How can I permanently purge an entire azure keyvault that's been created with soft delete enabled?

7
votes

When you create an azure keyvault with soft delete enabled that keyvault persists even if you delete it and re-create it from scratch.

When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

You also get this error message when you try and delete the keyvault though the UI:

The soft delete feature has been enabled on this key vault. After you soft delete this key vault, it will remain in your subscription as a hidden vault. It will get purged after the retention period you specified. You may purge it sooner, or restore the vault, using Azure Portal, Azure PowerShell, or Azure CLI. See this page for reference: https://docs.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete

This is causing me issues in dev. I created a keyvault with soft delete enabled (by accident) and now I want to completely remove that keyvault and re-create it with different settings. Everytime I delete it and re-create it, it includes all the previous settings, keys, etc. I also can't create a keyvault, with the same name, with soft delete disabled. It complains that a keyvault with that name already exists (VaultAlreadyExists exception) and that the settings are not compatible.

The keyvault docs on MSDN(the link from the above message in Azure) mention how to permanently purge a soft delete but it's slightly euphemistic sentence isn't that helpful to me:

Permanently deleting, purging, a key vault is possible via a POST operation on the proxy resource and requires special privileges.

So how do I get rid of this thing?

2
azureazure-keyvaultazure-cli

2 Answers

13
votes

First thing to note, as I've subsequently found out, is that soft delete will be enabled by default by the end of this year. So the disabling of soft delete is now effectively deprecated. But I still wanted to completely delete my keyvault.

After doing a bit of digging in the azure cli I stumbled across this command:

az keyvault purge --name
                  [--location]
                  [--no-wait]
                  [--subscription]

So providing you are logged in with a user that has enough privilages to run this you can permanatly delete the entire key vault using the command:

az keyvault purge --name keyvaultname

This permanently and irrevocably removes the keyvault, all it's keys and settings. There doesn't seem to be a way in the Azure UI to do this without using the CLI or some other tool.

0
votes

You can also use Az PS. As per previous answer, this is assuming you have sufficient permissions to the subscription:

Remove-AzKeyVault -VaultName kvname -InRemovedState -Force -Location "Location"

Please see this for reference: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/remove-azkeyvault?view=azps-5.7.0

Also, I used this reference to get the proper order of the parameters as I wasn't familiar with switch parameters and where they go. https://github.com/Azure/azure-powershell/issues/14012