EOL, $retiredResource->getDeleteTime()->getSeconds());
+    }
+
+    return $response;
+}
+// [END kms_list_retired_resources]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+return \Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -19,6 +19,8 @@
 
 namespace Google\Cloud\Samples\Kms;
 
+use Google\ApiCore\ApiException;
+use Google\Rpc\Code;
 use Google\Cloud\Iam\V1\Binding;
 use Google\Cloud\Iam\V1\GetIamPolicyRequest;
 use Google\Cloud\Iam\V1\SetIamPolicyRequest;
@@ -45,6 +47,9 @@
 use Google\Cloud\Kms\V1\MacVerifyRequest;
 use Google\Cloud\Kms\V1\ProtectionLevel;
 use Google\Cloud\Kms\V1\UpdateCryptoKeyRequest;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyRequest;
+use Google\Cloud\Kms\V1\ListRetiredResourcesRequest;
+use Google\Cloud\Kms\V1\GetCryptoKeyRequest;
 use Google\Cloud\TestUtils\TestTrait;
 use Google\Protobuf\FieldMask;
 use PHPUnit\Framework\TestCase;
@@ -815,6 +820,104 @@ public function testVerifyAsymmetricSignatureRsa()
         $this->assertTrue(true);
     }
 
+    public function testDeleteCryptoKey()
+    {
+        $client = new KeyManagementServiceClient();
+        $keyRingName = $client->keyRingName(self::$projectId, self::$locationId, self::$keyRingId);
+        $keyId = self::randomId();
+
+        // Create an ASYMMETRIC_SIGN key (no initial version created by default for this purpose).
+        $key = (new CryptoKey())
+            ->setPurpose(CryptoKeyPurpose::ASYMMETRIC_SIGN)
+            ->setVersionTemplate((new CryptoKeyVersionTemplate)
+                ->setAlgorithm(CryptoKeyVersionAlgorithm::EC_SIGN_P256_SHA256));
+
+        $request = (new CreateCryptoKeyRequest())
+            ->setParent($keyRingName)
+            ->setCryptoKeyId($keyId)
+            ->setCryptoKey($key)
+            ->setSkipInitialVersionCreation(true);
+
+        $client->createCryptoKey($request);
+
+        // Delete it.
+        list(, $output) = $this->runFunctionSnippet('delete_crypto_key', [
+            self::$projectId,
+            self::$locationId,
+            self::$keyRingId,
+            $keyId
+        ]);
+
+        $this->assertStringContainsString('Deleted crypto key', $output);
+
+        $keyName = $client->cryptoKeyName(self::$projectId, self::$locationId, self::$keyRingId, $keyId);
+        try {
+            $getKeyRequest = (new GetCryptoKeyRequest())->setName($keyName);
+            $client->getCryptoKey($getKeyRequest);
+            $this->fail('Key should be deleted');
+        } catch (ApiException $e) {
+            $this->assertEquals(Code::NOT_FOUND, $e->getCode());
+        }
+
+        return $keyId;
+    }
+
+    public function testListAndGetRetiredResource()
+    {
+        // Create a key to delete
+        $client = new KeyManagementServiceClient();
+        $keyRingName = $client->keyRingName(self::$projectId, self::$locationId, self::$keyRingId);
+        $keyId = self::randomId();
+        $key = (new CryptoKey())
+            ->setPurpose(CryptoKeyPurpose::ASYMMETRIC_SIGN)
+            ->setVersionTemplate((new CryptoKeyVersionTemplate)
+                ->setAlgorithm(CryptoKeyVersionAlgorithm::EC_SIGN_P256_SHA256));
+
+        // Create key (with no initial version)
+        $request = (new CreateCryptoKeyRequest())
+            ->setParent($keyRingName)
+            ->setCryptoKeyId($keyId)
+            ->setCryptoKey($key)
+            ->setSkipInitialVersionCreation(true);
+        $client->createCryptoKey($request);
+
+        // Delete it
+        $keyName = $client->cryptoKeyName(self::$projectId, self::$locationId, self::$keyRingId, $keyId);
+        $deleteRequest = (new DeleteCryptoKeyRequest())->setName($keyName);
+        $client->deleteCryptoKey($deleteRequest);
+
+        // Find the retired resource ID first (needed for the snippet)
+        $parent = $client->locationName(self::$projectId, self::$locationId);
+        $listRequest = (new ListRetiredResourcesRequest())->setParent($parent);
+
+        $retiredResource = null;
+        foreach ($client->listRetiredResources($listRequest) as $res) {
+            if (strpos($res->getOriginalResource(), $keyId) !== false) {
+                $retiredResource = $res;
+                break;
+            }
+        }
+
+        $this->assertNotNull($retiredResource, 'Could not find retired resource for retrieval test.');
+
+        $parts = explode('/', $retiredResource->getName());
+        $retiredResourceId = end($parts);
+
+        list($response, $output) = $this->runFunctionSnippet('get_retired_resource', [
+            self::$projectId,
+            self::$locationId,
+            $retiredResourceId
+        ]);
+
+        $this->assertStringContainsString($keyId, $response->getOriginalResource());
+        $this->assertStringContainsString('Retired Resource Name', $output);
+    }
+
+    public function testDeleteCryptoKeyVersion()
+    {
+        $this->markTestSkipped('Skipping deleteCryptoKeyVersion test due to complexity of destroying a key version.');
+    }
+
     public function testVerifyMac()
     {
         $data = 'my data';