1
votes

I created a Key Vault using PowerShell and enabled it for Soft-Delete and Purge-Protection. I then created some Secrets and pushed them into the new Key Vault. The default Access Policy that gets created when the Key Vault is created gives my account all permissions on Keys, Secrets, and Certificates except for Purge. As expected, when I tried to delete the Secrets and then permanently remove them I got the Forbidden error. I then went and modified the Access Policy to give my account the Purge permission on Secrets thinking this would allow me to permanently delete the Secrets. However, even after giving my account Purge permissions I am still getting the Forbidden error when trying to permanently remove Secrets that are in InRemovedState.


2 Answers

1
votes

If you just enable Soft-Delete, the Purge permission is enough. But if you also enable Purge-Protection, you need to wait for the retention days to delete the secret permanently, no matter what permissions you have.

Reference - Purge protection and Permitted purge.

Exceptions are:

  • When the --enable-purge-protection flag is enabled on the vault itself. In this case, Key Vault will wait for 90 days from when the original secret object was marked for deletion to permanently delete the object.

By default, the retention period is 90 days; if necessary, you can set it from 7 to 90 via PowerShell. (The doc says that once it is set and saved it cannot be changed; actually it can, just use PowerShell.)

# Read the vault's ARM resource, change the retention period, and write it back
$r = Get-AzResource -ResourceGroupName <group-name> -ResourceType Microsoft.KeyVault/vaults -Name <keyvault-name>
$r.Properties.softDeleteRetentionInDays = "7"   # allowed range: 7 to 90 days
$r | Set-AzResource -Force

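
The distinction the answer above draws (purge permission is enough with soft-delete alone, but nothing overrides purge protection) can be checked before retrying a purge. The following is an added example, not code from the question or either answer; it assumes the Az.KeyVault module is installed, Connect-AzAccount has been run, and the vault and secret names are placeholders.

```powershell
# Added example: decide whether a purge of a soft-deleted secret can succeed,
# and report which vault setting blocks it when it cannot.
# Assumes Az.KeyVault is installed and the session is already signed in.
function Test-KeyVaultSecretPurgeable {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found in this subscription." }

    # Soft-delete must be on for a secret to be in the removed state at all.
    if (-not $vault.EnableSoftDelete) {
        return [pscustomobject]@{ Purgeable = $false; Reason = 'Soft-delete is disabled; deletes are already permanent.' }
    }

    $deleted = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -InRemovedState
    if (-not $deleted) {
        return [pscustomobject]@{ Purgeable = $false; Reason = "Secret '$SecretName' is not in the removed state." }
    }

    # With purge protection on, no access policy permission allows an early purge;
    # the secret is removed automatically once the retention period (7-90 days) elapses.
    if ($vault.EnablePurgeProtection) {
        return [pscustomobject]@{
            Purgeable = $false
            Reason    = "Purge protection is enabled; retention is $($vault.SoftDeleteRetentionInDays) days. " +
                        "Scheduled purge date: $($deleted.ScheduledPurgeDate)."
        }
    }

    # Soft-delete only: the purge succeeds once the access policy grants 'purge' on secrets.
    return [pscustomobject]@{ Purgeable = $true; Reason = 'Soft-delete only; the purge permission on secrets is sufficient.' }
}

# Usage with placeholder names: only attempt the purge when the check says it can succeed.
$check = Test-KeyVaultSecretPurgeable -VaultName '<keyvault-name>' -SecretName '<secret-name>'
if ($check.Purgeable) {
    Remove-AzKeyVaultSecret -VaultName '<keyvault-name>' -Name '<secret-name>' -InRemovedState -Force
} else {
    Write-Warning $check.Reason
}
```

When purge protection is on, the warning carries the scheduled purge date, which is the earliest the secret will disappear regardless of the access policy.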

-1
votes

Why so complicated?

# Purges a soft-deleted vault (and everything in it) rather than a single secret
Remove-AzKeyVault -VaultName MYKEYVAULT -Location EASTUS -InRemovedState