Azure Key Vault - A Conflict Occurred that Prevented the Operation from Completing

Recently I experienced an odd error with Azure Key Vault, which confused me for a while, so I’m posting it here in case others hit the same problem.

The issue occurred in my case when trying to add a secret using Infrastructure as Code, but I suspect it would occur when manually adding a secret via portal or CLI as well. When attempting to add the new secret, I got the error below:

error: autorest/azure: Service returned an error. Status=<nil> Code="ConflictError" Message="A conflict occurred that prevented the operation from completing. The operation failed because the Key Vault '<key vault name>' changed from the point the operation began. This can happen if parallel operations are being performed on the Key Vault. To prevent this error, serialize the operations so that only one operation is performed on the Key Vault at a time. Follow this link for more information: https://go.microsoft.com/fwlink/?linkid=2147741"

The error seems to indicate that something, or someone else, is writing to the same Key Vault at the same time. So, I spent some time trying to find out if someone else, or an automated process, was updating the same Key Vault at the same time, but I couldn’t find anything. Trying again later resulted in the same error, which made me think it was unlikely to be a concurrency error.

After some further digging, I stumbled on the cause of the problem, and it has nothing to do with concurrent editing. This issue occurs when you are trying to create a secret with the same name as a secret that has been previously deleted. In the old days, this wouldn’t have been an issue, but now all Key Vaults have soft-delete turned on by default. Because of this, if you delete a secret, it isn’t fully deleted and goes into a soft-deleted state. If you try to create a new secret with the same name, you get this error. You can resolve the issue by purging the soft-deleted secret (or restoring it).

Purge Secret

To purge the secret, go to the secrets tab in Key Vault and click the “Manage Deleted Secrets” button.

https://res.cloudinary.com/samcogan/image/upload/v1662153249/2022-09-02_22-10-41_bzbq8g.png

In the page that opens, you should see the secret you are interested in. Tick the box next to it, then click the purge button.

https://res.cloudinary.com/samcogan/image/upload/v1662153249/2022-09-02_22-11-56_ienktc.png

If the purge button is greyed out, it is likely because you do not have the purge permission on secrets, as this is not assigned by default. To fix this, go to the permissions on Key Vault and add this permission (if using Key Vault permissions rather than RBAC).

https://res.cloudinary.com/samcogan/image/upload/v1662153249/2022-09-02_22-13-23_ugaxpi.png
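
The same check and fix can be scripted as a pre-flight step before an Infrastructure as Code deployment. The script below is an added example, not part of the original post; it assumes the Azure CLI is installed and signed in, and the function names and exit codes are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the Azure CLI is
# installed and signed in. Function names and exit codes are illustrative.

# Succeeds (0) when NAME is sitting in VAULT's soft-deleted secrets.
# Any failure of the lookup, including lack of access, counts as "not found".
secret_is_soft_deleted() {
  az keyvault secret show-deleted --vault-name "$1" --name "$2" \
    --output none >/dev/null 2>&1
}

# clear_soft_deleted_secret VAULT NAME [report|purge|recover]
#   0 = name is usable, 2 = blocked by a soft-deleted secret,
#   3 = purge/recover failed, 64 = unknown action
clear_soft_deleted_secret() {
  local vault="$1" name="$2" action="${3:-report}"

  if ! secret_is_soft_deleted "$vault" "$name"; then
    echo "ok: '$name' is not soft-deleted in '$vault'"
    return 0
  fi

  case "$action" in
    report)
      echo "blocked: '$name' is soft-deleted in '$vault'; purge or recover it first"
      return 2 ;;
    purge)
      # Purging is permanent; the secret cannot be restored afterwards.
      if ! az keyvault secret purge --vault-name "$vault" --name "$name"; then
        echo "purge failed: check that your identity has the Purge permission on secrets" >&2
        return 3
      fi
      echo "purged: '$name'" ;;
    recover)
      # Restores the old secret instead of discarding it.
      if ! az keyvault secret recover --vault-name "$vault" --name "$name" --output none; then
        echo "recover failed for '$name'" >&2
        return 3
      fi
      echo "recovered: '$name'" ;;
    *)
      echo "unknown action '$action' (use report, purge or recover)" >&2
      return 64 ;;
  esac
}

# Run directly: ./check-secret.sh <vault> <secret-name> [report|purge|recover]
if [ "$#" -ge 2 ]; then clear_soft_deleted_secret "$@"; fi
```

Running it in `report` mode from a pipeline turns the misleading ConflictError into an explicit "soft-deleted" message before the deployment starts.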