# Clean up access

After we complete copying your data from all appliances, we recommend that you
remove the access previously granted to our service accounts. This applies the
practice of least privilege to your data and helps ensure your data's security.

This section describes:

- Revoking our service accounts' access to your Cloud Storage buckets.
- Revoking our service accounts' Cloud KMS roles.
- Destroying the Cloud KMS key used to encrypt your data on Transfer Appliance.

Wait until we copy all of your data to Cloud Storage before completing the
steps below.

> **Important:** If you are using the Cloud KMS key that you generated and shared with the Transfer Appliance Team for any other purpose, including for other appliances copying data or for use in your Cloud Storage bucket, do not destroy the key.

Once the Cloud KMS key is destroyed, any encrypted data on Transfer Appliance
cannot be recovered. Similarly, once you revoke the service accounts' access to
the Cloud Storage buckets and the Cloud KMS key, no further data can be copied
from the appliance to your Cloud Storage buckets.

### Revoking Cloud KMS key access for the service account

Revoking Cloud KMS key access for the Transfer Appliance service account
ensures that we can no longer decrypt Transfer Appliance data on your behalf.

> **Important:** If another transfer is in progress or if another appliance is using the same key, do not revoke Cloud KMS key access for the service account. Revoking access stops the transfer.

To revoke the Cloud KMS CryptoKey Decrypter and Cloud KMS CryptoKey Public Key
Viewer roles from the service account, follow these steps:

#### Google Cloud Console

1. Go to the **Cryptographic Keys** page in the Google Cloud console.

   [Go to the Cryptographic Keys page](https://console.cloud.google.com/security/kms)

2. Click the name of the key ring that contains the key used in
   [Prepare the Cloud KMS key](#prepare-keys).

3. Select the checkbox for the key whose access you are revoking from the
   service account.

4. Click **Show Info Panel**.

   The information panel is displayed.

5. To revoke the **Cloud KMS CryptoKey Decrypter** role from the service
   account, do the following:

   1. In the **Permissions** tab, expand **Cloud KMS CryptoKey Decrypter**.

   2. Locate the service account. It looks like the following example:

      `service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com`

      In this example, `PROJECT_ID` is the Google Cloud project ID that your
      key is under.

   3. Click **Delete**.

   4. In the delete window, select the service account and click **Remove**.

6. To revoke the **Cloud KMS CryptoKey Public Key Viewer** role from the
   service account, do the following:

   1. In the **Permissions** tab, expand the **Cloud KMS CryptoKey Public Key
      Viewer** role.

   2. Locate the session service account. It looks like the following example:

      `service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com`

      In this example, `PROJECT_ID` is the Google Cloud project ID that your
      key is under.

   3. Click **Delete**.

   4. In the delete window, select the checkbox next to the service account
      and click **Remove**.

#### Command line

1. Run the following command to revoke the
   **roles/cloudkms.cryptoKeyDecrypter** role from the session service
   account:

   ```
   gcloud kms keys remove-iam-policy-binding KEY \
       --keyring KEY_RING \
       --location LOCATION \
       --member=serviceAccount:service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com \
       --role roles/cloudkms.cryptoKeyDecrypter
   ```

   In this example:

   - `KEY`: The name of the Cloud Key Management Service key. For example, `ta-key`.
   - `KEY_RING`: The key ring's name.
   - `LOCATION`: The Cloud Key Management Service location for the key ring. For example, `global`.
   - `PROJECT_ID`: The Google Cloud project ID that your key is under.

2. Run the following command to revoke the
   **roles/cloudkms.publicKeyViewer** role from the session service account:

   ```
   gcloud kms keys remove-iam-policy-binding KEY \
       --keyring KEY_RING \
       --location LOCATION \
       --member=serviceAccount:service-PROJECT_ID@gcp-sa-transferappliance.iam.gserviceaccount.com \
       --role roles/cloudkms.publicKeyViewer
   ```

   In this example:

   - `KEY`: The name of the Cloud Key Management Service key. For example, `ta-key`.
   - `KEY_RING`: The key ring's name.
   - `LOCATION`: The Cloud Key Management Service location for the key ring. For example, `global`.
   - `PROJECT_ID`: The Google Cloud project ID that your key is under.

### Revoking Cloud Storage bucket access for the service accounts

Revoking Cloud Storage bucket access for the Transfer Appliance service
accounts ensures that we can no longer use Cloud Storage resources on your
behalf.

> **Important:** If another transfer is in progress, do not revoke Cloud Storage bucket access for the Transfer Appliance service accounts. Revoking access for either service account stops the transfer.

To revoke Cloud Storage bucket access for the Transfer Appliance service
accounts, do the following:

#### Google Cloud Console

1. In the Google Cloud console, go to the Cloud Storage **Buckets** page.

   [Go to Buckets](https://console.cloud.google.com/storage/browser)

2. Locate the Cloud Storage bucket that your data was copied to and select the
   checkbox next to the bucket name.

3. Click **Show Info Panel**.

   The information panel is displayed.

4. In the **Permissions** tab, expand **Storage Admin Role**.

5. Locate the associated service accounts. There will be from 2 to 4 accounts
   depending on your configuration. Service accounts are described in
   [Service account quick reference](/transfer-appliance/docs/4.0/prepare-permissions#service_account_quick_reference).

   For each service account:

   1. Click **Delete**.

   2. To confirm deletion, select the checkbox next to the service account and
      click **Remove**.

#### Command line

Use the [`gcloud storage buckets remove-iam-policy-binding`](/sdk/gcloud/reference/storage/buckets/remove-iam-policy-binding)
command:

```
gcloud storage buckets remove-iam-policy-binding gs://BUCKET_NAME \
    --member=serviceAccount:ta-SESSION_ID@transfer-appliance-zimbru.iam.gserviceaccount.com \
    --role=roles/storage.admin
```

```
gcloud storage buckets remove-iam-policy-binding gs://BUCKET_NAME \
    --member=serviceAccount:project-IDENTIFIER@storage-transfer-service.iam.gserviceaccount.com \
    --role=roles/storage.admin
```

You may have additional service accounts, depending on your configuration.
Refer to the
[Service account quick reference](/transfer-appliance/docs/4.0/prepare-permissions#service_account_quick_reference)
for details.

In this example:

- `SESSION_ID`: The session ID for this particular transfer.
- `IDENTIFIER`: A generated number specific to this particular project.
- `BUCKET_NAME`: The name of your Cloud Storage bucket.

### Destroying the Cloud KMS key

Destroying the Cloud KMS key ensures that any data previously encrypted by the
key can no longer be decrypted by anyone.

> **Important:** If you are using the Cloud KMS key that you generated and shared with the Transfer Appliance Team for any other purpose, including for other appliances copying data or for use in your Cloud Storage bucket, do not destroy the key.

For more information about destroying keys, see
[Destroying and restoring key versions](/kms/docs/destroy-restore).

To destroy the Cloud KMS key, do the following:

#### Google Cloud Console

1. Go to the **Cryptographic Keys** page in the Google Cloud console.

   [Go to the Cryptographic Keys page](https://console.cloud.google.com/security/kms)

2. Click the name of the key ring used to
   [Prepare the Cloud KMS key](#prepare-keys).

3. Locate the row that contains the key you are destroying.

4. Select **More > Destroy**.

   A confirmation dialog is displayed.

5. In the confirmation dialog, click **Schedule destruction**.

#### Command line

Use the `gcloud kms keys versions destroy` command:

```
gcloud kms keys versions destroy VERSION_NUMBER \
    --keyring=KEY_RING \
    --key=KEY --location=LOCATION \
    --project=PROJECT_ID
```

In this example:

- `VERSION_NUMBER`: The key's version number.
- `KEY_RING`: The name of your key ring.
- `KEY`: The name of your asymmetric key.
- `LOCATION`: The Google Cloud location of the key ring.
- `PROJECT_ID`: The Google Cloud project ID that your key is under.
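Added example, not code from the Transfer Appliance documentation: a small Python audit that takes an IAM policy as exported by `gcloud kms keys get-iam-policy` or `gcloud storage buckets get-iam-policy` with `--format=json`, reports any Transfer Appliance service-account bindings that survived the revocation steps above, and computes the policy that the `remove-iam-policy-binding` commands should leave behind. The member patterns are taken from this page; the sample policy, project number and user are constructed.

```python
import re

# Service-account forms named on this page: the KMS session account, the
# per-session bucket account and the Storage Transfer Service account.
TA_MEMBER_PATTERNS = [
    re.compile(r"^serviceAccount:service-[^@]+@gcp-sa-transferappliance\.iam\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:ta-[^@]+@transfer-appliance-zimbru\.iam\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:project-[^@]+@storage-transfer-service\.iam\.gserviceaccount\.com$"),
]

def is_transfer_appliance_member(member):
    """True if an IAM member string is one of the Transfer Appliance accounts."""
    return any(p.match(member) for p in TA_MEMBER_PATTERNS)

def leftover_bindings(policy):
    """(role, member) pairs where a Transfer Appliance account is still bound.
    Every role is checked, not only the three on this page, so an unexpected
    grant is surfaced instead of silently kept."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if is_transfer_appliance_member(m)]

def remove_member(policy, role, member):
    """Copy of `policy` without `member` in `role`, as remove-iam-policy-binding
    does: emptied bindings are dropped; etag, version and conditions are kept so
    the result can go back through set-iam-policy with its concurrency check."""
    bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if not (b["role"] == role and m == member)]
        if members:
            bindings.append({**b, "members": members})
    return {**policy, "bindings": bindings}

def cleanup(policy):
    """Remove every Transfer Appliance binding; returns (new_policy, removed)."""
    removed = leftover_bindings(policy)
    for role, member in removed:
        policy = remove_member(policy, role, member)
    return policy, removed

# Constructed sample: a KMS key policy after the copy finished, before cleanup.
TA_SA = "serviceAccount:service-123456@gcp-sa-transferappliance.iam.gserviceaccount.com"
SAMPLE_KEY_POLICY = {
    "etag": "BwX-constructed",
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": [TA_SA]},
        {"role": "roles/cloudkms.publicKeyViewer", "members": [TA_SA, "user:admin@example.com"]},
    ],
}
```

Running `leftover_bindings` on the exported policy after the steps above should return an empty list; anything it still lists is a binding the cleanup missed.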