27

When you create an azure keyvault with soft delete enabled that keyvault persists even if you delete it and re-create it from scratch.

When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

You also get this error message when you try and delete the keyvault through the UI:

The soft delete feature has been enabled on this key vault. After you soft delete this key vault, it will remain in your subscription as a hidden vault. It will get purged after the retention period you specified. You may purge it sooner, or restore the vault, using Azure Portal, Azure PowerShell, or Azure CLI. See this page for reference: https://learn.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete

This is causing me issues in dev. I created a keyvault with soft delete enabled (by accident) and now I want to completely remove that keyvault and re-create it with different settings. Every time I delete it and re-create it, it includes all the previous settings, keys, etc. I also can't create a keyvault, with the same name, with soft delete disabled. It complains that a keyvault with that name already exists (VaultAlreadyExists exception) and that the settings are not compatible.

The keyvault docs on MSDN (the link from the above message in Azure) mention how to permanently purge a soft delete, but its slightly euphemistic sentence isn't that helpful to me:

Permanently deleting, purging, a key vault is possible via a POST operation on the proxy resource and requires special privileges.

So how do I get rid of this thing?

Liam

3 Answers

58

First thing to note, as I've subsequently found out, is that soft delete will be enabled by default any time now. So the disabling of soft delete is now effectively deprecated. But I still wanted to completely delete my keyvault.

After doing a bit of digging in the Azure CLI I stumbled across this command:

az keyvault purge --name
                  [--location]
                  [--no-wait]
                  [--subscription]

So providing you are logged in with a user that has enough privileges to run this, you can permanently delete the entire key vault using the command:

az keyvault purge --name keyvaultname

This permanently and irrevocably removes the keyvault, all its keys and settings. There doesn't seem to be a way in the Azure UI to do this without using the CLI or some other tool. It seems this is supported in the UI as well now, see here:

  1. Log in to the Azure portal.
  2. Click on the search bar at the top of the page.
  3. Under "Recent Services" click "Key Vault". Do not click an individual key vault.
  4. At the top of the screen click the option to "Manage deleted vaults"
  5. A context pane will open on the right side of your screen.
  6. Select your subscription.
  7. If your key vault has been soft deleted it will appear in the context pane on the right.
  8. If there are too many vaults, you can either click "Load More" at the bottom of the context pane or use CLI or PowerShell to get the results.
  9. Once you find the vault you wish to recover or purge, select the checkbox next to it.
  10. Select the recover option at the bottom of the context pane if you would like to recover the key vault.
  11. Select the purge option if you would like to permanently delete the key vault.

Liam

  • still can't get around purge protection. you get a "(MethodNotAllowed) Operation 'DeletedVaultPurge' is not allowed." when you attempt. – Shawn Cicoria Feb 16 '21 at 14:41
  • sounds like you don't have purge permissions on the resource group @ShawnCicoria – Liam Feb 16 '21 at 14:50
  • `az keyvault purge --name mykv` == `No deleted Vault or HSM was found with name mykv`. Even though it's still there. Azure is so unbelievably frustrating. – volvox Jul 25 '21 at 23:42
  • Make sure you're on the correct subscription when running that from the CLI ^. You can try from the Azure Portal now as well: https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal – cody.codes Jul 26 '21 at 20:08
  • @volvox also, specify the --location parameter. – Skrymsli Nov 09 '22 at 21:16
  • UI worked for me. CLI did not work for me. – Sebastian Patten Feb 10 '23 at 15:18
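The comments on this answer boil down to three things that make `az keyvault purge` fail or misbehave: the wrong subscription, a missing `--location`, and purge protection (the `MethodNotAllowed` / `DeletedVaultPurge` rejection). The script below is an added example, not code from the answer or from Azure; it reads the output of `az keyvault list-deleted` (the JSON field names `name`, `properties.location`, `properties.purgeProtectionEnabled` and `properties.scheduledPurgeDate` are those the CLI returns), checks those three conditions, and only then builds the exact purge command with `--location` and `--subscription` filled in. The `SAMPLE_LISTING` is constructed so the planning logic runs offline; `run_az` and `purge_deleted_vault` assume the `az` CLI is installed and logged in.

```python
"""Plan (and optionally run) a Key Vault purge from `az keyvault list-deleted` output.

Added example. The decision logic is pure so it can be exercised offline; only
run_az()/purge_deleted_vault() touch the real Azure CLI (assumed on PATH, logged in).
"""
import json
import subprocess

# Constructed sample of what `az keyvault list-deleted -o json` returns for one
# subscription: one vault that can be purged, one with purge protection enabled.
SAMPLE_LISTING = [
    {
        "name": "dev-kv-open",
        "type": "Microsoft.KeyVault/deletedVaults",
        "properties": {
            "location": "westeurope",
            "deletionDate": "2023-07-01T10:00:00+00:00",
            "scheduledPurgeDate": "2023-09-29T10:00:00+00:00",
            "purgeProtectionEnabled": False,
            "vaultId": "/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>/resourceGroups/dev-rg/providers/Microsoft.KeyVault/vaults/dev-kv-open",
        },
    },
    {
        "name": "prod-kv-locked",
        "type": "Microsoft.KeyVault/deletedVaults",
        "properties": {
            "location": "northeurope",
            "deletionDate": "2023-07-02T08:30:00+00:00",
            "scheduledPurgeDate": "2023-09-30T08:30:00+00:00",
            "purgeProtectionEnabled": True,
            "vaultId": "/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv-locked",
        },
    },
]


def run_az(args):
    """Run an Azure CLI command and return its parsed JSON output."""
    result = subprocess.run(["az", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def find_deleted_vault(listing, name):
    """Return the soft-deleted vault entry whose name matches (vault names are case-insensitive)."""
    for vault in listing:
        if vault.get("name", "").lower() == name.lower():
            return vault
    return None


def plan_purge(listing, name, subscription=None):
    """Decide what can be done about a soft-deleted vault.

    Returns (action, detail):
      ("not-found", message)  not in this subscription's deleted list (wrong subscription, or never deleted)
      ("blocked", message)    purge protection is on; the service rejects DeletedVaultPurge
      ("purge", argv)         the exact `az keyvault purge` command, with --location (and --subscription) set
    """
    vault = find_deleted_vault(listing, name)
    if vault is None:
        return ("not-found",
                f"{name!r} is not soft-deleted in this subscription; check `az account show` "
                "and pass --subscription if the vault lives elsewhere")
    props = vault.get("properties", {})
    if props.get("purgeProtectionEnabled"):
        purge_date = props.get("scheduledPurgeDate", "the end of the retention period")
        return ("blocked",
                f"{name!r} has purge protection enabled; it can only be recovered until "
                f"the service purges it automatically on {purge_date}")
    argv = ["az", "keyvault", "purge", "--name", vault["name"],
            "--location", props["location"]]
    if subscription:
        argv += ["--subscription", subscription]
    return ("purge", argv)


def purge_deleted_vault(name, subscription=None, dry_run=True):
    """Fetch the live deleted-vault listing and purge, or only print the plan when dry_run=True."""
    scope = ["--subscription", subscription] if subscription else []
    listing = run_az(["keyvault", "list-deleted", *scope])
    action, detail = plan_purge(listing, name, subscription)
    if action != "purge" or dry_run:
        print(action, detail)
        return action
    subprocess.run(detail, check=True)  # irreversible: every key, secret and certificate is gone
    return action


if __name__ == "__main__":
    # Offline demonstration against the constructed listing.
    for vault_name in ("dev-kv-open", "prod-kv-locked", "missing-kv"):
        print(vault_name, "->", plan_purge(SAMPLE_LISTING, vault_name, subscription="my-dev-sub"))
```

Running it against the sample prints a ready-to-paste purge command for `dev-kv-open`, a "blocked" explanation for the purge-protected vault, and "not-found" for a name that is not in the listing, which is exactly the "No deleted Vault or HSM was found" case when you are on the wrong subscription. The purge itself stays behind `dry_run=False` because there is no undo once it runs.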
10

You can also use Az PS. As per previous answer, this is assuming you have sufficient permissions to the subscription:

Remove-AzKeyVault -VaultName kvname -InRemovedState -Force -Location "Location"

Please see this for reference: https://learn.microsoft.com/en-us/powershell/module/az.keyvault/remove-azkeyvault?view=azps-5.7.0

Also, I used this reference to get the proper order of the parameters as I wasn't familiar with switch parameters and where they go. https://github.com/Azure/azure-powershell/issues/14012

KahlilG
1

As of July 2023, the command

az keyvault purge --name keyvaultname

will do the work. You can go to Azure cloud shell, and type the command. It will work if your user has the privileges.

Raw_Wish