Last updated on April 22nd, 2021
Azure KeyVault offers us something like ‘Soft delete’. This is a useful option as it keeps deleted keys, secrets, and certificates in KeyVault for a specified period of time. In the example below, it stores them for a period of 90 days. But sometimes the ‘Soft delete’ gets in the way.
If we make a mistake and enter the name of the secret in lowercase, and we would like to keep the nomenclature, we will not correct it in a simple way from the portal level.
Another case is when we accidentally deleted ‘The Secret’, we can’t restore it or recreate it using the portal.
The only solution is to restore or permanently delete a secret from KeyVault with CLI / PS.
Restoring a secret
A deleted secret can be restored to the last saved version. Unfortunately, its name cannot be changed. The following commands list the secrets removed and restore a secret called ‘secret-04’. When using commands, be sure to include your KeyVault name.
az keyvault secret list-deleted --vault-name KeyVault128463 az keyvault secret recover –name secret-04 --vault-name KeyVault128463
Permanent delete a secret
To change the case of letters or create a new secret with the same name, you must permanently delete it. Simple removal by portal.azure.com is not enough. In order to permanently remove the secret, we must have additional ‘Purge‘ permission. We can give them to ourselves through the portal.
Once we have the appropriate permissions, we can remove the secret. Only a deleted secret can be ‘permanently deleted’, for which the ‘az keyvault secret purge‘ command is used. So now we can finally create the correct version of the secret through the portal or CLI.
az keyvault secret delete --name secret-04 --vault-name KeyVault128463 az keyvault secret purge --name secret-04 --vault-name KeyVault128463 az keyvault secret set --name SECRET-04 --vault-name KeyVault128463 --value 'test'
Sometimes it takes a while between deleting and creating a new secret. More information about KeyVault and the ‘Soft delete’ can be found in the Microsoft documentation https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest