Cannot purge or recover deleted key vault

Chad Burggraf 6 Reputation points
2021-08-10T16:11:29.7+00:00

I have a set of key vaults that are automatically created and destroyed as part of our infrastructure automation. Starting on August 8, 2021, one of these vaults is failing to purge after being deleted. All of the other vaults delete and purge just fine, and they are all identical except for naming and resource group membership.

Purge protection is not enabled for any of the vaults.

When purging via PowerShell (using Remove-AzKeyVault -InRemovedState -Force), the command hangs indefinitely. Our CI times out after 6 hours.

When purging via the portal UI, a success message is generated but the vault is never actually purged.

Attempting to recover the vault through the UI generates a conflict exception.

Any help resolving this issue is very much appreciated!

Azure Key Vault

1 answer

  1. DNH-5689 6 Reputation points
    2021-10-21T14:32:10.89+00:00

    So we reported this issue to Microsoft, who had to ask their engineering team to reset our vaults to the deleted state, which then finally allowed us to purge them.

    They also said the following: "Delete and Purge operations don’t happen immediately; they usually take somewhere between 1-5m to complete, with a 2.5m rough average. Very occasionally, if you don't respect that and proceed to create > delete > purge in very quick succession, the key vault may get into a faulty state where our SLM jobs are not able to process the request immediately and the request becomes “stuck” and stays that way until released by engineering. That being said, this does happen very sporadically. To ensure that this doesn’t happen, an ideal workflow would be similar to the following: create KV > delete KV > wait 2.5m > purge KV."

    1 person found this answer helpful.
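
The delete > wait > purge workflow quoted in the answer above, sketched as a teardown step with a bounded purge so CI fails quickly instead of hanging. This is an added example, not code from either poster or from Microsoft. The vault name, resource group, location, polling interval and timeout values are placeholder assumptions, and it needs the Az.KeyVault module with a signed-in context.

```powershell
# Added example: all names and timeouts below are placeholders/assumptions.
param(
    [string]$VaultName         = 'kv-example-placeholder',  # hypothetical vault name
    [string]$ResourceGroupName = 'rg-example-placeholder',  # hypothetical resource group
    [string]$Location          = 'westus2',                 # hypothetical region
    [int]$SettleSeconds        = 150,  # the "wait 2.5m" from the quoted guidance
    [int]$PurgeTimeoutSeconds  = 600   # assumption: bound the purge instead of waiting hours
)
$ErrorActionPreference = 'Stop'

# 1. Soft-delete the vault.
Remove-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName -Force

# 2. Poll until the vault is actually listed in the removed (soft-deleted) state.
$deadline = (Get-Date).AddSeconds(300)
do {
    $deleted = Get-AzKeyVault -VaultName $VaultName -Location $Location `
        -InRemovedState -ErrorAction SilentlyContinue
    if (-not $deleted) { Start-Sleep -Seconds 15 }
} until ($deleted -or (Get-Date) -gt $deadline)
if (-not $deleted) { throw "Vault '$VaultName' never appeared in the removed state." }

# 3. Give the delete operation time to complete before asking for a purge.
Start-Sleep -Seconds $SettleSeconds

# 4. Purge as a background job so a stuck request cannot block the pipeline.
$job = Remove-AzKeyVault -VaultName $VaultName -Location $Location `
    -InRemovedState -Force -AsJob
if (-not (Wait-Job -Job $job -Timeout $PurgeTimeoutSeconds)) {
    Stop-Job -Job $job
    throw "Purge of '$VaultName' did not finish in $PurgeTimeoutSeconds s; the vault may be stuck and need a support request."
}
Receive-Job -Job $job   # surfaces any error the purge job recorded

# 5. Confirm the vault is gone from the removed-state list.
$still = Get-AzKeyVault -VaultName $VaultName -Location $Location `
    -InRemovedState -ErrorAction SilentlyContinue
if ($still) { throw "Vault '$VaultName' is still listed as soft-deleted after purge." }
```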