Azure KeyVault offers a feature called ‘Soft delete’. It is useful because it keeps deleted keys, secrets, and certificates in KeyVault for a specified retention period; in the example below they are kept for 90 days. But sometimes ‘Soft delete’ gets in the way.
If we make a mistake and enter the name of a secret in lowercase, and we want to keep our naming convention, there is no simple way to correct it from the portal.
Another case is when we accidentally delete a secret: we can neither restore it nor recreate it under the same name using the portal.
The only solution is to restore or permanently delete the secret from KeyVault with the CLI or PowerShell.
Restoring a secret
A deleted secret can be restored to its last saved version. Unfortunately, its name cannot be changed in the process. The following commands list the deleted secrets and then restore a secret called ‘secret-04’. When running the commands, substitute your own KeyVault name.
az keyvault secret list-deleted --vault-name KeyVault128463
az keyvault secret recover --name secret-04 --vault-name KeyVault128463
Permanently deleting a secret
To change the case of the letters, or to create a new secret with the same name, you must permanently delete the old one. Simple removal in portal.azure.com is not enough. In order to permanently remove the secret, we also need the additional ‘Purge’ permission, which we can grant ourselves through the portal.
Once we have the appropriate permissions, we can remove the secret. Only an already deleted secret can be ‘permanently deleted’; this is done with the ‘az keyvault secret purge’ command. After that, we can finally create the correct version of the secret through the portal or the CLI.
az keyvault secret delete --name secret-04 --vault-name KeyVault128463
az keyvault secret purge --name secret-04 --vault-name KeyVault128463
az keyvault secret set --name SECRET-04 --vault-name KeyVault128463 --value 'test'
Sometimes it takes a while between deleting a secret and being able to create the new one. More information about KeyVault and ‘Soft delete’ can be found in the Microsoft documentation: https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest
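The whole procedure from the post (grant the Purge permission, delete, purge, recreate the secret with the corrected name) as one script, added here as an example and not part of the original post. It chains the same az commands the post uses but polls between the steps, because delete and purge are asynchronous and the name is not free until the purge has finished. It also refuses to run when purge protection is enabled on the vault, since in that case a purged name stays reserved until the retention period expires. Assumptions: you are logged in with az login, the vault uses access policies (az keyvault set-policy does not apply to RBAC-enabled vaults), VAULT defaults to the vault name from the post, and the user principal name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): reuse a secret name with different
# letter case while keeping the secret's value. Vault name taken from the post;
# the user principal name passed to grant_purge_permission is a placeholder.
set -eu

VAULT="${VAULT:-KeyVault128463}"
POLL_SECONDS="${POLL_SECONDS:-5}"   # pause between status checks
MAX_POLLS="${MAX_POLLS:-60}"        # give up after this many checks

# Give a user the secret permissions needed for the whole flow, including purge.
# Usage: grant_purge_permission user@example.com   (access-policy vaults only)
grant_purge_permission() {
  az keyvault set-policy --name "$VAULT" --upn "$1" \
    --secret-permissions get list set delete recover purge
}

# Purge protection makes a purged name unavailable until the retention period
# (90 days in the post) has passed, so the rename can never succeed; bail out early.
purge_allowed() {
  prot=$(az keyvault show --name "$VAULT" --query "properties.enablePurgeProtection" -o tsv)
  [ "$prot" != "true" ]
}

# poll_until <want> <command...>: retry <command> until its exit status matches
# <want> (0 = succeeds, 1 = fails) or MAX_POLLS is reached.
poll_until() {
  want=$1; shift
  n=0
  while :; do
    if "$@" >/dev/null 2>&1; then rc=0; else rc=1; fi
    [ "$rc" -eq "$want" ] && return 0
    n=$((n + 1))
    [ "$n" -ge "$MAX_POLLS" ] && return 1
    sleep "$POLL_SECONDS"
  done
}

# Exit status only: is the secret currently in the soft-deleted state?
is_soft_deleted() {
  az keyvault secret show-deleted --name "$1" --vault-name "$VAULT" >/dev/null 2>&1
}

# rename_secret_case OLD NEW: delete OLD, purge it, recreate it as NEW with the
# same value. Prints the id of the new secret version.
rename_secret_case() {
  old=$1; new=$2
  purge_allowed || { echo "purge protection is enabled on $VAULT; the name cannot be reused" >&2; return 2; }
  value=$(az keyvault secret show --name "$old" --vault-name "$VAULT" --query value -o tsv)
  az keyvault secret delete --name "$old" --vault-name "$VAULT" >/dev/null
  poll_until 0 is_soft_deleted "$old"   # wait until the secret shows up as deleted
  az keyvault secret purge --name "$old" --vault-name "$VAULT"
  poll_until 1 is_soft_deleted "$old"   # wait until the purge has completed
  az keyvault secret set --name "$new" --vault-name "$VAULT" --value "$value" --query id -o tsv
}

# Stand-alone use:  sh rename-secret.sh run secret-04 SECRET-04
if [ "${1:-}" = "run" ]; then
  rename_secret_case "$2" "$3"
fi
```

The value is copied through a shell variable rather than printed, and the purge-protection check runs before anything is deleted, so a vault where the rename cannot complete is left untouched.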
You can find more articles about Azure in the Azure_en category https://lepczynski.it/en/category/azure_en/
Good stuff
Hi Rushdeep. Thanks for reading!
Thank you for this read! Small remark on the restoring part.
az keyvault secret recover -name secret-04 --vault-name KeyVault128463 should be:
az keyvault secret recover --name secret-04 --vault-name KeyVault128463
There was a - missing in front of the name argument.
Thanks Dylan for the info, I actually missed it while editing. I will correct it as soon as possible. Thanks !!