I created a Key Vault using PowerShell and enabled it for Soft-Delete and Purge-Protection. I then created some Secrets and pushed them into the new Key Vault. The default Access Policy that gets created when the Key Vault is created gives my account all permissions on Keys, Secrets, and Certificates except for Purge. As expected, when I tried to delete the Secrets and then permanently remove them I got the Forbidden error. I then went and modified the Access Policy to give my account the Purge permission on Secrets thinking this would allow me to permanently delete the Secrets. However, even after giving my account Purge permissions I am still getting the Forbidden error when trying to permanently remove Secrets that are in InRemovedState.
If you just enable Soft-Delete, the Purge permission is enough. But if you also enable Purge-Protection, you need to wait for the retention days to pass before the secret is deleted permanently, no matter what permissions you have.
Reference - Purge protection and Permitted purge.
Exceptions are:
When the --enable-purge-protection flag is enabled on the vault itself. In this case, Key Vault will wait for 90 days from when the original secret object was marked for deletion to permanently delete the object.
By default, the retention period is 90 days; if necessary, you can set it to anything from 7 to 90 via PowerShell. (The doc says that once it is set and saved it cannot be changed; actually it can, just use PowerShell.)
$r = Get-AzResource -ResourceGroupName <group-name> -ResourceType Microsoft.KeyVault/vaults -Name <keyvault-name>
$r.Properties.softDeleteRetentionInDays = "7"
$r | Set-AzResource -Force
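Putting the rule above into practice, here is an added PowerShell example (not code from the question or the answers) that reads a vault's soft-delete settings, lists its soft-deleted secrets and purges only those the service will actually let you purge, distinguishing "purge protection holds it" from "you lack the purge permission". It assumes an Az session already signed in with Connect-AzAccount; the vault name kv-demo is a placeholder.

```powershell
# Added example: triage soft-deleted secrets in one Key Vault.
# Assumes Az.KeyVault is installed and Connect-AzAccount has been run.
param(
    [string]$VaultName = 'kv-demo'   # placeholder, replace with your vault
)

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found (or not visible to this account)." }

"Soft delete: $($vault.EnableSoftDelete)  Purge protection: $($vault.EnablePurgeProtection)  Retention: $($vault.SoftDeleteRetentionInDays) days"

# Deleted secrets carry their own deletion and scheduled-purge timestamps.
$deleted = Get-AzKeyVaultSecret -VaultName $VaultName -InRemovedState

foreach ($s in $deleted) {
    $daysLeft = [math]::Ceiling(($s.ScheduledPurgeDate - (Get-Date)).TotalDays)

    if ($vault.EnablePurgeProtection) {
        # No access policy or RBAC role overrides this: the object is held until ScheduledPurgeDate.
        "SKIP   $($s.Name): purge protection is on, auto-purge in $daysLeft day(s) ($($s.ScheduledPurgeDate))"
        continue
    }

    try {
        # Requires the 'purge' secret permission in the access policy (or an RBAC role granting it).
        Remove-AzKeyVaultSecret -VaultName $VaultName -Name $s.Name -InRemovedState -Force -ErrorAction Stop
        "PURGED $($s.Name)"
    }
    catch {
        # A Forbidden here means the caller lacks 'purge'; purge protection never reaches this branch.
        "FAILED $($s.Name): $($_.Exception.Message)"
    }
}
```

Run it once before granting anyone the purge permission: if every secret comes back as SKIP, the vault has purge protection on and the permission change will not help.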
I'm trying to create a key vault in Azure using this CLI command...
az keyvault create --location $location --name $keyVaultName --resource-group $resourceGroupMainName --output none
But this returns the error...
(VaultAlreadyExists) The vault name '[value of $keyVaultName]' is already in use. Vault names are globaly unique so it is possible that the name is already taken. If you are sure that the vault name was not taken then it is possible that a vault with the same name was recently deleted but not purged after being placed in a recoverable state. If the vault is in a recoverable state then the vault will need to be purged before reusing the name. For more information on soft delete and purging a vault follow this link https://go.microsoft.com/fwlink/?linkid=2147740.
So I ran both of these...
az keyvault list
az keyvault list-deleted
And $keyVaultName does not appear in either list. I've asked a colleague to double-check those results but it really doesn't appear. I've also looked in the Manage deleted vaults blade in the portal and that matches the results from the CLI - it's not there.
I also tried to recover the key vault with that name...
(DeletedVaultNotFound) The specified deleted vault '[value of $keyVaultName]' does not exist.
...and to purge a key vault with that name...
No deleted Vault or HSM was found with name [value of $keyVaultName]
So why does Azure think that the name is already in use?
I found an easier way, which is via UI, you can check if the deleted key vault is in the key vaults management page.
I am able to select and purge or recover deleted key vault after clicking the 'manage deleted vaults' hyperlink.
As provided in the comment, similar to storage accounts in Azure, Key Vault names are also globally unique. You can check the similar error code from the docs:
Your attempt to create a new key vault with the specified name has failed since the name is already in use. If you recently deleted a key vault with this name, it may still be in the soft deleted state
Vault names and Managed HSM pool names are selected by the user and are globally unique.
You can verify the existence using Powershell or Rest API
When you create an Azure Key Vault, a soft-delete feature is enabled by default, which helps customers recover keys and secrets that were accidentally deleted within 90 days (default); for that time period you cannot create another Key Vault with the same name.
Once soft delete is enabled for Azure Key Vault you cannot disable it, as it is implemented as a one-way operation and cannot be changed back once enabled. However, you can use the PowerShell cmdlet Remove-AzureRmKeyVault with the option -InRemovedState, specifying the location of the deleted key vault with the -Location argument, to permanently delete or purge the Azure Key Vault. If you want to permanently delete a key or secret you need to use Remove-AzureKeyVaultKey and Remove-AzureKeyVaultSecret with the -InRemovedState parameter. Please refer to How to use Key Vault soft-delete with PowerShell for details.
You can also achieve the same using the Azure CLI. Refer to How to use Key Vault soft-delete with CLI for details.
First, I checked the deleted key vaults and purged the one that was creating the problem.
az keyvault list-deleted
az keyvault purge --name my-key-vault-dev01
I'm using my personal Azure account and Visual Studio Azure subscription where I'm Global Admin. I get the following error when I try to purge a soft-deleted Azure Key Vault.
Using Azure PowerShell:
Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed.
Using Azure CLI:
ValidationError: (MethodNotAllowed) Operation 'DeletedVaultPurge' is not allowed.
It looks like there is a permission that I don't have, even though I'm Global Admin. So what do I need to do in order to purge soft-deleted Key Vaults?
Here are the steps in Azure PowerShell (4.7.0) that I can use to reproduce the error:
First I create a Key Vault:
New-AzKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -EnablePurgeProtection
Then I delete it.
Remove-AzKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName
Then try to purge the soft-deleted Key Vault:
Remove-AzKeyVault -Name $keyVaultName -Location $location -InRemovedState -Force
Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed.
The reason is that you have enabled the Purge protection when you create the keyvault.
Once the Purge protection is enabled, it's not allowed to delete it. Please refer to the doc for more details. I just pasted part of the doc as below:
When purge protection is turned on, a vault or an object in deleted state cannot be purged until the retention period has passed.
And please also note that, if the Purge protection is enabled, you cannot disable it. So during creating the key vault, please make sure the Purge protection is disabled, then try the command again.
When you create an azure keyvault with soft delete enabled that keyvault persists even if you delete it and re-create it from scratch.
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
You also get this error message when you try and delete the keyvault though the UI:
The soft delete feature has been enabled on this key vault. After you soft delete this key vault, it will remain in your subscription as a hidden vault. It will get purged after the retention period you specified. You may purge it sooner, or restore the vault, using Azure Portal, Azure PowerShell, or Azure CLI. See this page for reference: https://learn.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete
This is causing me issues in dev. I created a keyvault with soft delete enabled (by accident) and now I want to completely remove that keyvault and re-create it with different settings. Every time I delete it and re-create it, it includes all the previous settings, keys, etc. I also can't create a keyvault, with the same name, with soft delete disabled. It complains that a keyvault with that name already exists (VaultAlreadyExists exception) and that the settings are not compatible.
The keyvault docs on MSDN (the link from the above message in Azure) mention how to permanently purge a soft delete, but its slightly euphemistic sentence isn't that helpful to me:
Permanently deleting, purging, a key vault is possible via a POST
operation on the proxy resource and requires special privileges.
So how do I get rid of this thing?
First thing to note, as I've subsequently found out, is that soft delete will be enabled by default any time now, so disabling soft delete is now effectively deprecated. But I still wanted to completely delete my keyvault.
After doing a bit of digging in the azure cli I stumbled across this command:
az keyvault purge --name
[--location]
[--no-wait]
[--subscription]
So providing you are logged in with a user that has enough privileges to run this, you can permanently delete the entire key vault using the command:
az keyvault purge --name keyvaultname
This permanently and irrevocably removes the keyvault, all its keys and settings. There doesn't seem to be a way in the Azure UI to do this without using the CLI or some other tool. It seems this is supported in the UI as well now, see here:
Log in to the Azure portal.
Click on the search bar at the top of the page.
Under "Recent Services" click "Key Vault". Do not click an individual key vault.
At the top of the screen click the option to "Manage deleted vaults".
A context pane will open on the right side of your screen.
Select your subscription.
If your key vault has been soft deleted it will appear in the context pane on the right.
If there are too many vaults, you can either click "Load More" at the bottom of the context pane or use CLI or PowerShell to get the results.
Once you find the vault you wish to recover or purge, select the checkbox next to it.
Select the recover option at the bottom of the context pane if you would like to recover the key vault.
Select the purge option if you would like to permanently delete the key vault.
You can also use Az PS.
As per previous answer, this is assuming you have sufficient permissions to the subscription:
Remove-AzKeyVault -VaultName kvname -InRemovedState -Force -Location "Location"
Please see this for reference:
https://learn.microsoft.com/en-us/powershell/module/az.keyvault/remove-azkeyvault?view=azps-5.7.0
Also, I used this reference to get the proper order of the parameters as I wasn't familiar with switch parameters and where they go.
https://github.com/Azure/azure-powershell/issues/14012
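The three threads above (VaultAlreadyExists on create, 'DeletedVaultPurge' is not allowed, and how to purge at all) come down to the same triage, so here is one added PowerShell example, not code from any of the posts, that does it end to end: it asks ARM why the name is unavailable, finds the soft-deleted vault in the current subscription, checks whether purge protection holds it, and purges it only when that is permitted. Assumptions: a signed-in Az session (Az.Accounts and Az.KeyVault), the placeholder vault name kv-demo, and the Microsoft.KeyVault ARM API version 2019-09-01 for the two REST calls (the field names nameAvailable, reason, message and purgeProtectionEnabled are those of that API).

```powershell
# Added example: why is this Key Vault name taken, and can the blocking vault be purged?
# Assumes Connect-AzAccount has been run against the subscription that owned the vault.
param(
    [string]$VaultName = 'kv-demo'   # placeholder
)

$sub = (Get-AzContext).Subscription.Id

# 1. Ask ARM directly whether the name is available and, if not, why.
$body = @{ name = $VaultName; type = 'Microsoft.KeyVault/vaults' } | ConvertTo-Json
$resp = Invoke-AzRestMethod -Method POST -Payload $body `
    -Path "/subscriptions/$sub/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2019-09-01"
$avail = $resp.Content | ConvertFrom-Json
"nameAvailable=$($avail.nameAvailable) reason=$($avail.reason) message=$($avail.message)"
if ($avail.nameAvailable) { return }

# 2. Soft-deleted vaults are listed per subscription across all locations, so a vault
#    deleted in another region still shows up here (unlike a region-scoped lookup).
$dv = Get-AzKeyVault -InRemovedState | Where-Object VaultName -eq $VaultName
if (-not $dv) {
    # Not in this subscription's recycle bin: names are global, so a live or
    # soft-deleted vault in another subscription or tenant is holding it.
    "No soft-deleted vault named '$VaultName' in subscription $sub; the name is held elsewhere."
    return
}
"Deleted $($dv.DeletionDate), scheduled purge $($dv.ScheduledPurgeDate), location $($dv.Location)"

# 3. Read the deleted vault's purge-protection flag; when it is set, the retention
#    period is binding and no permission will make DeletedVaultPurge succeed.
$detail = Invoke-AzRestMethod -Method GET `
    -Path "/subscriptions/$sub/providers/Microsoft.KeyVault/locations/$($dv.Location)/deletedVaults/$VaultName?api-version=2019-09-01"
$props = ($detail.Content | ConvertFrom-Json).properties
if ($props.purgeProtectionEnabled) {
    $daysLeft = [math]::Ceiling(($dv.ScheduledPurgeDate - (Get-Date)).TotalDays)
    "Purge protection is on: 'DeletedVaultPurge' will be refused. Recover the vault or wait $daysLeft day(s)."
    return
}

try {
    # Needs the ARM action Microsoft.KeyVault/locations/deletedVaults/purge/action (Owner and
    # Contributor have it; Key Vault Contributor excludes it). An Azure AD Global Administrator
    # with no Azure RBAC role on the subscription does not have it either.
    Remove-AzKeyVault -VaultName $VaultName -Location $dv.Location -InRemovedState -Force -ErrorAction Stop
    "Purged '$VaultName'; the name can be reused."
}
catch {
    "Purge failed: $($_.Exception.Message)"
}
```

If the script ends at step 2 with no deleted vault found, the name is simply owned by someone else; no amount of purging in your own subscription will free it, and the only option is another name.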
While deleting a resource group am getting the below mentioned error.
Failed to delete resource group backupone: Deletion of resource group 'backupone' failed as resources with identifiers 'Microsoft.RecoveryServices/vaults/backupone' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is 'ee14d432-edf4-48e3-ba7f-016757125909'. Please check audit logs for more details. (Code: ResourceGroupDeletionBlocked)
Vault cannot be deleted as there are existing resources within the vault. Please ensure there are no backup items, protected servers or backup management servers associated with this vault. Unregister the following containers associated with this vault before proceeding for deletion : backuponestg Unregister all containers from the vault and then retry to delete vault (Code: ServiceResourceNotEmptyWithContainerDetails)
Can someone please help me understand what is wrong?
As I commented above, the error message
Vault cannot be deleted as there are existing resources within the vault
hints to me that there might be an Azure Site Recovery Vault in the resource group.
Here's some more information.
If you have an Azure Site Recovery Vault inside a resource group, and it contains some data from backed-up virtual machines, then this can block the deletion of the vault.
You first need to manually clean up the vault before you can delete the ASR vault. This is a mechanism put in place to prevent accidental deletion of backed-up data.
Check out this link for a more detailed guide on what steps you need to take to unassociate workloads with your vault.
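As an added PowerShell example (not part of the answer above), this is the clean-up the error message is asking for, done with the Az.RecoveryServices cmdlets: stop protection and delete recovery points for every backed-up item, unregister the registered containers (the storage account 'backuponestg' in the error is one such container), and only then delete the vault. It assumes a signed-in Az session; the resource group and vault names are taken from the error text as placeholders, and the container/workload pairs cover Azure VMs and Azure Files only. It is destructive by design: every restore point in the vault is deleted.

```powershell
# Added example: empty a Recovery Services vault so the resource group can be deleted.
# Assumes Az.RecoveryServices and Connect-AzAccount. DESTRUCTIVE: deletes all recovery points.
param(
    [string]$ResourceGroup = 'backupone',   # placeholder from the error text
    [string]$VaultName     = 'backupone'
)

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found in '$ResourceGroup'." }

# With vault soft delete on, "delete data" only soft-deletes items and the vault still
# cannot be removed. Turn it off first; items already soft-deleted must be restored with
# Undo-AzRecoveryServicesBackupItemDeletion before the loop below can remove them.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Disable | Out-Null

# Container type -> workload type pairs to walk. Extend for SQL-in-VM etc. if the vault holds them.
$workloads = @(
    @{ Container = 'AzureVM';      Workload = 'AzureVM'    },
    @{ Container = 'AzureStorage'; Workload = 'AzureFiles' }
)

foreach ($w in $workloads) {
    $containers = Get-AzRecoveryServicesBackupContainer -ContainerType $w.Container -Status Registered -VaultId $vault.ID
    foreach ($c in $containers) {
        $items = Get-AzRecoveryServicesBackupItem -Container $c -WorkloadType $w.Workload -VaultId $vault.ID
        foreach ($i in $items) {
            "Stopping protection and removing recovery points: $($i.Name)"
            Disable-AzRecoveryServicesBackupProtection -Item $i -RemoveRecoveryPoints -Force -VaultId $vault.ID | Out-Null
        }
        # VM containers drop off once their items are gone; storage accounts (and other
        # explicitly registered containers) must be unregistered, which is what the error demands.
        if ($w.Container -ne 'AzureVM') {
            "Unregistering container: $($c.FriendlyName)"
            Unregister-AzRecoveryServicesBackupContainer -Container $c -VaultId $vault.ID -Confirm:$false
        }
    }
}

# Now the vault is empty and the deletion (and the resource group deletion) goes through.
Remove-AzRecoveryServicesVault -Vault $vault
```

Run the two Get-* calls on their own first to see what the vault actually holds; if anything other than VM or Azure Files backups is registered (MARS agents, SQL in VMs), add the matching container and workload types before running the destructive part.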
We use Azure Backup and set our backup vaults to use GRS. We want to use LRS instead. It is understood that this cannot be changed once machines have been added to the vault, and we need to start from scratch. Two questions:
Do I need to remove the current vault first before I set up a new vault for that same server?
Can the current backups be transferred to the new vault?
Changing a Recovery Services Vault's storage replication type can be achieved via the Portal or PowerShell. Unfortunately, if there are one or more Protected Instances already contained in the vault, this option is greyed out in the Portal and, whilst the cmdlet executes successfully, it doesn't change the underlying value.
Because of this, and because the default value is GeoRedundant, this must be set before any items have been protected.
To set the storage to Locally Redundant via the Portal:
Create/Open the Recovery Services Vault
Scroll-down and select Backup Infrastructure
Select Backup Configuration
Set Storage replication type to Locally-redundant
To achieve the same via PowerShell:
$RG = 'testResourceGroup'
$VaultName = 'testVault'
$Location = 'Central US'
$vault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $RG -Name $VaultName
If (-not $vault) {
$vault = New-AzureRmRecoveryServicesVault -ResourceGroupName $RG -Location $Location -Name $VaultName
}
Set-AzureRmRecoveryServicesBackupProperties -Vault $vault -BackupStorageRedundancy LocallyRedundant
With regards removing existing vaults and transferring existing backup points:
The existing vault does not need to be deleted; however, any protected items will need to be removed from the vault before they can be added to a new vault. It is not sufficient to simply stop backup on the protected item: all the restore points must also be deleted before the item can be added to the new vault.
I cannot find any documentation, facility in the Portal or PowerShell which would allow the migration of existing protected items and/or restore points.
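Because the cmdlet reports success even when the vault already holds protected instances and the change is silently ignored, the practical script is "refuse if anything is registered, set LRS, then read the value back". Here is that as an added example in the current Az module (not the answer's AzureRm code); it assumes Az.RecoveryServices and a signed-in session, and the resource group, vault name and location are placeholders.

```powershell
# Added example: create a vault and set Locally-redundant storage before anything is protected,
# verifying the result instead of trusting the cmdlet's silent success.
# Assumes Az.RecoveryServices and Connect-AzAccount; names are placeholders.
param(
    [string]$ResourceGroup = 'rg-backup',
    [string]$VaultName     = 'rsv-lrs',
    [string]$Location      = 'westeurope'
)

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName -Location $Location
}

# Any registered container (hence any protected instance) locks the replication type.
$registered = 0
foreach ($ct in 'AzureVM', 'AzureStorage') {
    $containers = Get-AzRecoveryServicesBackupContainer -ContainerType $ct -Status Registered -VaultId $vault.ID
    $registered += @($containers).Count
}
if ($registered -gt 0) {
    throw "Vault '$VaultName' already has $registered registered container(s); replication type cannot be changed. Create a new, empty vault instead."
}

# Default is GeoRedundant; switch to LocallyRedundant while the vault is still empty.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy LocallyRedundant

# Read it back: this is the only reliable signal that the change took effect.
$actual = (Get-AzRecoveryServicesBackupProperty -Vault $vault).BackupStorageRedundancy
if ($actual -ne 'LocallyRedundant') {
    throw "Replication type for '$VaultName' is still '$actual'."
}
"Vault '$VaultName' is now $actual"
```

Put this in whatever provisions the vault (pipeline step, deployment script) so the check runs before the first backup policy is assigned; after that point the only fix is the new-vault route described in the answer above.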
The only way I've been able to change from Geo-Redundant Storage (GRS) to Locally Redundant Storage (LRS) is to create a new empty vault in the old portal (https://manage.windowsazure.com).
In the old portal you can change storage type in "Configuration".
I expect you will also be able to do it with PowerShell, but haven't tried it though.
You can register your server with 1 vault. In order to register your server with the new vault, you need to use the new vault credentials downloaded from manage.windowsazure.com
You can have multiple vaults. If you do not use your current vault in the future, it will stay there. You have to pay for each vault. So, if you don't need it in the future, it may be better to remove it completely.
There is a comprehensive documentation here:
https://azure.microsoft.com/en-us/documentation/services/backup/