
Unable to create KeyVault with purge protection disabled #29115

Description

@fxierh

Describe the bug

First, --enable-purge-protection cannot be set to false:

$ az keyvault create -n ... -g ... -l eastus --enable-purge-protection false
(BadRequest) The property "enablePurgeProtection" cannot be set to false. Enabling the purge protection for a vault is an irreversible action.
Code: BadRequest
Message: The property "enablePurgeProtection" cannot be set to false. Enabling the purge protection for a vault is an irreversible action.

Second, unsetting --enable-purge-protection appears to be the same as setting it to true:

$ az keyvault create -n ... -g ... -l eastus --enable-rbac-authorization false 
{
...
    "enablePurgeProtection": null,
...
}
$ az keyvault set-policy -n ... --key-permissions create decrypt encrypt get --spn ...
...
$ az keyvault key create --vault-name ... --name ... --protection software
...
$ az keyvault delete -n ...
...
# Try re-create KV of the same name after a couple of minutes
$ az keyvault create -n ... -g ... -l eastus --enable-rbac-authorization false 
(ConflictError) A vault with the same name already exists in deleted state. You need to either recover or purge existing key vault. Follow this link https://go.microsoft.com/fwlink/?linkid=2149745 for more information on soft delete.
Code: ConflictError
Message: A vault with the same name already exists in deleted state. You need to either recover or purge existing key vault. Follow this link https://go.microsoft.com/fwlink/?linkid=2149745 for more information on soft delete.

Related command

az keyvault create

Errors

See above.

Issue script & Debug output

See above.

Expected behavior

Should be able to disable purge protection.

Environment Summary

$ az --version
azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Additional context

No response
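The ConflictError above says why the second create fails: a soft-deleted vault still holds its name, and a deleted vault whose purge protection was on cannot be purged until its scheduled purge date, so recovery is the only way to reuse the name during that window. The script below is an added example, not code from this issue or from the azure-cli project; it only parses the JSON that `az keyvault list-deleted --resource-type vault -o json` and `az keyvault show -n NAME -o json` emit, so it runs offline. The property names it reads (`properties.scheduledPurgeDate`, `properties.purgeProtectionEnabled`, `properties.enablePurgeProtection`, `properties.softDeleteRetentionInDays`) are assumed from the Key Vault management API, and the sample records and the vault, resource-group and timestamp values are constructed.

```python
"""Plan the steps needed before `az keyvault create` can reuse a soft-deleted
name, and audit a live vault's deletion posture.

Added example; not code from the issue or the azure-cli project. Field names
are assumed from the Key Vault management API; all sample data is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample of `az keyvault list-deleted --resource-type vault -o json`
SAMPLE_LIST_DELETED = json.dumps([
    {
        "name": "kv-example-a",
        "type": "Microsoft.KeyVault/deletedVaults",
        "properties": {
            "location": "eastus",
            "deletionDate": "2024-05-20T10:00:00+00:00",
            "scheduledPurgeDate": "2024-08-18T10:00:00+00:00",
            "purgeProtectionEnabled": True,
        },
    },
    {
        "name": "kv-example-b",
        "type": "Microsoft.KeyVault/deletedVaults",
        "properties": {
            "location": "eastus",
            "deletionDate": "2024-05-20T10:00:00+00:00",
            "scheduledPurgeDate": "2024-06-19T10:00:00+00:00",
            "purgeProtectionEnabled": False,
        },
    },
])

# Constructed, trimmed sample of `az keyvault show -n kv-example-c -o json`
SAMPLE_SHOW = json.dumps({
    "name": "kv-example-c",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": None,
        "enableRbacAuthorization": False,
    },
})

# Constructed "current time" so the planning logic is reproducible
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def find_deleted(name, list_deleted_json):
    """Return the deleted-vault record for `name`, or None if the name is free."""
    for entry in json.loads(list_deleted_json):
        if entry.get("name") == name:
            return entry
    return None


def plan_create(name, resource_group, location, list_deleted_json, now):
    """Decide what must run before `az keyvault create` can succeed for `name`.

    Returns (action, commands). Recovery is preferred because it brings the
    vault back with its keys; purge is offered only when purge protection is off.
    """
    create = f"az keyvault create -n {name} -g {resource_group} -l {location}"
    deleted = find_deleted(name, list_deleted_json)
    if deleted is None:
        return "create", [create]
    props = deleted["properties"]
    purge_date = datetime.fromisoformat(props["scheduledPurgeDate"])
    if now >= purge_date:
        # Retention window elapsed: the service purges the vault itself and
        # the name becomes free again
        return "create", [create]
    recover = f"az keyvault recover -n {name}"
    if props.get("purgeProtectionEnabled"):
        # Purge protection blocks `az keyvault purge` until scheduledPurgeDate;
        # recovering the vault is the only way to reuse the name right now
        return "recover", [recover]
    purge = f"az keyvault purge -n {name} -l {props['location']}"
    return "recover_or_purge", [recover, f"{purge} && {create}"]


def deletion_posture(show_json):
    """Findings about a live vault's soft-delete and purge-protection settings."""
    props = json.loads(show_json)["properties"]
    findings = []
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled")
    days = props.get("softDeleteRetentionInDays")
    if days is not None and days < 90:
        findings.append(f"retention {days} days is below the 90-day maximum")
    if not props.get("enablePurgeProtection"):
        # null and false both mean off; once set to true it cannot be cleared,
        # which is exactly the BadRequest the issue reports
        findings.append("purge protection off: deleted keys can be purged within retention")
    return findings


if __name__ == "__main__":
    for vault in ("kv-example-a", "kv-example-b", "kv-new"):
        print(vault, plan_create(vault, "rg-demo", "eastus", SAMPLE_LIST_DELETED, SAMPLE_NOW))
    print(deletion_posture(SAMPLE_SHOW))
```

Run it against real output by replacing the constructed JSON with the result of the two `az` commands; the planner never executes anything itself, it only prints the commands it would run, so the purge branch stays a deliberate operator decision.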

Labels

- Auto-Assign: Auto assign by bot
- Azure CLI Team: The command of the issue is owned by Azure CLI team
- KeyVault: az keyvault
- act-identity-squad
- customer-reported: Issues that are reported by GitHub users external to the Azure organization.
- potential-pruning
- question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that