Reputation: 25
I have a template of a container instance with a container in azurecr.io. Is it possible to use an Azure Key Vault secret in an ARM template? The following examples do not work:
    "imageRegistryCredentials": [
      {
        "server": "***.azurecr.io",
        "username": "***",
        "password": {
          "reference": {
            "keyVault": {
              "id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
            },
            "secretName": "[parameters('secretName')]"
          }
        }
      }
    ],
I have tried it with:
    "resources": [
      {
        ...
        "properties": {
          "parameters": {
            "secretPassword": {
              "type": "securestring",
              "reference": {
                "keyVault": {
                  "id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
                },
                "secretName": "[parameters('secretName')]"
              }
            }
          },
And:
    "imageRegistryCredentials": [
      {
        "server": "**.azurecr.io",
        "username": "**",
        "password": "[parameters('secretPassword')]"
      }
    ],
Result:
    "error": {
      "code": "InvalidTemplate",
      "message": "Unable to process template language expressions for resource '/subscriptions/**/resourceGroups/**/providers/Microsoft.ContainerInstance/containerGroups/**' at line '28' and column '9'. 'The template parameter 'secretPassword' is not found. Please see https://aka.ms/arm-template/#parameters for usage details.'"
    }
    }'
Upvotes: 2
Views: 1134
Reputation: 2921
So, I've created a workaround, which enables you to relatively simply use any Key Vault secret in your template by using a publicly available template on GitHub. See https://github.com/bobvandevijver/azure-arm-keyvault-secret-output for the example.
It would obviously be better if Microsoft just fixed this implementation, but it's something!
Upvotes: 1
Reputation: 72151
You can only use a Key Vault reference in the parameters of the template (or nested template).
So you either need to move this part to the parameters section or move it to the nested template and use this as a parameter to the nested template. Here is a sample to pass values from the KV to the nested template:
    {
      "apiVersion": "2017-05-10",
      "name": "[concat('kvReference-', copyIndex())]",
      "type": "Microsoft.Resources/deployments",
      "copy": {
        "name": "kvReference",
        "count": 2
      },
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "nested_template_uri"
        },
        "parameters": {
          "cer": {
            "reference": {
              "keyVault": {
                "id": "keyvaultId"
              },
              "secretName": "secretname"
            }
          }
        }
      }
    },
And you can just use those inputs as parameters inside the nested template.
Upvotes: 0
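Added example, not part of any post above and not Microsoft tooling: a small pre-deployment check that walks a template and reports every Key Vault `reference` object placed anywhere other than the parameters passed to a `Microsoft.Resources/deployments` resource, which is the placement rule the last answer describes. The function names and the sample templates are constructed for illustration.

```python
DEPLOYMENT = "microsoft.resources/deployments"

def is_kv_reference(node):
    """True for {"reference": {"keyVault": {...}, ...}}."""
    ref = node.get("reference") if isinstance(node, dict) else None
    return isinstance(ref, dict) and "keyVault" in ref

def misplaced_kv_references(template):
    """Paths of Key Vault references outside a nested deployment's parameters.
    Assumption of this example: within a template file that is the only valid spot."""
    findings = []

    def walk(node, path, allowed=False):
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, dict):
            if is_kv_reference(node) and not allowed:
                findings.append(path)
            deployment = str(node.get("type", "")).lower() == DEPLOYMENT
            for key, value in node.items():
                if deployment and key == "properties" and isinstance(value, dict):
                    params = value.get("parameters")
                    if isinstance(params, dict):
                        # Values handed to the nested template may be references.
                        for name, p in params.items():
                            walk(p, f"{path}.properties.parameters.{name}", True)
                        value = {k: v for k, v in value.items() if k != "parameters"}
                walk(value, f"{path}.{key}")

    walk(template, "$")
    return findings

KV_REF = {"reference": {"keyVault": {"id": "keyvaultId"}, "secretName": "secretname"}}

# Constructed sample: reference set directly on the resource property (question's first attempt).
INLINE = {"resources": [{
    "type": "Microsoft.ContainerInstance/containerGroups",
    "properties": {"imageRegistryCredentials": [
        {"server": "example.azurecr.io", "username": "example", "password": KV_REF}]}}]}

# Constructed sample: reference passed as a parameter to a nested deployment (answer's pattern).
NESTED = {"resources": [{
    "type": "Microsoft.Resources/deployments",
    "properties": {"mode": "Incremental",
                   "templateLink": {"uri": "nested_template_uri"},
                   "parameters": {"cer": KV_REF}}}]}

print(misplaced_kv_references(INLINE), misplaced_kv_references(NESTED))
```

Run over a template file loaded with `json.load`, an empty list means every Key Vault reference sits where the deployment engine resolves it.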