
Azure – KeyVault permanently delete a secret


Azure Key Vault offers an option called ‘Soft delete’. It is useful: deleted keys, secrets and certificates are kept in the vault for a configurable retention period (7 to 90 days; the vault in the example below keeps them for 90 days) and can be recovered during that time. But sometimes soft delete gets in the way.

[Screenshot: keyvault - create key vault]

Key Vault treats secret names case-insensitively and has no rename operation. So if we make a mistake and create the secret with a lowercase name, but want to keep our naming convention (say, ‘SECRET-04’), there is no simple way to correct it from the portal: creating ‘SECRET-04’ just adds a version to the existing ‘secret-04’, and the name keeps its original casing.

[Screenshot: keyvault - secrets azure]

Another case is when we accidentally delete a secret. While it sits in the soft-deleted state, the portal lets us neither restore it nor recreate it: the deleted object still reserves the name, so creating a secret with the same name fails with an error.

[Screenshot: keyvault - create a secret]
[Screenshot: keyvault - create secret error]

The way out is to either restore the secret or permanently delete (purge) it, and for that we need the Azure CLI or PowerShell.

Restoring a secret

A soft-deleted secret can be recovered, but only under its original name; the name cannot be changed on recovery. The following commands list the deleted secrets in the vault and recover the one called ‘secret-04’. Replace KeyVault128463 with the name of your own vault.

az keyvault secret list-deleted --vault-name KeyVault128463
az keyvault secret recover --name secret-04 --vault-name KeyVault128463

Permanently delete a secret

To change the case of the letters, or to create a new secret with the same name, the old secret must be permanently deleted (purged). Simple removal via portal.azure.com is not enough, because the soft-deleted object still reserves the name for the whole retention period. Purging requires an additional ‘Purge’ permission on secrets; with vault access policies we can grant it to ourselves through the portal. One caveat: a vault with purge protection enabled refuses to purge anything until the retention period has elapsed, and purge protection cannot be switched off once it is on, so on such a vault this approach does not work.

[Screenshot: keyvault - azure access policies]

Once we have the permission, we can get rid of the secret. Only a secret that is already soft-deleted can be purged, which is done with the ‘az keyvault secret purge’ command. After the purge the name is free, and we can finally create the correct version of the secret through the portal or the CLI.

az keyvault secret delete --name secret-04 --vault-name KeyVault128463
az keyvault secret purge --name secret-04 --vault-name KeyVault128463
az keyvault secret set --name SECRET-04 --vault-name KeyVault128463 --value 'test'

Note that the purge is asynchronous: for a short while after it, creating a secret with the same name can still fail because the name has not yet been released, so wait a moment and retry. More information about Key Vault soft delete and the CLI commands used here can be found in the Microsoft documentation https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest
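The whole procedure from the two sections above, as an added example that is not part of the original post, written as a small POSIX shell script around the same Azure CLI commands. It copies the value before deleting (the value is gone for good after a purge), refuses to run against a purge-protected vault, waits for the deletion to land before purging, and retries the final ‘set’ while the purged name is being released. The vault name KeyVault128463 and the secret names are the post's; the script, its function names, the exit codes and the KV_SLEEP variable are my own and assume a logged-in Azure CLI with Get, Delete, Purge and Set permissions on secrets.

```shell
#!/bin/sh
# Added example (not from the original post): recreate a soft-deleted
# Key Vault secret under a new name casing with the Azure CLI, handling the
# two things that bite in practice: purge protection and the asynchronous purge.
# Assumes: az is installed and logged in, the caller has Get/Delete/Purge/Set
# on secrets. Function names, exit codes and KV_SLEEP are this script's own.
set -eu

# Seconds to wait between polls; override (e.g. KV_SLEEP=0) when testing.
KV_SLEEP="${KV_SLEEP:-2}"

# True if the vault has purge protection on. Such a vault refuses 'purge'
# until the retention period has elapsed, so the recreate trick cannot work.
kv_purge_protected() { # vault
  v="$(az keyvault show --name "$1" --query properties.enablePurgeProtection -o tsv)"
  [ "$v" = "true" ]
}

# True once the secret is visible in the soft-deleted state.
kv_is_soft_deleted() { # vault name
  az keyvault secret show-deleted --name "$2" --vault-name "$1" >/dev/null 2>&1
}

# Poll until the secret reaches the soft-deleted state (deletion is async).
kv_wait_deleted() { # vault name [attempts]
  for _ in $(seq 1 "${3:-30}"); do
    kv_is_soft_deleted "$1" "$2" && return 0
    sleep "$KV_SLEEP"
  done
  return 1
}

# 'set' can fail for a short time after a purge while the name is released;
# retry instead of giving up on the first attempt. Prints the new secret id.
kv_set_with_retry() { # vault name value [attempts]
  for _ in $(seq 1 "${4:-30}"); do
    if az keyvault secret set --name "$2" --vault-name "$1" --value "$3" \
         --query id -o tsv 2>/dev/null; then
      return 0
    fi
    sleep "$KV_SLEEP"
  done
  return 1
}

# Copy the value, soft-delete, purge, then recreate under the new name.
# Usage: kv_recreate_secret VAULT OLD_NAME NEW_NAME [VALUE]
# Exit codes: 2 purge-protected vault, 3 deletion never completed,
#             4 value unknown (old secret already soft-deleted, no VALUE given).
kv_recreate_secret() {
  vault="$1"; old="$2"; new="$3"; value="${4:-}"
  if kv_purge_protected "$vault"; then
    echo "$vault has purge protection enabled; $old cannot be purged" >&2
    return 2
  fi
  if ! kv_is_soft_deleted "$vault" "$old"; then
    # Still live: keep its value (it is gone after the purge), then delete it.
    [ -n "$value" ] || value="$(az keyvault secret show --name "$old" --vault-name "$vault" --query value -o tsv)"
    az keyvault secret delete --name "$old" --vault-name "$vault" >/dev/null
    kv_wait_deleted "$vault" "$old" || return 3
  fi
  if [ -z "$value" ]; then
    echo "$old is already soft-deleted; pass its value explicitly" >&2
    return 4
  fi
  # Purge needs the 'Purge' secret permission on the vault.
  az keyvault secret purge --name "$old" --vault-name "$vault"
  kv_set_with_retry "$vault" "$new" "$value"
}

# Run directly with arguments, e.g.:
#   sh recreate-secret.sh KeyVault128463 secret-04 SECRET-04
[ $# -eq 0 ] || kv_recreate_secret "$@"
```

Because Key Vault only reserves the name, not the value, the script reads the value with ‘az keyvault secret show’ while the secret is still live; if it is already soft-deleted you have to supply the value yourself (or recover it first, read it, and delete it again).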

You can find more articles about Azure in the Azure_en category https://lepczynski.it/en/category/azure_en/

4 thoughts on “Azure – KeyVault permanently delete a secret”

  1. Thank you for this read! Small remark on the restoring part.
    az keyvault secret recover -name secret-04 --vault-name KeyVault128463 should be:
    az keyvault secret recover --name secret-04 --vault-name KeyVault128463
    There was a - missing in front of the name argument.
