
Within a pipeline run, we are attempting to use the retrieved key vault secret in an ARM template deployment. The secret value is a SAS URL.

We first retrieved all secrets using the AzureKeyVault@2 task

  - task: AzureKeyVault@2
    displayName: 'Retrieve all secrets necessary for install'
    inputs:
      azureSubscription: 'SUBSCRIPTION'
      KeyVaultName: 'KEYVAULT'
      SecretsFilter: 'SECRET'
      RunAsPreJob: false

We have two files in our repo: a Bicep template and a parameters JSON file, since .bicepparam files don’t support key vault references. The parameters file is already referencing the secret we need, but the template doesn’t seem to be using it during deployment. The pipeline’s service principal has the Key Vault Secrets User role on the key vault’s scope.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "SECRET_PARAM": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/KEYVAULT"
                },
                "secretName": "SECRET"
            }
        }
    }
}

I’m guessing I should be passing the retrieved secret value from the pipeline task to the deployment task but I’m not sure how to do that when I’m already referencing a params file.

Let me know if any additional detail is needed. I’d appreciate any guidance you all can provide.

2 Answers


  1. I think you are mixing two different approaches to parameters.

    1. Reference to AKV from the parameters file.

    In this case, you do not need to use AzureKeyVault@2. Check this manual: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

    2. Update parameters during deployment

    In this case, you do not need a secret reference in the parameter file. Just store it as a regular value. Then you can update it in the AzureResourceManagerTemplateDeployment@3 task.

    As an example:

    The parameter (with just some default value)

    "parameters": {
        "SECRET_PARAM": {
            "value": "SECRET"
        }
    }
    

    The ARM task

    - task: AzureResourceManagerTemplateDeployment@3
      displayName: 'ARM Template deployment: Resource Group scope'
      inputs:
        azureResourceManagerConnection: 'MY_CONNECTION'
        subscriptionId: 'MY_ID'
        resourceGroupName: 'MY_RG'
        location: 'West Europe'
        csmFile: '$(System.DefaultWorkingDirectory)/my_template_or_bicep_file'
        csmParametersFile: '$(System.DefaultWorkingDirectory)/my_parameters_file'
        # $(SECRET) is the secret pipeline variable that AzureKeyVault@2 created from the vault secret named SECRET;
        # it replaces the placeholder value from the parameters file at deployment time.
        overrideParameters: '-SECRET_PARAM "$(SECRET)"'
    
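Whichever of the two approaches above is used, the parameters file is the piece that most often goes wrong, and a literal secret left in it ends up in source control. The following linter is an added example, not code from the answer or from Microsoft: it classifies each parameter in a deploymentParameters.json as a Key Vault reference or a literal, validates the reference shape (a vault resource ID in `keyVault.id`, `secretName` as a sibling of `keyVault` rather than nested inside it), and flags literal values that carry a SAS `sig=` query parameter. The sample documents are constructed here and the placeholder names (SUBSCRIPTION, KEYVAULT, SECRET) are the ones used in the question.

```python
"""Lint an ARM deploymentParameters.json before it reaches the pipeline.

Added example; not part of the original answer. The samples at the bottom
are constructed and use the placeholder names from the question.
"""
import json
import re

# Resource ID shape expected in "reference.keyVault.id" (ARM matches it case-insensitively)
KV_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)
# A SAS URL or SAS token always carries a 'sig=' query parameter
SAS_RE = re.compile(r"(^|[?&])sig=", re.IGNORECASE)


def lint_parameters(doc: dict) -> dict:
    """Return {parameter_name: [findings]}; an empty list means the parameter looks fine.

    Each parameter is either a Key Vault reference ("reference": {...}) or a literal ("value": ...).
    """
    findings = {}
    for name, body in doc.get("parameters", {}).items():
        problems = []
        ref = body.get("reference")
        if ref is not None:
            kv = ref.get("keyVault") or {}
            if not KV_ID_RE.match(str(kv.get("id", ""))):
                problems.append("keyVault.id is not a Key Vault resource ID")
            # secretName belongs beside keyVault inside reference, not inside keyVault
            if "secretName" in kv and "secretName" not in ref:
                problems.append("secretName is nested inside keyVault; move it up to reference")
            elif not ref.get("secretName"):
                problems.append("reference has no secretName")
            if "value" in body:
                problems.append("parameter has both reference and value")
        elif "value" in body:
            val = body["value"]
            if isinstance(val, str) and SAS_RE.search(val):
                problems.append("literal value looks like a SAS token (sig=); checked-in secret")
        else:
            problems.append("parameter has neither value nor reference")
        findings[name] = problems
    return findings


def lint_file(path: str) -> dict:
    """Convenience wrapper for a parameters file on disk."""
    with open(path, encoding="utf-8") as fh:
        return lint_parameters(json.load(fh))


KV_ID = "/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/KEYVAULT"

# Constructed sample 1: a correct Key Vault reference (approach 1 in the answer)
GOOD = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "SECRET_PARAM": {"reference": {"keyVault": {"id": KV_ID}, "secretName": "SECRET"}}
    },
}

# Constructed sample 2: secretName nested inside keyVault, a common mistake ARM rejects
BAD_NESTED = {
    "parameters": {
        "SECRET_PARAM": {"reference": {"keyVault": {"id": KV_ID, "secretName": "SECRET"}}}
    },
}

# Constructed sample 3: a real SAS URL pasted as a literal instead of a placeholder (approach 2 done wrong)
LEAKED = {
    "parameters": {
        "SECRET_PARAM": {"value": "https://acct.blob.core.windows.net/c?sv=2022-11-02&sig=REDACTED"}
    },
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad_nested", BAD_NESTED), ("leaked", LEAKED)):
        print(label, json.dumps(lint_parameters(doc), indent=2))
```

For approach 1 the deploying identity needs `Microsoft.KeyVault/vaults/deploy/action` and the vault must have `enabledForTemplateDeployment` set; for approach 2 the file should hold only a placeholder, as the answer's example does, and the real value arrives through `overrideParameters`.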
  2. I think you should not pass the secret out across tasks; you can use an inner reference instead.
    Declare the vault as an existing resource and then use getSecret('xxx'). Below is the official example:

    param sqlServerName string
    param adminLogin string

    param subscriptionId string
    param kvResourceGroup string
    param kvName string

    // Reference the already-deployed vault (possibly in another resource group or subscription)
    resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
      name: kvName
      scope: resourceGroup(subscriptionId, kvResourceGroup)
    }

    module sql './sql.bicep' = {
      name: 'deploySQL'
      params: {
        sqlServerName: sqlServerName
        adminLogin: adminLogin
        // getSecret() can only be assigned to a module parameter declared with @secure() in sql.bicep
        adminPassword: kv.getSecret('vmAdminPassword')
      }
    }
    

    Here are the docs
