diff --git a/.gitignore b/.gitignore index 9cf44040..0a58283b 100644 --- a/.gitignore +++ b/.gitignore @@ -40,9 +40,6 @@ tmp/ *.tfstate *.tfstate.* -# terraform lock -*.terraform.lock.hcl - # Ignore override files as they are usually used to override resources locally and so # are not checked in override.tf diff --git a/client-lib/go/go.mod b/client-lib/go/go.mod index eef28123..51f7cc0c 100644 --- a/client-lib/go/go.mod +++ b/client-lib/go/go.mod @@ -15,7 +15,6 @@ require ( require ( cloud.google.com/go v0.102.0 // indirect cloud.google.com/go/compute v1.6.1 // indirect - cloud.google.com/go/firestore v1.6.1 // indirect cloud.google.com/go/iam v0.3.0 // indirect cloud.google.com/go/kms v1.4.0 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect @@ -39,7 +38,6 @@ require ( golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401 // indirect golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect golang.org/x/text v0.3.7 // indirect - golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect google.golang.org/api v0.82.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect diff --git a/client-lib/go/go.sum b/client-lib/go/go.sum index faeb3fc5..a709e633 100644 --- a/client-lib/go/go.sum +++ b/client-lib/go/go.sum 
@@ -44,8 +44,6 @@ cloud.google.com/go/compute v1.6.1 h1:2sMmt8prCn7DPaG4Pmh0N3Inmc8cT8ae5k1M6VJ9Wq cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/firestore v1.6.1 h1:8rBq3zRjnHx8UtBvaOWqBB1xq9jH6/wltfQLlTMh2Fw= -cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY= cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= @@ -102,7 +100,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.m github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 
@@ -200,7 +197,6 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= @@ -223,10 +219,6 @@ github.com/lestrrat-go/jwx/v2 v2.0.3 h1:9zeZGkbiVkiSuzRsy2SbQJdTuA/At1I2Hh9R/Gon github.com/lestrrat-go/jwx/v2 v2.0.3/go.mod h1:4tnab1l/rJWhxmtVsAtc2kr+pWGg72IcnWFk8gM0tLM= github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4= github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= -github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo= -github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= -github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= -github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU= github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -238,11 +230,6 @@ github.com/sethvargo/go-envconfig v0.8.0 h1:AcmdAewSFAc7pQ1Ghz+vhZkilUtxX559QlDu github.com/sethvargo/go-envconfig v0.8.0/go.mod h1:Iz1Gy1Sf3T64TQlJSvee81qDhf7YIlt8GMUX6yyNFs0= github.com/sethvargo/go-gcpkms v0.1.0 h1:pyjDLqLwpk9pMjDSTilPpaUjgP1AfSjX9WGzitZwGUY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.8.2 h1:xehSyVa0YnHWsJ49JFljMpg1HX19V6NDZ1fkm1Xznbo= -github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= -github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= @@ -252,7 +239,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= -github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -378,7 +364,6 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= @@ -443,7 +428,6 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -527,7 +511,6 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df h1:5Pf6pFKu98ODmgnpvkJ3kFUOQGGLIzLIkbzUHp47618= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= @@ -558,7 +541,6 @@ google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6 google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= -google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= 
@@ -635,8 +617,6 @@ google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEc google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= @@ -711,7 +691,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/ini.v1 v1.66.4 h1:SsAcf+mM7mRZo2nJNGt8mZCjG8ZRaNGMURJw7BsIST4= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/cmd/cert-rotation/main.go b/cmd/cert-rotation/main.go index e02a1b41..1e15247d 100644 --- a/cmd/cert-rotation/main.go +++ b/cmd/cert-rotation/main.go 
@@ -25,7 +25,6 @@ import ( "time" kms "cloud.google.com/go/kms/apiv1" - "github.com/abcxyz/jvs/pkg/cleanup" "github.com/abcxyz/jvs/pkg/config" "github.com/abcxyz/jvs/pkg/jvscrypto" "github.com/abcxyz/pkg/logging" @@ -82,7 +81,7 @@ func realMain(ctx context.Context) error { if err != nil { return fmt.Errorf("failed to setup kms client: %w", err) } - defer cleanup.GracefulClose(logger, kmsClient) + defer kmsClient.Close() config, err := config.LoadCryptoConfig(ctx, []byte{}) if err != nil { diff --git a/cmd/justification/main.go b/cmd/justification/main.go index 5e53cc1c..6bacb30c 100644 --- a/cmd/justification/main.go +++ b/cmd/justification/main.go @@ -21,10 +21,8 @@ import ( "os/signal" "syscall" - "cloud.google.com/go/firestore" kms "cloud.google.com/go/kms/apiv1" jvspb "github.com/abcxyz/jvs/apis/v0" - "github.com/abcxyz/jvs/pkg/cleanup" "github.com/abcxyz/jvs/pkg/config" "github.com/abcxyz/jvs/pkg/justification" "github.com/abcxyz/pkg/grpcutil" @@ -36,10 +34,6 @@ import ( "google.golang.org/grpc/reflection" ) -const ( - jvsKeyConfigPath = "jvs/key_config" -) - func main() { ctx, done := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM) defer done() 
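Review bot: `defer kmsClient.Close()` in realMain of cmd/cert-rotation/main.go discards the error that the removed `cleanup.GracefulClose(logger, kmsClient)` used to log, so a failed close of the KMS client is now silent. If that log line is still wanted, it can stay inline as `defer func() { if err := kmsClient.Close(); err != nil { logger.Errorf("failed to close: %v", err) } }()`. The same replacement is made in the realMain hunk of cmd/public-key/main.go. realMain continues outside the hunk, so whether `logger` is still used elsewhere in it is not visible here.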
@@ -69,21 +63,13 @@ func realMain(ctx context.Context) error { if err != nil { return fmt.Errorf("failed to setup kms client: %w", err) } - defer cleanup.GracefulClose(logger, kmsClient) authHandler, err := grpcutil.NewJWTAuthenticationHandler(ctx, grpcutil.NoJWTAuthValidation()) if err != nil { return fmt.Errorf("failed to setup grpc auth handler: %w", err) } - firestoreClient, err := firestore.NewClient(ctx, cfg.FirestoreProjectID) - if err != nil { - return fmt.Errorf("failed to create Firestore client: %w", err) - } - defer cleanup.GracefulClose(logger, firestoreClient) - - keyCfg := config.NewFirestoreConfig(firestoreClient, jvsKeyConfigPath) - p := justification.NewProcessor(kmsClient, keyCfg, cfg, authHandler) + p := justification.NewProcessor(kmsClient, cfg, authHandler) jvsAgent := justification.NewJVSAgent(p) jvspb.RegisterJVSServiceServer(s, jvsAgent) reflection.Register(s) diff --git a/cmd/manual-cert-actions/main.go b/cmd/manual-cert-actions/main.go index bce570b8..4c51dc6a 100644 --- a/cmd/manual-cert-actions/main.go +++ b/cmd/manual-cert-actions/main.go @@ -24,7 +24,6 @@ import ( kms "cloud.google.com/go/kms/apiv1" jvspb "github.com/abcxyz/jvs/apis/v0" - "github.com/abcxyz/jvs/pkg/cleanup" "github.com/abcxyz/jvs/pkg/config" "github.com/abcxyz/jvs/pkg/jvscrypto" "github.com/abcxyz/pkg/logging" @@ -64,7 +63,6 @@ func realMain(ctx context.Context) error { if err != nil { return fmt.Errorf("failed to setup kms client: %w", err) } - defer cleanup.GracefulClose(logger, kmsClient) handler := &jvscrypto.RotationHandler{ KMSClient: kmsClient, diff --git a/cmd/public-key/main.go b/cmd/public-key/main.go index 49f8d4fa..5c0fac1b 100644 --- a/cmd/public-key/main.go +++ b/cmd/public-key/main.go @@ -24,8 +24,6 @@ import ( "syscall" "time" - "github.com/abcxyz/jvs/pkg/cleanup" - kms "cloud.google.com/go/kms/apiv1" "github.com/abcxyz/jvs/pkg/config" "github.com/abcxyz/jvs/pkg/jvscrypto" 
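Review bot: In cmd/justification/main.go the `defer cleanup.GracefulClose(logger, kmsClient)` line is removed from realMain with no replacement, so the KMS client created just above is not closed on any return path visible in the hunk. The realMain hunk of cmd/manual-cert-actions/main.go drops the call in the same way. This commit gives cmd/cert-rotation and cmd/public-key a `defer kmsClient.Close()`, and adding the same line after the `failed to setup kms client` check would keep the four binaries consistent. realMain continues outside both hunks, so a close further down cannot be ruled out from here.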
@@ -57,7 +55,7 @@ func realMain(ctx context.Context) error { if err != nil { return fmt.Errorf("failed to setup kms client: %w", err) } - defer cleanup.GracefulClose(logger, kmsClient) + defer kmsClient.Close() config, err := config.LoadPublicKeyConfig(ctx, []byte{}) if err != nil { diff --git a/go.mod b/go.mod index 3b67fbce..831e9618 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,6 @@ module github.com/abcxyz/jvs go 1.18 require ( - cloud.google.com/go/firestore v1.6.1 cloud.google.com/go/kms v1.4.0 github.com/abcxyz/pkg v0.0.0-20220719233420-62c7b76c10e9 github.com/golang-jwt/jwt v3.2.2+incompatible @@ -14,7 +13,6 @@ require ( github.com/sethvargo/go-envconfig v0.8.0 github.com/sethvargo/go-gcpkms v0.1.0 github.com/sethvargo/go-retry v0.2.3 - github.com/spf13/afero v1.8.2 github.com/spf13/cobra v1.4.0 github.com/spf13/viper v1.12.0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.32.0 @@ -52,6 +50,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.1 // indirect + github.com/spf13/afero v1.8.2 // indirect github.com/spf13/cast v1.5.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect @@ -65,7 +64,6 @@ require ( golang.org/x/net v0.0.0-20220531201128-c960675eff93 // indirect golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect golang.org/x/text v0.3.7 // indirect - golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/ini.v1 v1.66.4 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/go.sum b/go.sum index b839f9b4..554e004d 100644 --- a/go.sum +++ b/go.sum 
@@ -47,8 +47,6 @@ cloud.google.com/go/compute v1.6.1 h1:2sMmt8prCn7DPaG4Pmh0N3Inmc8cT8ae5k1M6VJ9Wq cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/firestore v1.6.1 h1:8rBq3zRjnHx8UtBvaOWqBB1xq9jH6/wltfQLlTMh2Fw= -cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY= cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= @@ -427,7 +425,6 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= 
@@ -497,7 +494,6 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -583,7 +579,6 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df h1:5Pf6pFKu98ODmgnpvkJ3kFUOQGGLIzLIkbzUHp47618= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= 
@@ -614,7 +609,6 @@ google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6 google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= -google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= @@ -695,8 +689,6 @@ google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEc google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= diff --git a/pkg/cleanup/util.go b/pkg/cleanup/util.go deleted file mode 100644 index d295efd1..00000000 --- a/pkg/cleanup/util.go +++ /dev/null 
@@ -1,29 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Package cleanup provides files and methods related to clean up -package cleanup - -import ( - "io" - - "go.uber.org/zap" -) - -// GracefulClose calls Close() and logs the error if there is. -func GracefulClose(logger *zap.SugaredLogger, c io.Closer) { - if err := c.Close(); err != nil { - logger.Errorf("failed to close: %v", err) - } -} diff --git a/pkg/config/jvs_config.go b/pkg/config/justification_config.go similarity index 81% rename from pkg/config/jvs_config.go rename to pkg/config/justification_config.go index 899724e3..79e72c1f 100644 --- a/pkg/config/jvs_config.go +++ b/pkg/config/justification_config.go @@ -25,10 +25,6 @@ import ( "gopkg.in/yaml.v2" ) -const ( - JVSKeyNameField = "key_name" -) - // JustificationConfigVersions is the list of allowed versions for the // JustificationConfig. var JustificationConfigVersions = NewVersionList("1") 
@@ -41,8 +37,9 @@ type JustificationConfig struct { // Service configuration. Port string `yaml:"port,omitempty" env:"PORT,overwrite,default=8080"` - // FirestoreProjectID is the ID of GCP project where the Firestore documents with the KMS key locates - FirestoreProjectID string `yaml:"firestore_project_id,omitempty" env:"FIRESTORE_PROJECT_ID,overwrite"` + // KeyName format: `projects/*/locations/*/keyRings/*/cryptoKeys/*` + // https://pkg.go.dev/google.golang.org/genproto/googleapis/cloud/kms/v1#CryptoKey + KeyName string `yaml:"key,omitempty" env:"KEY,overwrite"` // SignerCacheTimeout is the duration that keys stay in cache before being revoked. SignerCacheTimeout time.Duration `yaml:"signer_cache_timeout" env:"SIGNER_CACHE_TIMEOUT,overwrite,default=5m"` @@ -64,10 +61,6 @@ func (cfg *JustificationConfig) Validate() error { err = multierror.Append(err, fmt.Errorf("cache timeout must be a positive duration, got %s", cfg.SignerCacheTimeout)) } - - if cfg.FirestoreProjectID == "" { - err = multierror.Append(err, fmt.Errorf("firestore project id can't be empty")) - } return err.ErrorOrNil() } @@ -95,10 +88,3 @@ func loadJustificationConfigFromLookuper(ctx context.Context, b []byte, lookuper return cfg, nil } - -// JVSKeyConfig is the config used for KMS Key storing in jvs. -type JVSKeyConfig struct { - // KeyName format: `[projects/*/locations/*/keyRings/*/cryptoKeys/*]` - // mapstructure tag is used for fake remote config with viper - KeyName string `yaml:"key_name,omitempty" mapstructure:"key_name" firestore:"key_name,omitempty"` -} diff --git a/pkg/config/jvs_config_test.go b/pkg/config/justification_config_test.go similarity index 85% rename from pkg/config/jvs_config_test.go rename to pkg/config/justification_config_test.go index 5b371e92..aaaa020a 100644 --- a/pkg/config/jvs_config_test.go +++ b/pkg/config/justification_config_test.go 
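Review bot: `Validate()` loses the `FirestoreProjectID` emptiness check but gains none for the new `KeyName` field, so a service started without `key` in the YAML or the `KEY` env value passes validation. It then fails only when `getLatestSigner` in pkg/justification/processor.go passes the empty string to `jvscrypto.GetLatestKeyVersion`. Because this field now selects the KMS key behind the signer, rejecting an empty value at load time is the safer default: `if cfg.KeyName == "" { err = multierror.Append(err, fmt.Errorf("key name can't be empty")) }`. A shape check against the documented `projects/*/locations/*/keyRings/*/cryptoKeys/*` form could sit in the same place. Validate's body starts outside the hunk.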
@@ -51,7 +51,6 @@ func TestLoadJustificationConfig(t *testing.T) { t.Parallel() ctx := context.Background() - fakeFirestoreProjectID := "fakeProject" tests := []struct { name string cfg string @@ -64,27 +63,22 @@ func TestLoadJustificationConfig(t *testing.T) { cfg: ` port: 123 version: 1 -firestore_project_id: fakeProject signer_cache_timeout: 1m issuer: jvs `, wantConfig: &JustificationConfig{ Port: "123", Version: "1", - FirestoreProjectID: fakeFirestoreProjectID, SignerCacheTimeout: 1 * time.Minute, Issuer: "jvs", }, }, { name: "test_default", - cfg: ` -firestore_project_id: fakeProject -`, + cfg: ``, wantConfig: &JustificationConfig{ Port: "8080", Version: "1", - FirestoreProjectID: fakeFirestoreProjectID, SignerCacheTimeout: 5 * time.Minute, Issuer: "jvs.abcxyz.dev", }, @@ -93,7 +87,6 @@ firestore_project_id: fakeProject name: "test_wrong_version", cfg: ` version: 255 -firestore_project_id: fakeProject `, wantConfig: nil, wantErr: `version "255" is invalid, valid versions are:`, @@ -102,42 +95,27 @@ firestore_project_id: fakeProject name: "test_invalid_signer_cache_timeout", cfg: ` signer_cache_timeout: -1m -firestore_project_id: fakeProject `, wantConfig: nil, wantErr: `cache timeout must be a positive duration, got -1m0s`, }, - { - name: "test_blank_project_id", - cfg: ` -port: 123 -version: 1 -signer_cache_timeout: 1m -issuer: jvs -`, - wantConfig: nil, - wantErr: "firestore project id can't be empty", - }, { name: "all_values_specified_env_override", cfg: ` version: 1 port: 8080 -firestore_project_id: fakeProject signer_cache_timeout: 1m issuer: jvs `, envs: map[string]string{ "JVS_VERSION": "1", "JVS_PORT": "tcp", - "JVS_FIRESTORE_PROJECT_ID": "fakeProject1", "JVS_SIGNER_CACHE_TIMEOUT": "2m", "JVS_ISSUER": "other", }, wantConfig: &JustificationConfig{ Version: "1", Port: "tcp", - FirestoreProjectID: "fakeProject1", SignerCacheTimeout: 2 * time.Minute, Issuer: "other", }, 
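Review bot: No case in TestLoadJustificationConfig sets `key:` in the YAML or a key entry in `envs` (presumably `JVS_KEY`, by analogy with `JVS_PORT`), so the `yaml:"key"` and `env:"KEY,overwrite"` tags on the new `KeyName` field are never exercised. Adding a constructed sample such as `key: projects/p/locations/l/keyRings/r/cryptoKeys/k` to the all-values case, with the matching `KeyName` in `wantConfig`, would cover the field that now determines the signing key. If an emptiness check is added to `Validate()`, a case replacing the removed `test_blank_project_id` would pin that too. The test function starts and ends outside the hunk.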
diff --git a/pkg/config/remote_config.go b/pkg/config/remote_config.go
deleted file mode 100644
index 51c51cd0..00000000
--- a/pkg/config/remote_config.go
+++ /dev/null
@@ -1,82 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package config - -import ( - "context" - "fmt" - - "cloud.google.com/go/firestore" -) - -// RemoteConfig for remote support of reading/writing config. -type RemoteConfig interface { - // Unmarshal read remote config and store the result in the value pointed to by 'data'. - Unmarshal(ctx context.Context, data any) error - - // Get get remote config by 'key'. - Get(ctx context.Context, key string) (any, error) - - // Set set remote config by 'key', accepts simpler form of field path as a string in which the individual fields are separated by dots as the key. - Set(ctx context.Context, key string, value any) error -} - -// FirestoreConfig for support of reading/writing config in Firestore. -type FirestoreConfig struct { - client *firestore.Client - docFullPath string -} - -// NewFirestoreConfig allocates and returns a new FirestoreConfig which is used to reading/writing config stored at location pointed by `docFullPath`. -func NewFirestoreConfig(client *firestore.Client, docFullPath string) *FirestoreConfig { - return &FirestoreConfig{ - client: client, - docFullPath: docFullPath, - } -} - -// Unmarshal read the whole firestore document and store the result in the value pointed to by 'data'. 
-func (cfg *FirestoreConfig) Unmarshal(ctx context.Context, data any) error { - snap, err := cfg.client.Doc(cfg.docFullPath).Get(ctx) - if err != nil { - return fmt.Errorf("failed to read from FireStore Doc %s: %w", cfg.docFullPath, err) - } - if err = snap.DataTo(data); err != nil { - return fmt.Errorf("failed to use firestore document's fields to populate struct: %w", err) - } - return nil -} - -// Get get firestore document's field by 'key'. -func (cfg *FirestoreConfig) Get(ctx context.Context, key string) (any, error) { - snap, err := cfg.client.Doc(cfg.docFullPath).Get(ctx) - if err != nil { - return nil, fmt.Errorf("failed to read from FireStore Doc %s: %w", cfg.docFullPath, err) - } - value, err := snap.DataAt(key) - if err != nil { - return nil, fmt.Errorf("failed to read from FireStore Doc %s Key %s: %w", cfg.docFullPath, key, err) - } - return value, nil -} - -// Set set firestore document's field by 'key', accepts simpler form of field path as a string in which the individual fields are separated by dots as the key. -func (cfg *FirestoreConfig) Set(ctx context.Context, key string, value any) error { - doc := cfg.client.Doc(cfg.docFullPath) - if _, err := doc.Update(ctx, []firestore.Update{{Path: key, Value: value}}); err != nil { - return fmt.Errorf("failed to update remote config with key %s: %w", key, err) - } - return nil -} diff --git a/pkg/justification/processor.go b/pkg/justification/processor.go index 48775a07..d331d9dd 100644 --- a/pkg/justification/processor.go +++ b/pkg/justification/processor.go @@ -40,7 +40,6 @@ import ( type Processor struct { jvspb.UnimplementedJVSServiceServer kms *kms.KeyManagementClient - keyConfig config.RemoteConfig config *config.JustificationConfig cache *cache.Cache[*signerWithID] authHandler *grpcutil.JWTAuthenticationHandler 
@@ -52,12 +51,10 @@ type signerWithID struct { } // NewProcessor creates a processor with the signer cache initialized. -func NewProcessor(kms *kms.KeyManagementClient, keyConfig config.RemoteConfig, config *config.JustificationConfig, authHandler *grpcutil.JWTAuthenticationHandler) *Processor { +func NewProcessor(kms *kms.KeyManagementClient, config *config.JustificationConfig, authHandler *grpcutil.JWTAuthenticationHandler) *Processor { cache := cache.New[*signerWithID](config.SignerCacheTimeout) - return &Processor{ kms: kms, - keyConfig: keyConfig, config: config, cache: cache, authHandler: authHandler, @@ -101,11 +98,7 @@ func (p *Processor) CreateToken(ctx context.Context, request *jvspb.CreateJustif } func (p *Processor) getLatestSigner(ctx context.Context) (*signerWithID, error) { - keyName, err := p.keyConfig.Get(ctx, config.JVSKeyNameField) - if err != nil { - return nil, fmt.Errorf("failed to get remoteConfig: %w", err) - } - ver, err := jvscrypto.GetLatestKeyVersion(ctx, p.kms, keyName.(string)) + ver, err := jvscrypto.GetLatestKeyVersion(ctx, p.kms, p.config.KeyName) if err != nil { return nil, fmt.Errorf("failed to get key version, %w", err) } diff --git a/pkg/justification/processor_test.go b/pkg/justification/processor_test.go index 7e6e60da..107c98d6 100644 --- a/pkg/justification/processor_test.go +++ b/pkg/justification/processor_test.go @@ -42,7 +42,6 @@ import ( "google.golang.org/grpc/metadata" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/durationpb" - "gopkg.in/yaml.v2" ) type MockJWTAuthHandler struct { 
@@ -134,19 +133,10 @@ func TestCreateToken(t *testing.T) { if err != nil { t.Fatal(err) } - jvsKeyConfig := config.JVSKeyConfig{KeyName: key} - configBytes, err := yaml.Marshal(jvsKeyConfig) - if err != nil { - t.Fatal(err) - } - keyConfig, err := testutil.NewFakeRemoteConfig(string(configBytes), "yaml") - if err != nil { - t.Fatalf("failed to create mock remote config: %v", err) - } - processor := NewProcessor(c, keyConfig, &config.JustificationConfig{ - FirestoreProjectID: "fakeProject", + processor := NewProcessor(c, &config.JustificationConfig{ Version: "1", + KeyName: key, SignerCacheTimeout: 5 * time.Minute, Issuer: "test-iss", }, authHandler) diff --git a/pkg/testutil/remote_config_fake.go b/pkg/testutil/remote_config_fake.go deleted file mode 100644 index ea05f552..00000000 --- a/pkg/testutil/remote_config_fake.go +++ /dev/null 
@@ -1,59 +0,0 @@
-// Copyright 2022 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package testutil provides utilities that are intended to enable easier
-// and more concise writing of unit test code.
-package testutil
-
-import (
- "bytes"
- "context"
-
- "github.com/spf13/afero"
- "github.com/spf13/viper"
-)
-
-// FakeRemoteConfig in memory viper implementation of interface `RemoteConfig`.
-type FakeRemoteConfig struct {
- configType string
- v *viper.Viper
-}
-
-// NewFakeRemoteConfig allocates and returns a new FakeRemoteConfig which is used to reading/writing config stored at location pointed by `fileName`.
-func NewFakeRemoteConfig(str, configType string) (*FakeRemoteConfig, error) {
- v := viper.New()
- fs := afero.NewMemMapFs()
- v.SetFs(fs)
- v.SetConfigType(configType)
- if err := v.ReadConfig(bytes.NewBuffer([]byte(str))); err != nil {
- return nil, err
- }
- return &FakeRemoteConfig{configType: configType, v: v}, nil
-}
-
-// Unmarshal read the whole document and store the result in the value pointed to by 'data'.
-func (m *FakeRemoteConfig) Unmarshal(ctx context.Context, data any) error {
- return m.v.Unmarshal(data)
-}
-
-// Get get document's field by 'key'.
-func (m *FakeRemoteConfig) Get(ctx context.Context, key string) (any, error) {
- return m.v.Get(key), nil
-}
-
-// Set set document's field by 'key', accepts simpler form of field path as a string in which the individual fields are separated by dots as the key.
-func (m *FakeRemoteConfig) Set(ctx context.Context, key string, value any) error {
- m.v.Set(key, value)
- return nil
-}
diff --git a/pkg/testutil/remote_config_fake_test.go b/pkg/testutil/remote_config_fake_test.go
deleted file mode 100644
index e88db322..00000000
--- a/pkg/testutil/remote_config_fake_test.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package testutil
-
-import (
- "context"
- "testing"
-
- "github.com/abcxyz/jvs/pkg/config"
- "github.com/google/go-cmp/cmp"
- "gopkg.in/yaml.v2"
-)
-
-func TestUnmarshal(t *testing.T) {
- t.Parallel()
- ctx := context.Background()
-
- keyName := "projects/fake_project/locations/us-west-1/keyRings/test-key-ring/cryptoKeys/test-key"
- jvsKeyConfig := config.JVSKeyConfig{KeyName: keyName}
- keyCfg, err := NewFakeRemoteConfig(testYAMLStr(t, jvsKeyConfig), "yaml")
- if err != nil {
- t.Fatalf("failed to create fake remote config: %v", err)
- }
-
- var gotJVSKeyConfig config.JVSKeyConfig
- if err = keyCfg.Unmarshal(ctx, &gotJVSKeyConfig); err != nil {
- t.Errorf("unexpected error when unmarshaling : %v", err)
- return
- }
- if diff := cmp.Diff(gotJVSKeyConfig, jvsKeyConfig); diff != "" {
- t.Errorf("Got diff (-want, +got): %v", diff)
- }
-}
-
-func TestGetAndSet(t *testing.T) {
- t.Parallel()
- ctx := context.Background()
-
- keyName := "projects/fake_project/locations/us-west-1/keyRings/test-key-ring/cryptoKeys/test-key"
- jvsKeyConfig := config.JVSKeyConfig{KeyName: keyName}
- keyCfg, err := NewFakeRemoteConfig(testYAMLStr(t, jvsKeyConfig), "yaml")
- if err != nil {
- t.Fatalf("failed to create fake remote config: %v", err)
- }
- gotKeyName, err := keyCfg.Get(ctx, config.JVSKeyNameField)
- if err != nil {
- t.Errorf("unexpected error when getting field : %v", err)
- return
- }
- if diff := cmp.Diff(gotKeyName, keyName); diff != "" {
- t.Errorf("Got diff (-want, +got): %v", diff)
- }
-
- updatedFakeKeyName := "test-key"
- if err = keyCfg.Set(ctx, config.JVSKeyNameField, updatedFakeKeyName); err != nil {
- t.Errorf("unexpected error when setting field : %v", err)
- return
- }
- gotUpdatedKeyName, err := keyCfg.Get(ctx, config.JVSKeyNameField)
- if err != nil {
- t.Errorf("unexpected error when getting field : %v", err)
- return
- }
- if diff := cmp.Diff(gotUpdatedKeyName, updatedFakeKeyName); diff != "" {
- t.Errorf("Got diff (-want, +got): %v", diff)
- } -} - -func testYAMLStr(tb testing.TB, in interface{}) string { - tb.Helper() - inBytes, err := yaml.Marshal(in) - if err != nil { - tb.Fatalf("failed to marshal: %v", err) - } - return string(inBytes) -} diff --git a/scripts/integration_build.sh b/scripts/integration_build.sh index 79b7b126..9f16f0d7 100755 --- a/scripts/integration_build.sh +++ b/scripts/integration_build.sh @@ -20,7 +20,6 @@ printf "Argument keyring_id is %s\n" "${KEYRING_ID}" export TEST_JVS_KMS_KEY_RING="projects/${PROJECT_ID}/locations/global/keyRings/${KEYRING_ID}" export TEST_JVS_INTEGRATION=true -export TEST_JVS_FIRESTORE_PROJECT_ID=${PROJECT_ID} cd ${ROOT} -go clean -testcache && go test ./test/integ/... +go test ./test/integ/... diff --git a/test/integ/main_test.go b/test/integ/main_test.go index 751ff544..4d9b6f60 100644 --- a/test/integ/main_test.go +++ b/test/integ/main_test.go @@ -31,7 +31,6 @@ import ( "testing" "time" - "cloud.google.com/go/firestore" kms "cloud.google.com/go/kms/apiv1" jvspb "github.com/abcxyz/jvs/apis/v0" "github.com/abcxyz/jvs/pkg/config" @@ -64,12 +63,6 @@ func TestJVS(t *testing.T) { if keyRing == "" { t.Fatal("Key ring must be provided using TEST_JVS_KMS_KEY_RING env variable.") } - fireStoreProjectID := os.Getenv("TEST_JVS_FIRESTORE_PROJECT_ID") - if keyRing == "" { - t.Fatal("Firestore project id must be provided using TEST_JVS_FIRESTORE_PROJECT_ID env variable.") - } - // TODO(#94): Use unique firestore path to avoid conflicts in integ tests. - justificationConfigFullPath := "jvs/key_config" kmsClient, err := kms.NewKeyManagementClient(ctx) if err != nil { @@ -87,7 +80,7 @@ func TestJVS(t *testing.T) { cfg := &config.JustificationConfig{ Version: "1", - FirestoreProjectID: fireStoreProjectID, + KeyName: keyName, Issuer: "ci-test", SignerCacheTimeout: 1 * time.Nanosecond, // no caching } 
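Review bot: Dropping `go clean -testcache` from the last line of `scripts/integration_build.sh` lets `go test ./test/integ/...` report a cached pass when the test sources and the environment variables the test reads are unchanged, even though these tests exist to exercise the live KMS key ring. If the clean was removed only to avoid wiping the whole build cache, `go test -count=1 ./test/integ/...` disables result caching for just this run. A short comment above the command, such as `# -count=1: integration tests talk to real KMS, never reuse cached results`, would keep the flag from being removed later.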
@@ -120,21 +113,7 @@ func TestJVS(t *testing.T) { "authorization": "Bearer " + validJWT, })) - firestoreClient, err := firestore.NewClient(ctx, cfg.FirestoreProjectID) - if err != nil { - t.Fatalf("failed to create Firestore client: %v", err) - } - - testCreateRemoteConfig(ctx, t, firestoreClient, justificationConfigFullPath, config.JVSKeyConfig{KeyName: keyName}) - t.Cleanup(func() { - testCleanUpRemoteConfig(ctx, t, firestoreClient, justificationConfigFullPath) - if err := firestoreClient.Close(); err != nil { - t.Errorf("clean up of firestore client failed: %v", err) - } - }) - - fireStoreRemoteConfig := config.NewFirestoreConfig(firestoreClient, justificationConfigFullPath) - p := justification.NewProcessor(kmsClient, fireStoreRemoteConfig, cfg, authHandler) + p := justification.NewProcessor(kmsClient, cfg, authHandler) jvsAgent := justification.NewJVSAgent(p) tests := []struct { @@ -921,17 +900,3 @@ func testValidatePublicKeys(ctx context.Context, tb testing.TB, ks *jvscrypto.Ke tb.Errorf("GotPublicKeys diff (-want, +got): %v", diff) } } - -func testCreateRemoteConfig(ctx context.Context, tb testing.TB, firestoreClient *firestore.Client, docFullPath string, data interface{}) { - tb.Helper() - if _, err := firestoreClient.Doc(docFullPath).Create(ctx, data); err != nil { - tb.Fatalf("failed to create remote config at path %v with error %v", docFullPath, err) - } -} - -func testCleanUpRemoteConfig(ctx context.Context, tb testing.TB, firestoreClient *firestore.Client, docFullPath string) { - tb.Helper() - if _, err := firestoreClient.Doc(docFullPath).Delete(ctx); err != nil { - tb.Errorf("failed to cleanup remote config at path %v with error %v", docFullPath, err) - } -}