yamh

Reputation: 25

How to pass secrets retrieved from Key Vault to ARM template deployment during a pipeline run?

Within a pipeline run, we are attempting to use the retrieved key vault secret in an ARM template deployment. The secret value is a SAS URL.

We first retrieved all secrets using the AzureKeyVault@2 task

  - task: AzureKeyVault@2
    displayName: 'Retrieve all secrets necessary for install'
    inputs:
      azureSubscription: 'SUBSCRIPTION'
      KeyVaultName: 'KEYVAULT'
      SecretsFilter: 'SECRET'
      RunAsPreJob: false

We have two files in our repo: a Bicep template and a parameters JSON file, since .bicepparam files don't support key vault references. The parameters file is already referencing the secret we need, but the template doesn't seem to be using it during deployment. The pipeline's service principal has the Key Vault Secrets User role on the key vault's scope.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "SECRET_PARAM": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/KEYVAULT"
                },
                "secretName": "SECRET"
            }
        }
    }
}

I'm guessing I should be passing the retrieved secret value from the pipeline task to the deployment task, but I'm not sure how to do that when I'm already referencing a params file.

Let me know if any additional detail is needed. I'd appreciate any guidance you all can provide.

Upvotes: 0

Views: 293

Answers (2)

wenbo

Reputation: 1521

I think you should not pass the secret across. You can use an inner reference: use an existing resource and then getSecret('xxx'). Below is the official example:

param sqlServerName string
param adminLogin string

param subscriptionId string
param kvResourceGroup string
param kvName string

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, kvResourceGroup)
}

module sql './sql.bicep' = {
  name: 'deploySQL'
  params: {
    sqlServerName: sqlServerName
    adminLogin: adminLogin
    adminPassword: kv.getSecret('vmAdminPassword')
  }
}

Here are the docs

Upvotes: 0

Shamrai Aleksander

Reputation: 16163

I think you are mixing two different approaches to parameters.

1. Reference to AKV from the parameters file.

In this case, you do not need to use AzureKeyVault@2. Check this manual: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

2. Update parameters during deployment

In this case, you do not need a secret reference in the parameter file. Just store it as a usual value. Then you may update it in the AzureResourceManagerTemplateDeployment@3 task.

As an example:

The parameter (just with some default value)

"parameters": {
    "SECRET_PARAM": {
        "value": "SECRET"
    }
}

The ARM task

- task: AzureResourceManagerTemplateDeployment@3
  displayName: 'ARM Template deployment: Resource Group scope'
  inputs:
    azureResourceManagerConnection: 'MY_CONNECTION'
    subscriptionId: 'MY_ID'
    resourceGroupName: 'MY_RG'
    location: 'West Europe'
    csmFile: '$(System.DefaultWorkingDirectory)/my_template_or_bicep_file'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/mt_parameters_file'
    overrideParameters: '-SECRET_PARAM "$(SECRET)"'

Upvotes: 1
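As an added example (not from either answer), a small Python linter that applies the distinction drawn in this answer to a deploymentParameters file before the deployment task runs: each parameter is classified as resolved from Key Vault (approach 1), overridden at runtime by the task's overrideParameters string (approach 2), or a plain literal committed in the file, and secret-looking names in that last group are reported, since "SECRET" is only safe in the file as a placeholder. The override-string parser is a simplified, assumed reading of the task's `-Name value` syntax, and the sample documents are constructed from the thread.

```python
"""Lint a deploymentParameters.json plus an overrideParameters string."""
import re
import shlex

SECRET_NAME_HINT = re.compile(r"secret|sas|password|token|key", re.IGNORECASE)

# Constructed samples mirroring the thread: approach 1 (Key Vault reference) and
# approach 2 (placeholder in the file, real value supplied by the pipeline task).
REFERENCE_FILE = {"parameters": {"SECRET_PARAM": {"reference": {
    "keyVault": {"id": "/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP"
                       "/providers/Microsoft.KeyVault/vaults/KEYVAULT"},
    "secretName": "SECRET"}}}}
PLACEHOLDER_FILE = {"parameters": {"SECRET_PARAM": {"value": "SECRET"}}}
OVERRIDE = '-SECRET_PARAM "$(SECRET)"'


def parse_override_parameters(override: str) -> dict:
    """Parse '-Name value -Other value' (assumed, simplified task syntax)."""
    tokens = shlex.split(override)
    result, i = {}, 0
    while i < len(tokens):
        if not tokens[i].startswith("-") or i + 1 >= len(tokens):
            raise ValueError(f"malformed override near token {i}: {tokens[i]!r}")
        result[tokens[i][1:]] = tokens[i + 1]
        i += 2
    return result


def classify_parameters(params_doc: dict, override: str = "") -> dict:
    """Return {name: 'keyvault' | 'override' | 'plain'} for every parameter."""
    overrides = parse_override_parameters(override)
    classes = {}
    for name, entry in params_doc["parameters"].items():
        if name in overrides:
            classes[name] = "override"       # task replaces whatever the file holds
        elif "keyVault" in entry.get("reference", {}):
            classes[name] = "keyvault"       # ARM resolves the secret at deploy time
        else:
            classes[name] = "plain"          # literal value lives in the repo
    return classes


def plaintext_secret_risks(params_doc: dict, override: str = "") -> list:
    """Secret-looking parameter names that would deploy as a literal from the file."""
    classes = classify_parameters(params_doc, override)
    return sorted(n for n, c in classes.items()
                  if c == "plain" and SECRET_NAME_HINT.search(n))


if __name__ == "__main__":
    print(classify_parameters(REFERENCE_FILE))
    print(classify_parameters(PLACEHOLDER_FILE, OVERRIDE))
    print(plaintext_secret_risks(PLACEHOLDER_FILE))
```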
