Azure – KeyVault permanently delete a secret

Azure – KeyVault permanently delete a secret

Last updated on April 22nd, 2021

Azure KeyVault offers us something like ‘Soft delete’. This is a useful option as it keeps deleted keys, secrets, and certificates in KeyVault for a specified period of time. In the example below, it stores them for a period of 90 days. But sometimes the ‘Soft delete’ gets in the way.

create KeyVault

If we make a mistake and enter the name of the secret in lowercase, and we would like to keep the nomenclature, we will not correct it in a simple way from the portal level.

Azure KeyVault  secrets

Another case is when we accidentally deleted ‘The Secret’, we can’t restore it or recreate it using the portal.

Azure Key Vault create secret
Azure creating secret error

The only solution is to restore or permanently delete a secret from KeyVault with CLI / PS.

Restoring a secret

A deleted secret can be restored to the last saved version. Unfortunately, its name cannot be changed. The following commands list the secrets removed and restore a secret called ‘secret-04’. When using commands, be sure to include your KeyVault name.

az keyvault secret list-deleted --vault-name KeyVault128463
az keyvault secret recover –name secret-04 --vault-name KeyVault128463

Permanent delete a secret

To change the case of letters or create a new secret with the same name, you must permanently delete it. Simple removal by portal.azure.com is not enough. In order to permanently remove the secret, we must have additional ‘Purge‘ permission. We can give them to ourselves through the portal.

Azure KeyVault add permission

Once we have the appropriate permissions, we can remove the secret. Only a deleted secret can be ‘permanently deleted’, for which the ‘az keyvault secret purge‘ command is used. So now we can finally create the correct version of the secret through the portal or CLI.

az keyvault secret delete --name secret-04 --vault-name KeyVault128463
az keyvault secret purge --name secret-04 --vault-name KeyVault128463
az keyvault secret set --name SECRET-04 --vault-name KeyVault128463 --value 'test'

Sometimes it takes a while between deleting and creating a new secret. More information about KeyVault and the ‘Soft delete’ can be found in the Microsoft documentation https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest

You can find more articles about Azure in the Azure_en category https://lepczynski.it/en/category/azure_en/

2 thoughts on “Azure – KeyVault permanently delete a secret”

Leave a Reply

Your email address will not be published. Required fields are marked *