Restore a deleted secret or Key Vault in Azure Key Vault

This topic comes up rarely, because nobody intends to delete an application's or resource's connection-string secret from the key vault, especially in PROD where the number of dependencies is high. But it does happen by mistake, and when it does, whether the secret can come back depends on how the vault was configured before the deletion.

Always make sure the following practices are in place as a baseline:

  • Grant users the lowest-level permission that lets them do their job with secrets (typically get and list only).
  • Give the permission to delete a secret or the key vault itself to a limited number of users.
  • Soft delete should always be enabled on the Azure Key Vault at creation. It is enabled by default on new vaults and, once on, cannot be turned off again.
  • Purge protection should be enabled. Note that enabling it is irreversible: a vault with purge protection cannot have it switched off later.

The key to recovering a deleted key vault, or a deleted secret inside one, is the soft-delete retention period. A deleted object is kept in a recoverable (soft-deleted) state for that period and is only removed permanently afterwards. If soft delete is not enabled on the resource, a deleted secret or vault cannot be recovered at all.

Steps to recover the secret (soft delete is enabled in our case).

I have created a Key Vault.

By default, soft delete is enabled on the Key Vault with a retention period of 90 days. You can configure the retention period (between 7 and 90 days) to suit your environment.

Purge protection is disabled by default; you need to enable it manually so that a deleted secret cannot be purged (permanently deleted) during the retention period. Once purge protection is enabled it cannot be disabled again, so decide on it deliberately.

Created a secret in the key vault.

Now I have deleted the secret. Once a secret is deleted it is no longer shown in the normal secret list, but the deleted secrets can be found by clicking Manage deleted secrets.

Click the secret you want to recover and then click Recover. It takes a few seconds for the recovered secret to appear in the Key Vault again.

Next to Recover you can see the Purge option, which is disabled. Purge permission is not granted to any user by default; that is the least-privilege default. If you want a user to have purge permission, navigate to Access Policies, select the user you want to assign it to, check the Purge option under secret permissions and save for the change to take effect. With purge protection enabled on the vault, even a user who holds purge permission cannot purge a deleted secret until the retention period has passed.

As shown in the screenshot above, click Recover and the secret reappears in the Enabled state in your Key Vault.
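The same secret-recovery walkthrough done from the command line with the Az PowerShell module, as an added example that is not part of the original post. It creates the vault with the settings recommended above, checks them, grants an operator read and recover rights but no delete or purge, deletes a secret, shows it in the removed state, confirms that purge is refused, and recovers it. The resource group, vault name, region, secret name, user principal name and secret value are all made-up placeholders; you need an Az session (Connect-AzAccount) and the vault name must be globally unique.

```powershell
# Added example, not the original post's code. All names below are assumptions.
$rg       = 'rg-kv-demo'
$vault    = 'kv-recover-demo'        # globally unique; change before running
$location = 'westeurope'
$secret   = 'AppDbConnectionString'
$user     = 'operator@contoso.com'

# 1. Create the vault with 90-day soft-delete retention and purge protection.
#    -DisableRbacAuthorization keeps the access-policy model the post uses
#    (assumed to exist in your Az.KeyVault version; on older versions that
#    still default to access policies, drop the switch).
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
    -SoftDeleteRetentionInDays 90 -EnablePurgeProtection -DisableRbacAuthorization | Out-Null

# 2. Verify the settings before trusting the vault in PROD.
$kv = Get-AzKeyVault -VaultName $vault
if (-not $kv.EnableSoftDelete)      { throw 'soft delete is off: deleted secrets cannot be recovered' }
if (-not $kv.EnablePurgeProtection) { throw 'purge protection is off: a deleted secret can still be purged' }
"Retention: $($kv.SoftDeleteRetentionInDays) days"

# 3. Least privilege for the operator: read and recover, but no delete or purge.
Set-AzKeyVaultAccessPolicy -VaultName $vault -UserPrincipalName $user `
    -PermissionsToSecrets get,list,recover

# 4. Create a secret (constructed sample value), then "accidentally" delete it.
$value = ConvertTo-SecureString 'Server=db;User=app;Password=sample-only' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name $secret -SecretValue $value | Out-Null
Remove-AzKeyVaultSecret -VaultName $vault -Name $secret -Force

# 5. The secret is gone from the normal listing but visible in the removed state,
#    together with the date on which it would be purged automatically. This is
#    the same view as "Manage deleted secrets" in the portal.
$deleted = Get-AzKeyVaultSecret -VaultName $vault -Name $secret -InRemovedState
"Deleted on $($deleted.DeletedDate); scheduled purge on $($deleted.ScheduledPurgeDate)"

# 6. Purge must be refused while purge protection is on (and it is refused
#    anyway for a principal without the purge permission).
$purged = $true
try {
    Remove-AzKeyVaultSecret -VaultName $vault -Name $secret -InRemovedState -Force -ErrorAction Stop
} catch {
    $purged = $false
    "Purge refused as expected: $($_.Exception.Message)"
}
if ($purged) { throw 'purge succeeded: purge protection is not in effect' }

# 7. Recover the secret and confirm it is enabled again.
Undo-AzKeyVaultSecretRemoval -VaultName $vault -Name $secret | Out-Null
$restored = Get-AzKeyVaultSecret -VaultName $vault -Name $secret
if (-not $restored.Enabled) { throw 'recovery did not re-enable the secret' }
"Recovered $($restored.Name), version $($restored.Version)"
```

If the vault uses Azure RBAC instead of access policies, step 3 becomes a role assignment (for example Key Vault Secrets User for read-only access) rather than Set-AzKeyVaultAccessPolicy; the delete, list-deleted, purge and recover calls are unchanged.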

Restore the deleted Key Vault

A deleted key vault can be restored by following the same steps. Recovering a vault is an operation on the vault resource itself (it needs permission on the subscription or resource group, not a secret access policy), and the vault is restored into its original resource group and location. Once the Key Vault is recovered, the secrets inside it are available again as well.

Here I have deleted the Key Vault.

Click Manage deleted vaults to see the deleted key vaults in the selected subscription, then select the vault and restore it just as we did for the secret.
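The vault-level version of the same procedure, as an added example that is not from the original post: delete the whole vault, find it in the removed state, recover it into its original resource group and location, and confirm that the secret came back with it. It assumes the same placeholder names as the secret example (resource group "rg-kv-demo", vault "kv-recover-demo", region "westeurope", secret "AppDbConnectionString") and a vault created with purge protection on.

```powershell
# Added example, not the original post's code. All names below are assumptions.
$rg       = 'rg-kv-demo'
$vault    = 'kv-recover-demo'
$location = 'westeurope'
$secret   = 'AppDbConnectionString'

# 1. Delete the vault (the mistake we are going to undo).
Remove-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Force

# 2. It is no longer listed as a live resource...
if (Get-AzKeyVault -VaultName $vault -ErrorAction SilentlyContinue) { throw 'vault still present' }

# 3. ...but it is listed in the removed state with its purge date. This is the
#    same view as "Manage deleted vaults" in the portal.
$gone = Get-AzKeyVault -VaultName $vault -Location $location -InRemovedState
"Deleted on $($gone.DeletionDate); scheduled purge on $($gone.ScheduledPurgeDate)"
Get-AzKeyVault -InRemovedState | Select-Object VaultName, Location, ScheduledPurgeDate

# 4. Purging the deleted vault would remove it for good; with purge protection
#    on it is refused until the retention period has passed.
$purged = $true
try {
    Remove-AzKeyVault -VaultName $vault -Location $location -InRemovedState -Force -ErrorAction Stop
} catch {
    $purged = $false
    "Vault purge refused as expected: $($_.Exception.Message)"
}
if ($purged) { throw 'vault purge succeeded: purge protection is not in effect' }

# 5. Recover the vault into its original resource group and location. This is a
#    management-plane call on the subscription, not a secret access policy.
Undo-AzKeyVaultRemoval -VaultName $vault -ResourceGroupName $rg -Location $location | Out-Null

# 6. The secret returns with the vault; no separate secret recovery is needed.
$kv = Get-AzKeyVault -VaultName $vault
if (-not $kv) { throw 'vault recovery failed' }
$s = Get-AzKeyVaultSecret -VaultName $vault -Name $secret
if (-not $s -or -not $s.Enabled) { throw 'secret did not come back with the vault' }
"Recovered vault $($kv.VaultName); secret $($s.Name) is enabled"
```

Secrets that were already soft-deleted before the vault was deleted stay soft-deleted after recovery and still need the per-secret Recover step from the previous section.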
