When you create an Azure keyvault with soft delete enabled, that keyvault persists even if you delete it and re-create it from scratch.
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
You also get this error message when you try and delete the keyvault through the UI:
The soft delete feature has been enabled on this key vault. After you soft delete this key vault, it will remain in your subscription as a hidden vault. It will get purged after the retention period you specified. You may purge it sooner, or restore the vault, using Azure Portal, Azure PowerShell, or Azure CLI. See this page for reference: https://learn.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete
This is causing me issues in dev. I created a keyvault with soft delete enabled (by accident) and now I want to completely remove that keyvault and re-create it with different settings. Every time I delete it and re-create it, it includes all the previous settings, keys, etc. I also can't create a keyvault, with the same name, with soft delete disabled. It complains that a keyvault with that name already exists (VaultAlreadyExists exception) and that the settings are not compatible.
The keyvault docs on MSDN (the link from the above message in Azure) mention how to permanently purge a soft delete, but its slightly euphemistic sentence isn't that helpful to me:
Permanently deleting, purging, a key vault is possible via a POST operation on the proxy resource and requires special privileges.
So how do I get rid of this thing?
First thing to note, as I've subsequently found out, is that soft delete will be enabled by default any time now. So the disabling of soft delete is now effectively deprecated. But I still wanted to completely delete my keyvault.
After doing a bit of digging in the Azure CLI I stumbled across this command:
az keyvault purge --name
[--location]
[--no-wait]
[--subscription]
So providing you are logged in with a user that has enough privileges to run this, you can permanently delete the entire key vault using the command:
az keyvault purge --name keyvaultname
This permanently and irrevocably removes the keyvault, all its keys and settings. There doesn't seem to be a way in the Azure UI to do this without using the CLI or some other tool. It seems this is supported in the UI as well now; see here:
- Log in to the Azure portal.
- Click on the search bar at the top of the page.
- Under "Recent Services" click "Key Vault". Do not click an individual key vault.
- At the top of the screen click the option to "Manage deleted vaults".
- A context pane will open on the right side of your screen.
- Select your subscription.
- If your key vault has been soft deleted it will appear in the context pane on the right.
- If there are too many vaults, you can either click "Load More" at the bottom of the context pane or use CLI or PowerShell to get the results.
- Once you find the vault you wish to recover or purge, select the checkbox next to it.
- Select the recover option at the bottom of the context pane if you would like to recover the key vault.
- Select the purge option if you would like to permanently delete the key vault.
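As an added example (not code from the question or answer above, and not part of the Azure CLI), the following Python script wraps the same two CLI calls the answer relies on: it lists soft-deleted vaults with `az keyvault list-deleted`, checks whether the vault you name is actually in that list and whether it has purge protection enabled (a purge-protected vault cannot be purged by anyone before its scheduled purge date, so `az keyvault purge` would just fail), and only then builds and optionally runs the `az keyvault purge --name ... --location ...` command. It assumes `az` is on PATH and already logged in with an account allowed to purge. The vault names, subscription id and dates in `SAMPLE_LIST_DELETED` are constructed sample data shaped like the CLI's JSON output, not real resources.

```python
"""Find a soft-deleted Azure Key Vault and purge it, with a safety check.

Added example: not code from the post above or from Azure. It shells out to
the same Azure CLI commands the answer uses (`az keyvault list-deleted`,
`az keyvault purge`) and assumes `az` is on PATH and already logged in.
"""
import argparse
import json
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like `az keyvault list-deleted -o json` output.
# Field names follow the DeletedVault resource; every value here is made up.
SAMPLE_LIST_DELETED = """
[
  {
    "name": "dev-vault-01",
    "type": "Microsoft.KeyVault/deletedVaults",
    "properties": {
      "deletionDate": "2024-05-01T10:00:00+00:00",
      "location": "westeurope",
      "purgeProtectionEnabled": false,
      "scheduledPurgeDate": "2024-07-30T10:00:00+00:00",
      "vaultId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/dev-rg/providers/Microsoft.KeyVault/vaults/dev-vault-01"
    }
  },
  {
    "name": "prod-vault-01",
    "type": "Microsoft.KeyVault/deletedVaults",
    "properties": {
      "deletionDate": "2024-05-02T10:00:00+00:00",
      "location": "westeurope",
      "purgeProtectionEnabled": true,
      "scheduledPurgeDate": "2024-07-31T10:00:00+00:00",
      "vaultId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-vault-01"
    }
  }
]
"""


@dataclass
class PurgePlan:
    action: str              # "purge", "blocked" or "absent"
    command: Optional[list]  # az command to run, only when action == "purge"
    reason: str


def find_deleted_vault(listing_json: str, name: str) -> Optional[dict]:
    """Return the list-deleted entry for `name`, or None if it is not soft-deleted."""
    for entry in json.loads(listing_json):
        if entry.get("name") == name:
            return entry
    return None


def plan_purge(listing_json: str, name: str) -> PurgePlan:
    """Decide what to do about `name` from list-deleted output, without calling az."""
    entry = find_deleted_vault(listing_json, name)
    if entry is None:
        return PurgePlan("absent", None,
                         f"{name} is not in the soft-deleted list; there is nothing to purge")
    props = entry.get("properties", {})
    if props.get("purgeProtectionEnabled"):
        # Purge protection makes a manual purge impossible; the service removes
        # the vault itself once the retention period ends.
        return PurgePlan("blocked", None,
                         f"{name} has purge protection enabled; it cannot be purged "
                         f"before its scheduled purge date {props.get('scheduledPurgeDate')}")
    cmd = ["az", "keyvault", "purge", "--name", name, "--location", props["location"]]
    return PurgePlan("purge", cmd, f"{name} will be purged permanently from {props['location']}")


def run_az(args: list) -> str:
    """Run an az command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def purge_vault(name: str, dry_run: bool = True) -> PurgePlan:
    """Look the vault up with `az keyvault list-deleted` and purge it unless dry_run."""
    plan = plan_purge(run_az(["az", "keyvault", "list-deleted", "-o", "json"]), name)
    if plan.action == "purge" and not dry_run:
        run_az(plan.command)
    return plan


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Purge a soft-deleted Key Vault")
    ap.add_argument("name", help="name of the soft-deleted vault")
    ap.add_argument("--yes", action="store_true", help="actually run the purge")
    a = ap.parse_args()
    p = purge_vault(a.name, dry_run=not a.yes)
    print(f"[{p.action}] {p.reason}")
    if p.command and not a.yes:
        print("dry run; would run:", " ".join(p.command))
```

Run it as `python purge_vault.py keyvaultname` to see what it would do, and add `--yes` only once the plan says `purge`. Keeping the decision in `plan_purge` (pure function over the JSON) and the side effects in `purge_vault` is what makes the check testable without a subscription.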