- Create and manage append blobs with PowerShell - Wed, Oct 12 2022
- Permanently delete a Key Vault in Azure using PowerShell - Fri, Feb 4 2022
- Restore Azure Files with PowerShell - Fri, Jan 28 2022
Soft-delete and Purge Protection
Soft-delete is a Key Vault feature that allows us to recover deleted keys, secrets, and certificates, as well as the entire set of Key Vault resources within the retention period, which can be configured to between 7 and 90 days.
When you create a Key Vault in Azure Portal, soft-delete is enabled by default, and you cannot disable it. This means that every Key Vault has to be created with soft-delete enabled. It is also important to note that the name used on the soft-deleted Key Vault cannot be reused with a new Key Vault until the retention period is finished.
Soft delete is enabled by default on Key Vaults
Purge protection is another feature of Key Vaults that is used to protect deleted Key Vaults for a certain period, called the "retention period." Once enabled, purge protection prevents deleted key vaults from being purged until the retention period has been reached. This selection cannot be changed once the Key Vault is created.
If a Key Vault is created with purge protection, you can still delete it, but you will not be able to purge it once it is deleted. In this case, the deleted Key Vaults will have to wait for 90 days to pass to be permanently purged.
Purging a deleted Key Vault
To purge a Key Vault, we first need to make sure that the Key Vault has already been deleted. That is, the Key Vault should be deleted first, using the command below, and then purged afterwards.
Remove-AzKeyVault -VaultName testvault2000 -Location 'West Europe' -Force
Now, we can move on to the next step, which is to purge the deleted Key Vault. First, we need to make sure that purge protection is not enabled on the Key Vault to be purged. Key Vaults can be either purged or recovered in the main Key Vaults section in Azure Portal, where deleted Key Vaults are also displayed.
Deleted kay vaults can be seen in Azure Portal
The purge option can only be used when the Key Vault is not protected with purge protection.
Recover and purge operations in Azure Portal
If you try to purge a protected Key Vault in Azure Portal, you'll get the following error.
Failed to purge key vault "testvault3000" of subscription "2021." Operation 'deletedvaultpurge' is not allowed. Please check if this vault has purge protection turned on, and make sure you have the correct permissions.
Error message when trying to purge a protected key vault in Azure Portal
If you try to do the same via PowerShell, you'll get this:
Remove-AzKeyVault -VaultName testvault2000 -InRemovedState -Force -Location 'West Europe'
Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed
Error message when trying to purge a protected key vault via PowerShell
Permission model on Key Vaults
When it comes to managing Key Vaults for any operation, there are two permission models that need to be followed. Resource permissions grant a user, group, or service principal access over an Azure Resource such as a storage account, Key Vault, virtual machine, database, etc.
- RBAC permissions: Regular Azure resource permissions, such as Contributor, Reader, Owner, Key Vault Contributor, etc. This is needed to access and manage the actual Key Vault resource in Azure.
- Access Policy permissions: Even if you have Owner permission on a Key Vault, you still need Access Policy permissions for each item (e.g., keys, secrets, etc.). Each item has its own set of permissions defined in the Access Policy section.
Note that to perform a purge operation on a Key Vault, the user account that you're currently logged in with needs the following resource permissions on the Key Vault object before purging it. "Owner," "Contributor," and "Key Vault Contributor" built-in roles have this permission by default.
Microsoft.KeyVault/locations/deletedVaults/purge/action
Here is an example of Key Vault resource permissions. If I need a Key Vault Secret User role to perform some specific action, then I can simply assign that role to the user on the target resource.
Example of Key Vault resource permissions
Purging a deleted secret, key, or certificate
Once a Key Vault is soft-deleted, which is the default behavior, all the items in the Key Vault, such as secrets, keys, and certificates, are also enabled for soft-delete as well. Thus, we can also recover or purge these items unless purge protection is enabled on the Key Vault.
Soft delete is enabled automatically on all items in a Key Vault
If you try to purge a secret in a protected Key Vault, you'll get the error below. This also applies to keys and certificates.
Remove-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'
Code: Forbidden
Message: The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=7d00fe23-0864-4cb8-8877-c7572e51f6f9;numgroups=4;iss=https://sts.windows.net/849e8524-4433-4b03-aea4-b2dd81e72401/' does not have secrets purge permission on key vault 'testvault4000;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
image8
Purge protection prevents the items in Key Vaults from being purged
The following resource permissions are needed in advance to purge these items in Key Vaults:
Item
Permission
The built-in role to cover this permission
| Item | Permission | The built-in role to cover this permission |
| Certificates | Microsoft.KeyVault/vaults/certificates/purge/action
|
Key Vault Certificates Officer
Contributor Owner |
| Keys | Microsoft.KeyVault/vaults/keys/purge/action
|
Key Vault Crypto Officer
Contributor Owner |
| Secrets | Microsoft.KeyVault/vaults/secrets/purge/action | Key Vault Secrets Officer
Contributor Owner |
In addition to the above resource permissions, purge operations need to be enabled for each item in the Access Policies section of the Key Vault. Otherwise, the following error will occur when you try to purge secrets, keys, or certificates within a Key Vault:
Purge operation permission in Access Policies needs to be granted beforehand
The purge operation can be enabled on each item by selecting the Purge permission from the dropdown box, as shown below.
Purge is a privileged operation that needs to be explicitly enabled in the access policy of the Key Vault
Once both the resource permissions and access policies are configured, the purge operation can be performed.
The following commands can be used to purge the keys, secrets, and certificates on a Key Vault with no purge protection:
Remove-AzKeyVaultSecret -VaultName testvault2000 -Name secret1 -Force -InRemovedState Remove-AzKeyVaultKey -VaultName testvault2000 -Name key1 -Force -InRemovedState Remove-AzKeyVaultCertificate -VaultName testvault2000 -Name certificate1 -Force -InRemovedState
Conclusion
Key Vaults are heavily used resources in Azure. With recent changes, they are protected by default by the soft-delete feature. Although purge protection can also be enabled for additional data protection or compliance purposes, purging unnecessary Key Vault data might be needed in some cases. PowerShell can easily perform these operations on Key Vaults.
