One reason to keep it: Cosign, by default, would create an ephemeral key for signing if the user does not specify a KMS (with an existing stored key) to use. Although it may not be popular to have ephemeral keys with a KMS, I don't think it's invalid.
One detail: Cosign does not create ephemeral keys backed by KMS. Cosign either generates an ephemeral, in-memory key, or uses a provided key, either in a KMS, an HSM, or on disk.
The only place Cosign uses `CreateKey` is with `cosign generate-key-pair`, if a KMS resource is provided. Since it's a limited use case, removing `CreateKey` would likely have no impact. I might also argue that Cosign shouldn't support generating a key pair at all - either Cosign uses an ephemeral key, or you provide your own key.
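To make the distinction in the comment above concrete, here is an added example (not Cosign's code, and not sigstore's real `signature.SignerVerifier` interface, whose method names differ) of a minimal signer/verifier that only ever signs and verifies: the key is either generated ephemerally in memory or loaded from an existing PKCS#8 PEM, and nothing in the signing interface needs a `CreateKey` step. The `SignerVerifier` interface, `ecdsaSV` type, and constructor names are hypothetical stand-ins chosen for this illustration; a KMS or HSM backend would swap the constructor for a remote handle and keep the same two methods.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignerVerifier is a reduced, hypothetical stand-in for the interface
// discussed in the thread: it can sign and verify, and has no CreateKey.
type SignerVerifier interface {
	SignMessage(msg []byte) ([]byte, error)
	VerifySignature(msg, sig []byte) error
}

// ecdsaSV wraps an ECDSA private key. Where the key came from (ephemeral
// in-memory generation, a file, a KMS, an HSM) is the caller's decision;
// the signer itself never creates keys.
type ecdsaSV struct{ priv *ecdsa.PrivateKey }

// SignMessage hashes msg with SHA-256 and returns an ASN.1 ECDSA signature.
func (s *ecdsaSV) SignMessage(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// VerifySignature checks sig over msg against the wrapped public key.
func (s *ecdsaSV) VerifySignature(msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(&s.priv.PublicKey, digest[:], sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// NewEphemeralSigner generates a fresh P-256 key that lives only in memory,
// mirroring the ephemeral-key default described in the thread.
func NewEphemeralSigner() (*ecdsaSV, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ecdsaSV{priv: priv}, nil
}

// LoadSignerFromPEM is the "bring your own key" path: it accepts an
// existing PKCS#8 PEM private key and never generates one.
func LoadSignerFromPEM(pemBytes []byte) (*ecdsaSV, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("not an ECDSA private key")
	}
	return &ecdsaSV{priv: ec}, nil
}

// ExportPEM serialises the private key as PKCS#8 PEM so the on-disk path
// can be exercised in this self-contained example.
func ExportPEM(s *ecdsaSV) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(s.priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// RoundTrip signs msg with signer and verifies it with verifier; it returns
// nil only when verifier holds the public key matching signer.
func RoundTrip(signer, verifier SignerVerifier, msg []byte) error {
	sig, err := signer.SignMessage(msg)
	if err != nil {
		return err
	}
	return verifier.VerifySignature(msg, sig)
}

func main() {
	// Constructed sample payload for the demonstration.
	msg := []byte("sha256:constructed-artifact-digest")

	ephemeral, err := NewEphemeralSigner()
	if err != nil {
		panic(err)
	}
	fmt.Println("ephemeral round trip:", RoundTrip(ephemeral, ephemeral, msg))

	// Same signing interface, key supplied by the caller instead.
	pemBytes, _ := ExportPEM(ephemeral)
	loaded, err := LoadSignerFromPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded-key round trip:", RoundTrip(ephemeral, loaded, msg))
}
```

The point the example makes is structural: both key sources satisfy the same interface, and the only key-creation call (`ecdsa.GenerateKey`) sits in the ephemeral constructor, outside the signer, which is where the thread argues KMS key creation should also stay.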
Description
re: #1901 (review)
We should consider disabling the `SignerVerifier.CreateKey()` method for KMSs, since there may be no extra security benefit for the user.