Unable to purge key in keyvault and thereafter unable to purge keyvault either

Ankur Soni @4dx 26 Reputation points
2020-06-20T03:04:44.84+00:00

I am the Global admin on the AD tenant and the key vault access policy has all permissions to my user including purge.

This command worked:

Remove-AzKeyVaultKey -Name <key_name> -VaultName <kv_name>

Then this fails:

Remove-AzKeyVaultKey -Name <key_name> -VaultName <kv_name> -InRemovedState

with error:

Remove-AzKeyVaultKey: Operation returned an invalid status code 'Forbidden'


Accepted answer
  1. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2020-07-09T20:09:31.94+00:00

    @AnkurSoni-4dx
    Thank you for following up on this. Please see below for words from our product team.

    "Purge protection once enabled cannot be disabled. This is by design. There is no plan to offer a way to disable purge protection once enabled. We are considering some other options in future for customers to be able to use SSE without turning on purge protection."

    Since this issue is by design, I have updated our CLI/PS docs for enabling purge protection to reflect that "disabling purge protection isn't supported". Corresponding GitHub issues follow.

    Enable Purge Protection PS:
    #58744

    Enabling Purge Protection CLI:
    #58742

    Please allow some time for the changes to reflect and if you don't see the document update, please let me know.

    1 person found this answer helpful.

4 additional answers

  1. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2020-06-22T21:57:28.05+00:00

    @AnkurSoni-4dx
    Thank you for the post! I was able to replicate your issue and will post my findings below.

    Findings:
    I created a brand new Key Vault with "Soft Delete" enabled and ran the same commands you posted and didn't run into any problems.
    [screenshot: purge key success, kv1]

    Reading through the Azure Key Vault - Purge protection documentation I found:

    • "Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled... When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed..."

    I turned on "Purge Protection" and was able to reproduce your issue.
    [screenshot: purge protection enabled, kv1]

    Next Steps:
    1- As of right now, there isn't any way of "disabling" purge protection. Therefore, you'll have to wait the designated amount of time before your Key Vault/Key are purged.

    • However, you should be able to delete your Key Vault and Key(s), if you don't want to incur additional charges per the Key Vault Pricing doc.

    2- There's currently a feature request for "disabling purge protection", if you'd like to vote for it to be implemented.

    Please let me know if you have any other questions.
    Thank you for your time and patience.


    Please let us know if any reply/answer helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.

    2 people found this answer helpful.
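The behaviour described in this answer, as an added PowerShell example that is not part of the original thread: it reads the vault's soft-delete and purge-protection settings and the deleted key's scheduled purge date before deciding whether a manual purge can succeed. It assumes the Az.KeyVault module is loaded and Connect-AzAccount has already run; the vault and key names are placeholders.

```powershell
# Added example (not from the original thread). Explains a 'Forbidden' on
# Remove-AzKeyVaultKey -InRemovedState instead of just retrying it.
function Test-KeyVaultKeyPurge {
    param(
        [Parameter(Mandatory)] [string]$VaultName,   # placeholder: <kv_name>
        [Parameter(Mandatory)] [string]$KeyName      # placeholder: <key_name>
    )

    # Vault-level settings decide the outcome of any purge request,
    # regardless of what the access policy grants the caller.
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) {
        throw "Vault '$VaultName' not found (it may itself be soft-deleted)."
    }
    "Soft delete enabled : $($vault.EnableSoftDelete)"
    "Purge protection    : $($vault.EnablePurgeProtection)"
    "Retention (days)    : $($vault.SoftDeleteRetentionInDays)"

    # A soft-deleted key carries the date the service will purge it itself.
    $deleted = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
        -InRemovedState -ErrorAction SilentlyContinue
    if (-not $deleted) {
        "Key '$KeyName' is not in the soft-deleted state; nothing to purge."
        return
    }
    "Deleted on          : $($deleted.DeletedDate)"
    "Scheduled purge on  : $($deleted.ScheduledPurgeDate)"

    if ($vault.EnablePurgeProtection) {
        # The situation in the thread: the policy grants 'purge', but the
        # service answers Forbidden until the retention period has elapsed.
        "Purge protection is on: a manual purge will return 'Forbidden' " +
        "until $($deleted.ScheduledPurgeDate). No action taken."
        return
    }

    # Without purge protection a manual purge is permitted; it is irreversible.
    Remove-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -InRemovedState -Force
    "Key '$KeyName' purged."
}

# Usage (placeholders): Test-KeyVaultKeyPurge -VaultName '<kv_name>' -KeyName '<key_name>'
```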

  2. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2020-06-26T16:20:49.667+00:00

    @Ankur Soni @4dx
    I believe there's a misunderstanding when it comes to the purging of a key vault and the information that is publicly available.

    Per your request:

    1. Purging key vault requires first the purging of all keys, secrets and certificates including the ones that may have been soft-deleted.
      -I created a test Key Vault and purged it without having to delete/purge any Keys, Secrets, or Certificates. Therefore, there isn't a requirement to first purge all keys, secrets, certificates, etc.
      [screenshot: purge vault test 1, purge protection disabled]
      [screenshot: purging vault test 1]
    2. "Disable purge protection" is not available and until then no purging can actually happen on the key vault.
      -When it comes to disabling purge protection, it has been documented in our public documents. Please see here.
      [screenshot: purge protection documentation]

    -When Purge Protection is enabled you can see that the "Disable/Enable" option is greyed out, compared to my first screenshot when this option was Disabled.
    [screenshot: purge vault test 2, purge protection enabled]

    -You can also see that "Purge Protection" is an optional feature and had to be enabled by the actual user.
    [screenshot: purge protection documentation, optional feature]

    When it comes to your specific situation, you have Purge Protection enabled, which even with the proper permissions granted for your user, you can't purge specific Key Vault items, since that action is "Forbidden" due to purge protection.

    1 person found this answer helpful.

  3. Ankur Soni @4dx 26 Reputation points
    2020-06-25T23:56:16.753+00:00

    Thanks JamesTran, looking forward to seeing this updated in learn.microsoft.com where this information truly belongs.


  4. Ankur Soni @4dx 26 Reputation points
    2020-06-26T23:06:37.833+00:00

    Thanks JamesTran for busting the myth on "Purging key vault requires first the purging of all keys, secrets and certificates including the ones that may have been soft-deleted." Again, neither Azure support nor official docs have it written as a one-liner to clear this out.

    You do realise the Azure users may have enabled the purge protection not by their own choice but were forced to do so for scenarios like "customer managed keys": https://learn.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal

    Another concern I have is that there is no means to reduce the purge period using Terraform scripts at the moment and is only controllable via the Azure portal at creation time.

    To conclude, you may have a good technical explanation for all of the nitty-gritty. But overall it makes the product not so developer friendly and has not addressed the repercussions from the choices that they were forced to make to achieve an unrelated use case like customer managed key based storage service encryption.

    Given this light, I do not feel that "disable purge feature" should be a user voted feature and instead be taken as a gap in Azure Keyvault functionality and be prioritised as a backlog.