Azure Key Vault - The name is already in use

While attempting to create (or recreate) a Key Vault, have you ever seen the error message "The name '<key vault name>' is already in use?

It can be frustrating as you may be trying to use a name which you know isn't being used anywhere else, or which you used recently on a key vault, deleted, and now want to recreate. 

This commonly occurs for these reasons:

  1. The Key Vault that you just deleted has "Soft Delete" enabled on it. This means that the Key Vault still exists, but is not accessible.  It will remain this way for 90 days, at which point you can recover the key vault name.  This setting is in case the key vault is actually needed again.  You can check for this condition using the Powershell Get-AzureRmKeyVault cmdlet to find soft-deleted vaults:
    Get-AzureRMKeyVault -InRemovedState
    After this, you may choose to either revive the key vault using cmdlet "Undo-AzureRmKeyVaultRemoval":
    Undo-AzureRmKeyVaultRemoval -VaultName <vaultname> -ResourceGroupName <groupname> -Location <location>
    Or you can "purge" the key vault in order to ensure it's really gone:
    Remove-AzureRmKeyVault -VaultName <vaultname> -Location <location> -InRemovedState

  2. NOTE:  The Key Vault Product team has changed the validation scheme for domain names.  If your domain name is not available, but you know that it is because you recently deleted it, it may have gotten into the "orphaned DNS" scenario below.  However, the validation has changed to allow the DNS resolution to check if the Key Vault exists.  If it does not exist, the name should become available after 10 minutes.  If it still does not work, then your problem is likely that it's either being used by another Key Vault or it's soft-deleted.

    The Another reason for this condition is an "orphaned" DNS value caused by deleting/recreating the key vault too fast.   You can confirm this problem by trying to access the vault in the browser: https://<vaultname>  You should get an HTTP 403, indicating that the key vault still exists in the DNS, but isn't available in actuality:

    This is a known condition which the Azure Key Vault is working on.  The fix for this right now is to email the product team directly: AzureKeyVault _@_, or open a support case and we will help you with this problem.

  3. It's possible that the name you've chosen for your Key Vault is already taken.  If the name you've chosen is more like "TestKeyVault" or "AzCloudKv" than "WE-NameOfMyCompany-RG-Eagle-18h6", and you have never had this name on a Key Vault previously, then it's probably used by someone else.  The test above of navigating to the Key Vault to get an HTTP 403 will still hold true, but it will mean you don't have access to that Key Vault rather than it is an orphaned DNS record.

I hope this helps you out when using the Azure Key Vault!  Please follow us on Twitter and retweet!
@WinDevMatt @AzIdentity

Add comment