10

I'm trying to create a key vault in Azure using this CLI command...

az keyvault create --location $location --name $keyVaultName --resource-group $resourceGroupMainName --output none

But this returns the error...

(VaultAlreadyExists) The vault name '[value of $keyVaultName]' is already in use. Vault names are globaly unique so it is possible that the name is already taken. If you are sure that the vault name was not taken then it is possible that a vault with the same name was recently deleted but not purged after being placed in a recoverable state. If the vault is in a recoverable state then the vault will need to be purged before reusing the name. For more information on soft delete and purging a vault follow this link https://go.microsoft.com/fwlink/?linkid=2147740.

So I ran both of these...

az keyvault list
az keyvault list-deleted

And $keyVaultName does not appear in either list. I've asked a colleague to double-check those results but it really doesn't appear. I've also looked in the Manage deleted vaults blade in the portal and that matches the results from the CLI - it's not there.

I also tried to recover the key vault with that name...

(DeletedVaultNotFound) The specified deleted vault '[value of $keyVaultName]' does not exist.

...and to purge a key vault with that name...

No deleted Vault or HSM was found with name [value of $keyVaultName]

So why does Azure think that the name is already in use?

awj
  • It is universally unique across cloud tenants – Sajeetharan Jun 15 '21 at 15:47
  • What that means is that the name of the key vault should be globally unique. If I created a key vault by the name "mykeyvault" in my subscription, you can't create a key vault with the same name in your subscription. – Gaurav Mantri Jun 15 '21 at 15:51

5 Answers

11

I found an easier way, which is via the UI: you can check whether the deleted key vault is listed on the key vaults management page. I am able to select and purge or recover a deleted key vault after clicking the 'Manage deleted vaults' hyperlink.

user14181068
4

As mentioned in the comment, similar to Storage Accounts in Azure, the Key Vault name is also globally unique. You can check the corresponding error code in the docs:

Your attempt to create a new key vault with the specified name has failed since the name is already in use. If you recently deleted a key vault with this name, it may still be in the soft deleted state

Vault names and Managed HSM pool names are selected by the user and are globally unique.

You can verify the existence using PowerShell or the REST API.

Sajeetharan
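The sequence the question runs by hand (create, list-deleted, recover, purge) can be collapsed into one check up front. The following is an added example, not code from the question or any answer: it uses `az keyvault check-name` (assumed to be available in a current Azure CLI; it answers the same question as the REST checkNameAvailability call referred to above) together with `az keyvault list-deleted` to decide whether the name is free, soft-deleted in your own subscription, or owned by someone else, which is the situation the question describes. The functions `triage` and `is_valid_vault_name`, the `run_az` helper and the sample JSON responses are all assumptions of this example, not part of the CLI.

```python
"""Triage a Key Vault name before calling `az keyvault create`.

Added example (not code from the question or any answer). The decision
logic mirrors the thread: nameAvailable false AND the name present in your
own `az keyvault list-deleted` output means recover or purge; false and NOT
in that list means another tenant/subscription owns the name, so pick a new
one. Running it as a script assumes an installed, logged-in Azure CLI; the
pure functions run offline.
"""
import json
import re
import subprocess
import sys

# Name rules from the Key Vault docs: 3-24 characters, letters, digits and
# hyphens only, must start with a letter, end with a letter or digit, and
# must not contain consecutive hyphens.
_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9]|-(?!-)){1,22}[A-Za-z0-9]$")


def is_valid_vault_name(name: str) -> bool:
    """True if NAME satisfies the documented vault-name syntax."""
    return bool(_NAME_RE.match(name))


def triage(name: str, check_name: dict, deleted_vaults: list) -> str:
    """Return 'invalid', 'create', 'recover-or-purge' or 'pick-new-name'.

    check_name: parsed JSON from `az keyvault check-name --name NAME`
    (ARM CheckNameAvailability result: nameAvailable, reason, message).
    deleted_vaults: parsed JSON list from `az keyvault list-deleted`.
    """
    if not is_valid_vault_name(name):
        return "invalid"
    if check_name.get("nameAvailable") is True:
        return "create"
    # Vault names are case-insensitive, so compare case-insensitively.
    wanted = name.lower()
    if any(str(v.get("name", "")).lower() == wanted for v in deleted_vaults):
        return "recover-or-purge"
    # Taken globally, but not soft-deleted in the subscription we can see:
    # exactly the situation in the question. Nothing to purge; choose another
    # name. (list-deleted is per subscription: if you own several, run it in
    # each one before concluding.)
    return "pick-new-name"


# Constructed sample responses, shaped like the CLI's JSON output, so the
# triage can be shown without a live subscription.
SAMPLE_TAKEN = {
    "nameAvailable": False,
    "reason": "AlreadyExists",
    "message": "The vault name 'kv-prod-01' is already in use.",
}
SAMPLE_DELETED = [{"name": "kv-prod-01", "properties": {"location": "westeurope"}}]


def run_az(*args) -> object:
    """Run an az command and parse its JSON output (needs a logged-in CLI)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} VAULT_NAME", file=sys.stderr)
        return 2
    name = argv[1]
    check = run_az("keyvault", "check-name", "--name", name)
    deleted = [] if check.get("nameAvailable") else run_az("keyvault", "list-deleted")
    action = triage(name, check, deleted)
    print(f"{name}: {action}")
    if action == "recover-or-purge":
        print(f"  az keyvault recover --name {name}   # or: az keyvault purge --name {name}")
    elif action != "create":
        print("  " + str(check.get("message", "")))
    return 0 if action == "create" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python triage_kv.py "$keyVaultName"` before the `az keyvault create` call; a non-zero exit means the name is not usable as-is. The syntax check runs first because a malformed name also comes back as unavailable from the service, and that case is not solved by purging anything.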
2

When you create an Azure Key Vault, the soft delete feature is enabled by default, which helps customers recover keys and secrets that were accidentally deleted within 90 days (the default), and for that time period you cannot create another key vault with the same name.

Once soft delete is enabled for Azure Key Vault you cannot disable it, as it's implemented as a one-way operation and cannot be changed back once enabled. However, you can use the PowerShell cmdlet Remove-AzureRmKeyVault with the option -InRemovedState, specifying the location of the deleted key vault with the -Location argument, to permanently delete or purge the Azure Key Vault. If you want to permanently delete a key or secret you need to use Remove-AzureKeyVaultKey and Remove-AzureKeyVaultSecret with the -InRemovedState parameter. Please refer to How to use Key Vault soft-delete with PowerShell for details.

You can also achieve the same using the Azure CLI. Refer to How to use Key Vault soft-delete with CLI for details.

UserP
Ansuman Bal
  • Thanks @AnsumanBal-MT, but as I mentioned in the opening post, I've looked at the list of deleted key vaults and the name in question is not listed. Therefore the key vault has not been previously deleted. – awj Jun 16 '21 at 07:21
  • Ok, understood @awj. Then I would suggest you create a key vault with a globally unique name which has not been used by anyone in any subscription. I would suggest using the portal, as it won't allow a name to be selected while creating the key vault if it is not globally unique. – Ansuman Bal Jun 16 '21 at 08:38
  • THANK YOU!!! finally solved my issue. – eladyanai Feb 02 '22 at 12:23
0

First, I checked the deleted key vaults and purged the one that was creating the problem.

az keyvault list-deleted

az keyvault purge --name my-key-vault-dev01

  • According to other answers the key vault name must be globally unique. Given the person asking for advice tried similar commands, I cannot see how your answer would help solving the problem. Please expand on this if you're convinced, that your answer solves the issue. – Igor Jan 30 '23 at 00:25
0

You just need to make the name less generic and more specific to your project.

Globally unique name means globally across all of Azure keyvault users.

I recommend typing names in the creation UI in Azure portal before using the CLI/Terraform since it will tell you instantly if the name is taken or if it's not available.