0 votes

I'm using my personal Azure account and Visual Studio Azure subscription where I'm Global Admin. I get the following error when I try to purge a soft-deleted Azure Key Vault.

Using Azure PowerShell:

Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed.

Using Azure CLI:

ValidationError: (MethodNotAllowed) Operation 'DeletedVaultPurge' is not allowed.

It looks like there is a permission that I don't have, even though I'm Global Admin. So what do I need to do in order to purge soft-deleted Key Vaults?

Here are the steps in Azure PowerShell (4.7.0) that I can use to reproduce the error:

First I create a Key Vault:

New-AzKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -EnablePurgeProtection

Then I delete it.

Remove-AzKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName

Then try to purge the soft-deleted Key Vault:

Remove-AzKeyVault -Name $keyVaultName -Location $location -InRemovedState -Force

Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed.

1 Answer

1 vote

The reason is that you have enabled the Purge protection when you create the keyvault.

Once the Purge protection is enabled, it's not allowed to delete it. Please refer to the doc for more details. I just pasted part of the doc as below:

When purge protection is turned on, a vault or an object in deleted state cannot be purged until the retention period has passed.

And please also note that, if the Purge protection is enabled, you cannot disable it. So when creating the key vault, please make sure the Purge protection is disabled, then try the command again.
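The create/delete/purge sequence from the question, with the checks the answer implies, as an added PowerShell example that is not code from the question or the answer. It assumes an authenticated Az session (Connect-AzAccount) with the Az.KeyVault module loaded; the vault, resource group and location values are placeholders, and the helper function names (New-DemoKeyVault, Get-DeletedVaultPurgeInfo, Invoke-VaultPurge) are my own.

```powershell
# Added example (not code from the question or the answer). Placeholder values; run in an
# authenticated Az session with the Az.KeyVault module.
$keyVaultName      = 'kv-purge-demo-placeholder'
$resourceGroupName = 'rg-purge-demo-placeholder'
$location          = 'westeurope'

function New-DemoKeyVault {
    # Creates a vault. Purge protection is ON by default here (the safe choice for anything
    # holding real secrets); pass -Disposable only for throwaway test vaults you intend to purge.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [switch] $Disposable
    )
    $params = @{
        Name                      = $Name
        ResourceGroupName         = $ResourceGroupName
        Location                  = $Location
        SoftDeleteRetentionInDays = 7   # shortest retention Key Vault allows (7 to 90 days)
    }
    if (-not $Disposable) { $params['EnablePurgeProtection'] = $true }
    New-AzKeyVault @params
}

function Get-DeletedVaultPurgeInfo {
    # Reports when a soft-deleted vault will be purged automatically, which is the only
    # way out once purge protection is on.
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Location
    )
    # -InRemovedState looks the vault up in the soft-deleted state, not the live state.
    $deleted = Get-AzKeyVault -VaultName $VaultName -Location $Location -InRemovedState
    if (-not $deleted) { return $null }
    [pscustomobject]@{
        VaultName          = $deleted.VaultName
        DeletionDate       = $deleted.DeletionDate
        ScheduledPurgeDate = $deleted.ScheduledPurgeDate
        DaysUntilPurge     = [math]::Ceiling(($deleted.ScheduledPurgeDate - (Get-Date)).TotalDays)
    }
}

function Invoke-VaultPurge {
    # Attempts the purge and turns the 'DeletedVaultPurge' refusal from the question into an
    # explanation, so a script can tell "purge protected" apart from any other failure.
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Location
    )
    try {
        Remove-AzKeyVault -VaultName $VaultName -Location $Location -InRemovedState -Force -ErrorAction Stop
        Write-Host "Purged '$VaultName'."
        return $true
    }
    catch {
        if ($_.Exception.Message -match 'DeletedVaultPurge') {
            $info = Get-DeletedVaultPurgeInfo -VaultName $VaultName -Location $Location
            Write-Warning (("Purge refused: purge protection is enabled on '{0}'. It will be purged " +
                            "automatically on {1:u} ({2} day(s) from now).") -f
                            $VaultName, $info.ScheduledPurgeDate, $info.DaysUntilPurge)
        }
        else {
            Write-Warning "Purge failed: $($_.Exception.Message)"
        }
        return $false
    }
}

# Usage for a disposable test vault (left commented so pasting this file deletes nothing):
# New-DemoKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -Disposable
# Remove-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Force
# Get-DeletedVaultPurgeInfo -VaultName $keyVaultName -Location $location
# Invoke-VaultPurge -VaultName $keyVaultName -Location $location   # succeeds without purge protection
```

Before deleting a live vault you can also read `(Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName).EnablePurgeProtection` to know in advance whether a purge will be refused. Keep purge protection on for any vault holding real secrets: it is what stops a compromised or mistaken administrator identity from permanently destroying keys inside the retention window, and the `-Disposable` path here exists only for test vaults whose name you need to free up quickly.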