feat(cloudkms): add samples for CryptoKey/CryptoKeyVersion deletion and get/lists RetiredResources (#10237)

* feat: add delete and retired resources samples for java

* Add permanent deletion warning to DeleteKey and DeleteKeyVersion snippets

Author: yasharel

kms/pom.xml

@@ -31,7 +31,7 @@
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>libraries-bom</artifactId>
-        <version>26.32.0</version>
+        <version>26.50.0</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -42,16 +42,27 @@
     <dependency>
       <groupId>com.google.cloud</groupId>
       <artifactId>google-cloud-kms</artifactId>
+      <version>2.88.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.api.grpc</groupId>
+      <artifactId>proto-google-cloud-kms-v1</artifactId>
+      <version>0.179.0</version>
     </dependency>
     <dependency>
       <groupId>com.google.crypto.tink</groupId>
       <artifactId>tink</artifactId>
       <version>1.12.0</version>
     </dependency>
-    <!-- [START_EXCLUDE] -->
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>4.33.2</version>
+    </dependency>
     <dependency>
       <groupId>com.google.protobuf</groupId>
       <artifactId>protobuf-java-util</artifactId>
+      <version>4.33.2</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
@@ -77,5 +88,16 @@
     </dependency>
     <!-- [END_EXCLUDE] -->
   </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
   <!-- [END kms_install_with_bom] -->
 </project>

kms/src/main/java/kms/DeleteKey.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_delete_key]
+import com.google.cloud.kms.v1.CryptoKeyName;
+import com.google.cloud.kms.v1.DeleteCryptoKeyMetadata;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class DeleteKey {
+
+  public void deleteKey() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String keyId = "my-key";
+    deleteKey(projectId, locationId, keyRingId, keyId);
+  }
+
+  // deleteKey deletes a crypto key. This action is permanent and cannot be undone. Once the key
+  // is deleted, it will no longer exist.
+  public void deleteKey(String projectId, String locationId, String keyRingId, String keyId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the key name from the project, location, key ring, and key.
+      CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);
+
+      // Delete the key.
+      // Warning: This operation is permanent and cannot be undone.
+      // Wait for the operation to complete.
+      client.deleteCryptoKeyAsync(keyName).get();
+      System.out.printf("Deleted key: %s%n", keyName.toString());
+    } catch (Exception e) {
+      System.err.printf("Failed to delete key: %s%n", e.getMessage());
+    }
+  }
+}
+// [END kms_delete_key]

kms/src/main/java/kms/DeleteKeyVersion.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_delete_key_version]
+import com.google.cloud.kms.v1.CryptoKeyVersionName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import java.io.IOException;
+
+public class DeleteKeyVersion {
+
+  public void deleteKeyVersion() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String keyId = "my-key";
+    String keyVersionId = "123";
+    deleteKeyVersion(projectId, locationId, keyRingId, keyId, keyVersionId);
+  }
+
+  // deleteKeyVersion deletes a key version. This action is permanent and cannot be undone. Once the
+  // key version is deleted, it will no longer exist.
+  public void deleteKeyVersion(
+      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the key version name from the project, location, key ring, key,
+      // and key version.
+      CryptoKeyVersionName keyVersionName =
+          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
+
+      // Delete the key version.
+      // Warning: This operation is permanent and cannot be undone.
+      // Wait for the operation to complete.
+      client.deleteCryptoKeyVersionAsync(keyVersionName).get();
+      System.out.printf("Deleted key version: %s%n", keyVersionName.toString());
+    } catch (Exception e) {
+      System.err.printf("Failed to delete key version: %s%n", e.getMessage());
+    }
+  }
+}
+// [END kms_delete_key_version]

kms/src/main/java/kms/GetRetiredResource.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_get_retired_resource]
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.cloud.kms.v1.RetiredResource;
+import com.google.cloud.kms.v1.RetiredResourceName;
+import java.io.IOException;
+
+public class GetRetiredResource {
+
+  public void getRetiredResource() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String retiredResourceId = "my-retired-resource-id";
+    getRetiredResource(projectId, locationId, retiredResourceId);
+  }
+
+  // Get the retired resource.
+  public void getRetiredResource(
+      String projectId, String locationId, String retiredResourceId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the retired resource name from the project, location, and retired resource id.
+      RetiredResourceName name = RetiredResourceName.of(projectId, locationId, retiredResourceId);
+
+      // Get the retired resource.
+      RetiredResource response = client.getRetiredResource(name);
+      System.out.printf("Retired resource: %s%n", response.getName());
+    }
+  }
+}
+// [END kms_get_retired_resource]

kms/src/main/java/kms/IamRemoveMember.java

@@ -56,13 +56,29 @@ public void iamRemoveMember(
 
       // Search through the bindings and remove matches.
       String roleToFind = "roles/cloudkms.cryptoKeyEncrypterDecrypter";
+      // Create a new list of bindings, removing the member from the role.
+      java.util.List<Binding> newBindings = new java.util.ArrayList<>();
       for (Binding binding : policy.getBindingsList()) {
         if (binding.getRole().equals(roleToFind) && binding.getMembersList().contains(member)) {
-          binding.getMembersList().remove(member);
+          Binding.Builder bindingBuilder = binding.toBuilder();
+          // Remove the member.
+          // Note: ProtocolStringList is immutable, so we need to rebuild the members list.
+          java.util.List<String> validMembers = new java.util.ArrayList<>(binding.getMembersList());
+          validMembers.remove(member);
+          
+          bindingBuilder.clearMembers().addAllMembers(validMembers);
+          if (!validMembers.isEmpty()) {
+            newBindings.add(bindingBuilder.build());
+          }
+          // If no members left, we can just omit the binding (effective removal).
+        } else {
+          newBindings.add(binding);
         }
       }
 
-      client.setIamPolicy(resourceName, policy);
+      Policy newPolicy = policy.toBuilder().clearBindings().addAllBindings(newBindings).build();
+
+      client.setIamPolicy(resourceName, newPolicy);
       System.out.printf("Updated IAM policy for %s%n", resourceName.toString());
     }
   }

kms/src/main/java/kms/ListRetiredResources.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_list_retired_resources]
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.cloud.kms.v1.LocationName;
+import com.google.cloud.kms.v1.RetiredResource;
+import java.io.IOException;
+
+public class ListRetiredResources {
+
+  public void listRetiredResources() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    listRetiredResources(projectId, locationId);
+  }
+
+  // List retired resources in a specific project and location.
+  public void listRetiredResources(String projectId, String locationId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the location name from the project and location.
+      LocationName locationName = LocationName.of(projectId, locationId);
+
+      // List the retired resources.
+      for (RetiredResource resource : client.listRetiredResources(locationName).iterateAll()) {
+        System.out.printf("Retired resource: %s%n", resource.getName());
+      }
+    }
+  }
+}
+// [END kms_list_retired_resources]

kms/src/main/java/kms/VerifyAsymmetricEc.java

@@ -45,6 +45,7 @@ public void verifyAsymmetricEc() throws IOException, GeneralSecurityException {
     verifyAsymmetricEc(projectId, locationId, keyRingId, keyId, keyVersionId, message, signature);
   }
 
+  // CPD-OFF
   // Verify the signature of a message signed with an RSA key.
   public void verifyAsymmetricEc(
       String projectId,