Recover Deleted Key Vault in Azure

Azure Key Vault is a cloud service for storing and securely accessing secrets. A secret can be anything we want to protect, such as API keys or credentials. Data is encrypted while it moves from a key vault to a client application, making it more secure. Have you accidentally deleted a Key Vault from a resource group? In this article, we will see how to recover a deleted key vault in Azure using the Azure Az PowerShell cmdlets.

Pre-requisites
1. Azure subscription with access to deploy Azure resources.
2. Az PowerShell module installed on the local machine.
3. Azure Key Vault soft-delete should be enabled on the vaults to be recovered.

What is a key vault soft delete?

Key Vault's soft-delete feature enables the recovery of deleted vaults and deleted key vault objects (such as keys, secrets, and certificates). Microsoft Azure retains a soft-deleted key vault for a specified period (90 days by default), and the service provides a mechanism to recover the deleted object.

How to restore a deleted key vault?

Follow the below three steps to recover the deleted Key Vault in Azure using the Az PowerShell module.

1. Connect to the Azure account

Execute the below command in PowerShell to connect to a specific Azure Tenant.

Connect-AzAccount

2. Check what key vaults are eligible for recovery

Let us now check which Azure Key Vaults are eligible for recovery from the deleted state. The command below lists all the key vaults soft-deleted in the last 90 days. Specify the VaultName parameter to check a specific key vault for recovery, or specify the Location parameter to check all eligible vaults from a particular location within the logged-in tenant.

Get-AzKeyVault -InRemovedState

3. Undo key vault deletion

Run the below command to recover a specific soft deleted key vault from a particular location and resource group.

Undo-AzKeyVaultRemoval -VaultName VaultName -ResourceGroupName ResourceGroupName -Location Location

We have just seen how to recover a deleted key vault in Azure.
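The three steps above, combined with the resource group tip given further down, as an added example that is not part of the original article. The function name Restore-DeletedKeyVault and the vault name kv-example-01 are hypothetical, and the example assumes the original resource group name can be read from the ResourceId property returned by Get-AzKeyVault -InRemovedState.

```powershell
# Added example. Restore-DeletedKeyVault and 'kv-example-01' are illustrative names.
function Restore-DeletedKeyVault {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VaultName
    )

    # Step 1: an authenticated session in the right subscription is required.
    if (-not (Get-AzContext)) { throw 'Run Connect-AzAccount first.' }

    # Step 2: look for the vault among the soft-deleted vaults of the subscription.
    $deleted = Get-AzKeyVault -InRemovedState |
        Where-Object { $_.VaultName -eq $VaultName }
    if (-not $deleted) {
        throw "No soft-deleted vault named '$VaultName' found; it may already be purged."
    }

    # ResourceId keeps the vault's original resource group:
    # /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
    if ($deleted.ResourceId -notmatch '/resourceGroups/([^/]+)/') {
        throw "Cannot read the resource group from '$($deleted.ResourceId)'."
    }
    $rgName = $Matches[1]

    Write-Verbose "Deleted: $($deleted.DeletionDate); purge scheduled: $($deleted.ScheduledPurgeDate)"

    # Recreate the resource group if it was deleted together with the vault.
    # Assumption: the vault's location is acceptable for the recreated group.
    if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($rgName, 'Create resource group')) {
            New-AzResourceGroup -Name $rgName -Location $deleted.Location | Out-Null
        }
    }

    # Step 3: undo the deletion into the original resource group and location.
    if ($PSCmdlet.ShouldProcess($VaultName, 'Undo key vault removal')) {
        Undo-AzKeyVaultRemoval -VaultName $VaultName -ResourceGroupName $rgName -Location $deleted.Location
    }
}

# Preview the actions first; drop -WhatIf to perform the recovery.
Restore-DeletedKeyVault -VaultName 'kv-example-01' -WhatIf
```

Running with -Verbose also prints the deletion date and the scheduled purge date, which shows how much of the retention period is left.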

How to recover deleted key vault objects?

Follow the quick steps below to recover soft-deleted key vault keys, secrets, or certificates.

  1. Log in to the Azure portal.
  2. Navigate to the key vault containing soft-deleted secrets, keys, or certificates.
  3. Select the blade corresponding to the secret type you want to manage (keys, secrets, or certificates).
  4. At the top of the screen, click on “Manage deleted (keys, secrets, or certificates)”.
  5. A context pane will appear on the right side of your screen.
  6. Select the secret, key, or certificate you want to recover and select the recovery option.

How to enable secrets in key vault

If a secret in the key vault is disabled and you want to enable it, right-click the secret and click Enable.

Pro tips:
1. If you have also deleted the resource group along with the Key Vault, you need to create a resource group with the same name before recovering the Key Vault.
2. The soft-delete feature in Azure Key Vault will be compulsory by February 2025.

We have seen the steps we can follow for Azure Key Vault recovery.


Kunal Rathi
