Gregory Suvalian
Reputation: 3830
How do I reference secret from keyvault as default value in parameter section of ARM template
I'm trying to set default value for secure string in parameters section of ARM template as below but receiving error about inability to use reference function in parameters section. Is it possible to specify default value of secure string to point to existing keyvault secret?
"adminPassword": {
"type": "secureString",
"defaultValue": [reference(resourceid(subscription().subscriptionId, resourceGroup().name, 'Microsoft.KeyVault/vaults/secrets', concat(parameters('organisationName'),'-', take(uniqueString(resourceGroup().id),10), '-kv'), 'adminPassword')).secretUri]
}
},
Upvotes: 0
Views: 2629
Answers (1)
Nancy Xiong
Reputation: 28204
You could reference the secret by passing the resource identifier of the key vault and the name of the secret:
For example
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
},
"secretName": "ExamplePassword"
}
},
You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file.
However, you can dynamically generate the resource ID for a key vault secret by using a linked template. Read more details about reference secrets with dynamic ID
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location where the resources will be deployed."
}
},
"vaultName": {
"type": "string",
"metadata": {
"description": "The name of the keyvault that contains the secret."
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "The name of the secret."
}
},
"vaultResourceGroupName": {
"type": "string",
"metadata": {
"description": "The name of the resource group that contains the keyvault."
}
},
"vaultSubscription": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]",
"metadata": {
"description": "The name of the subscription that contains the keyvault."
}
}
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "dynamicSecret",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminLogin": {
"type": "string"
},
"adminPassword": {
"type": "securestring"
},
"location": {
"type": "string"
}
},
"variables": {
"sqlServerName": "[concat('sql-', uniqueString(resourceGroup().id, 'sql'))]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2018-06-01-preview",
"name": "[variables('sqlServerName')]",
"location": "[parameters('location')]",
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]"
}
}
],
"outputs": {
"sqlFQDN": {
"type": "string",
"value": "[reference(variables('sqlServerName')).fullyQualifiedDomainName]"
}
}
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"adminLogin": {
"value": "ghuser"
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "[parameters('secretName')]"
}
}
}
}
}
],
"outputs": {
}
}
Upvotes: 1
Related Questions
- Put Azure Key Vault value in parameter array
- How to set types of parameters in Azure ARM templates when using KeyVault references?
- Azure ARM Template - Create KeyVault Secrets in Keyvault in different Resource Group
- How do I pass secret value from keyvault using Azure ARM Template
- access secret in keyvault from customData (cloud-init) section in ARM template
- How to dynamically create Azure KeyVault reference in ARM template?
- Creating a KeyVault secret in an existing keyvault
- Using secret from Azure KeyVault in Azure ARM Template
- How to output secret uri in ARM template?
- Key vault references in ARM parameter array