Why can't I delete internal keystores?

You are not able to delete the internal KMS keystore through either UI or API.

You have destroyed all keys in the KMS keystore. However, when you try to delete the keystore, you still receive an error similar to one of the following:

The service was not able to delete keystore <keystore_name> because it still contains some keys. Conflict: Key ring could not be deleted: Please see reasons for more details.

The KMS key metadata is to be automatically removed in 90 days. Before that, the key metadata still remains in the keystore and you cannot delete the keystore.

Delete the internal KMS keystore after the key metadata gets removed automatically. Or, you can manually remove all key metadata using the KMS API in 4 hours after you destroy the key. Make sure that you have the KMS Key Purge role assigned. For more information about roles, see Managing user access.