Vault Secrets Sync maintains a strict link (an "association") between a Vault KV secret and its destination in a cloud provider (AWS, Azure, GCP, etc.). Because Vault tries to prevent "orphaned" secrets, it will often block a standard vault delete of a destination if it cannot first remove the association or reach the cloud provider to delete the external secret. A Vault admin or operator can therefore get stuck when the association cannot be deleted. To break this cycle, you can use the force delete method.
To force the removal of a "stuck" sync destination, run the following command in your terminal:
vault delete sys/sync/destinations/<type>/<name> purge=true force_delete=true

For example:
$ vault delete sys/sync/destinations/azure-kv/my-azure-1 purge=true force_delete=true
Success! Data deleted (if it existed) at: sys/sync/destinations/azure-kv/my-azure-1
To successfully remove a destination that has active secret links (associations), you can combine these two parameters:
purge=true
Tells Vault to asynchronously unsync all secrets (delete them from the cloud provider) and remove the internal "associations" before the destination itself is deleted. Use this for a clean cleanup when credentials are still valid.

force_delete=true
Tells Vault to delete the destination even if the unsync process fails. This is your "last-resort" mechanism. It overrides the block caused by broken connections or unauthorized requests, allowing Vault to drop the configuration regardless of what happens on the cloud side. This parameter is optional.
If the delete command above fails with an internal error or an authentication failure, verify that the destination's client_id and client_secret are still valid on the cloud provider.
If the delete attempt runs into the error below, enable disable_strict_networking on the destination or configure allowed_ipv4_addresses:
* couldn't create store node in syncer: failed to create store: unable to initialize store of type "azure-kv":
unauthorized request: failed to validate the client credentials with a no-op unsync operation:
Delete "https://xxx.vault.azure.net/secrets/xxx?api-version=7.5": dial tcp 10.x.x.x:443: prohibited IP address:
10.x.x.x is not a permitted destination (denied by: 10.0.0.0/8)
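Bringing the steps above together, as an added example that is not part of the original article or of Vault itself: a small wrapper that attempts the clean purge first, classifies the failure using the error text quoted above, and only falls back to force_delete=true when the operator explicitly allows it, so that a forced drop (which may leave secrets behind in the cloud provider) is never silent. VAULT_BIN, classify_sync_error and remove_sync_destination are this example's own names, not Vault CLI features.

```shell
# Added example, not HashiCorp's code. VAULT_BIN is a hypothetical override
# so the logic can be exercised with a stub in place of the real CLI; it
# defaults to the "vault" binary on PATH.
VAULT_BIN="${VAULT_BIN:-vault}"

# Map the CLI error text to the remediation the article describes.
classify_sync_error() {
  case "$1" in
    *"prohibited IP address"*|*"not a permitted destination"*)
      echo "strict-networking" ;;   # enable disable_strict_networking or allowed_ipv4_addresses
    *"unauthorized request"*|*"failed to validate the client credentials"*)
      echo "credentials" ;;         # re-check client_id / client_secret
    *) echo "unknown" ;;
  esac
}

# Usage: remove_sync_destination <type> <name> [yes|no]
# Exit status: 0 clean purge; 1 destination dropped with force_delete
# (cloud-side secrets may be orphaned); 2 purge blocked and force not
# allowed; 3 force_delete itself failed.
remove_sync_destination() {
  type_="$1"; name_="$2"; allow_force_="${3:-no}"
  path_="sys/sync/destinations/${type_}/${name_}"
  # Step 1: clean path, unsync everything while credentials still work.
  if out=$("$VAULT_BIN" delete "$path_" purge=true 2>&1); then
    echo "clean purge of $path_ succeeded"
    return 0
  fi
  hint=$(classify_sync_error "$out")
  echo "purge of $path_ blocked ($hint): $out" >&2
  if [ "$allow_force_" != "yes" ]; then
    echo "fix the $hint problem, or rerun with the third argument set to yes" >&2
    return 2
  fi
  # Step 2: last resort, drop the configuration regardless of the cloud side.
  if "$VAULT_BIN" delete "$path_" purge=true force_delete=true >/dev/null 2>&1; then
    echo "WARNING: $path_ removed with force_delete=true; check the cloud provider for orphaned secrets" >&2
    return 1
  fi
  echo "ERROR: force_delete of $path_ also failed" >&2
  return 3
}
```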