Within a pipeline run, we are attempting to use the retrieved key vault secret in an ARM template deployment. The secret value is a SAS URL.
We first retrieved all secrets using the AzureKeyVault@2 task:
- task: AzureKeyVault@2
  displayName: 'Retrieve all secrets necessary for install'
  inputs:
    azureSubscription: 'SUBSCRIPTION'
    KeyVaultName: 'KEYVAULT'
    SecretsFilter: 'SECRET'
    RunAsPreJob: false
We have two files in our repo: a Bicep template and a parameters JSON file, since .bicepparam files don't support key vault references. The parameters file is already referencing the secret we need, but the template doesn't seem to be using it during deployment. The pipeline's service principal has the Key Vault Secrets User role on the key vault's scope.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "SECRET_PARAM": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/KEYVAULT"
        },
        "secretName": "SECRET"
      }
    }
  }
}
I'm guessing I should be passing the retrieved secret value from the pipeline task to the deployment task, but I'm not sure how to do that when I'm already referencing a params file.
Let me know if any additional detail is needed. I'd appreciate any guidance you all can provide.
2 Answers
I think you are mixing two different approaches for parameters.

1. Reference to AKV from the parameters file.
In this case, you do not need to use AzureKeyVault@2. Check this manual: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

2. Update parameters during deployment.
In this case, you do not need a secret reference in the parameter file. Just store it as a usual value. Then you may update it in the AzureResourceManagerTemplateDeployment@3 task. As an example:
The parameter (just with some default value)
The ARM task
I think you should not pass the secret out across tasks. You can use an inner reference: use an existing resource and then getSecret('xxx'). Below is the official example:
Here are the docs
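As an added illustration of the approach in this answer (not the answerer's own code and not the linked docs), a parent template that declares the vault as an existing resource and hands the secret to a module through a @secure() parameter, so the SAS URL is resolved by Resource Manager at deployment time and never becomes a pipeline variable or a parameters-file literal. KEYVAULT, RESOURCEGROUP and SECRET are the question's placeholders; install.bicep and sasUrl are assumed names.

```bicep
// main.bicep, deployed by the AzureResourceManagerTemplateDeployment@3 task (assumed layout).
// Defaults are the placeholders from the question; override them per environment.
param keyVaultName string = 'KEYVAULT'
param keyVaultResourceGroup string = 'RESOURCEGROUP'
param secretName string = 'SECRET'

// Reference the vault that already exists; nothing is created or modified here.
// The deploying identity needs Microsoft.KeyVault/vaults/deploy/action on the vault
// and the vault must have enabledForTemplateDeployment set to true.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

// getSecret() can only feed a module parameter marked @secure(); the value is
// fetched by Resource Manager inside the deployment, so the agent never sees it
// and it does not show up in task logs or deployment outputs.
module install './install.bicep' = {
  name: 'install-with-sas'
  params: {
    sasUrl: kv.getSecret(secretName)
  }
}

// install.bicep (assumed module that consumes the secret):
//   @secure()
//   param sasUrl string
//   ... reference sasUrl from the resource that needs the SAS URL ...
```

With this layout the parameters file no longer needs the keyVault reference block at all, and the AzureKeyVault@2 task becomes unnecessary for this secret.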