When you create an azure keyvault with soft delete enabled that keyvault persists even if you delete it and re-create it from scratch.
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
You also get this error message when you try and delete the keyvault though the UI:
The soft delete feature has been enabled on this key vault. After you soft delete this key vault, it will remain in your subscription as a hidden vault. It will get purged after the retention period you specified. You may purge it sooner, or restore the vault, using Azure Portal, Azure PowerShell, or Azure CLI. See this page for reference: https://learn.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete
This is causing me issues in dev. I created a keyvault with soft delete enabled (by accident) and now I want to completely remove that keyvault and re-create it with different settings. Everytime I delete it and re-create it, it includes all the previous settings, keys, etc. I also can't create a keyvault, with the same name, with soft delete disabled. It complains that a keyvault with that name already exists (VaultAlreadyExists
exception) and that the settings are not compatible.
The keyvault docs on MSDN(the link from the above message in Azure) mention how to permanently purge a soft delete but it's slightly euphemistic sentence isn't that helpful to me:
Permanently deleting, purging, a key vault is possible via a POST operation on the proxy resource and requires special privileges.
So how do I get rid of this thing?
Permanently deleting, purging, a key vault is possible via a POST operation on the proxy resource and requires special privileges. Generally, only the subscription owner will be able to purge a key vault. The POST operation triggers the immediate and irrecoverable deletion of that vault. When the Azure subscription has been marked as undeletable.
There are two features available during the creation of the resource that the cloud administrator should be aware of. They are purge protection and soft-delete. When we have those options configured, we cannot reuse Key Vault and Key Vault objects (secrets/keys and certificates) names before the period defined on the policy is reached.
The soft-delete allows the restore of entire vaults and vault objects for 90 days (maximum numbers of days). The purge protection is not enabled by default, but it forces that any deleted object cannot be purged from Azure, and they will remain in that status for 90 days (maximum number of days).
You cannot reuse the name of a key vault that has been soft-deleted until the retention period has passed. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell.
First thing to note, as I've subsequently found out, is that soft delete will be enabled by default by any time now. So the disabling of soft delete is now effectively deprecated. But I still wanted to completely delete my keyvault.
After doing a bit of digging in the azure cli I stumbled across this command:
az keyvault purge --name
[--location]
[--no-wait]
[--subscription]
So providing you are logged in with a user that has enough privilages to run this you can permanatly delete the entire key vault using the command:
az keyvault purge --name keyvaultname
This permanently and irrevocably removes the keyvault, all it's keys and settings. There doesn't seem to be a way in the Azure UI to do this without using the CLI or some other tool. It seems this is supported in the UI as well now, see here:
- Log in to the Azure portal.
- Click on the search bar at the top of the page.
- Under "Recent Services" click "Key Vault". Do not click an individual key vault.
- At the top of the screen click the option to "Manage deleted vaults"
- A context pane will open on the right side of your screen.
- Select your subscription.
- If your key vault has been soft deleted it will appear in the context pane on the right.
- If there are too many vaults, you can either click "Load More" at the bottom of the context pane or use CLI or PowerShell to get the results.
- Once you find the vault you wish to recover or purge, select the checkbox next to it.
- Select the recover option at the bottom of the context pane if you would like to recover the key vault.
- Select the purge option if you would like to permanently delete the key vault.
You can also use Az PS. As per previous answer, this is assuming you have sufficient permissions to the subscription:
Remove-AzKeyVault -VaultName kvname -InRemovedState -Force -Location "Location"
Please see this for reference: https://learn.microsoft.com/en-us/powershell/module/az.keyvault/remove-azkeyvault?view=azps-5.7.0
Also, I used this reference to get the proper order of the parameters as I wasn't familiar with switch parameters and where they go. https://github.com/Azure/azure-powershell/issues/14012
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With