Question 305109 in Azure Question posted in
The official documentation to get you started can be found here.

Azure – How to pass secrets retrieved from Key Vault to ARM template deployment during a pipeline run?

Within a pipeline run, we are attempting to use the retrieved key vault secret in an ARM template deployment. The secret value is a SAS URL.

We first retrieved all secrets using the AzureKeyVault@2 task

  - task: AzureKeyVault@2
    displayName: 'Retrieve all secrets necessary for install'
    inputs:
      azureSubscription: 'SUBSCRIPTION'
      KeyVaultName: 'KEYVAULT'
      SecretsFilter: 'SECRET'
      RunAsPreJob: false

We have two files in our repo: a Bicep template and a parameters JSON file, since .bicepparam ‘s don’t support key vault references. The parameters file is already referencing the secret we need, but the template doesn’t seem to be using it during deployment. The pipeline’s service principal has the Key Vault Secrets User role on the key vault’s scope.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "SECRET_PARAM": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/KEYVAULT"
            },
                "secretName": "SECRET"
            }
        }
    }
}

I’m guessing I should be passing the retrieved secret value from the pipeline task to the deployment task but I’m not sure how to do that when I’m already referencing a params file.

Let me know if any additional detail is needed. I’d appreciate any guidance you all can provide.

Tags:

2

Answers


  1. 0

    I think you mix two different approaches for parameters.

    1. Reference to AKV from the parameters file.

    In this case, you do not need to use AzureKeyVault@2. Check this manual: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

    2. Update parameters during deployment

    In this case, you do not need a secret reference in the parameter file. Just store it as a usual value. Then you may update it in the AzureResourceManagerTemplateDeployment@3 task.

    As an example:

    The parameter (just with some default value)

    "parameters": {
        "SECRET_PARAM": {
           "value": "SECRET"
        }
    }

    The ARM task

    - task: AzureResourceManagerTemplateDeployment@3
  displayName: 'ARM Template deployment: Resource Group scope'
  inputs:
    azureResourceManagerConnection: 'MY_CONNECTION'
    subscriptionId: 'MY_ID'
    resourceGroupName: 'MY_RG'
    location: 'West Europe'
    csmFile: '$(System.DefaultWorkingDirectory)/my_template_or_bicep_file'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/mt_parameters_file'
    overrideParameters: '-SECRET_PARAM "$(SECRET)"'
    Login or Signup to reply.
  2. 0

    I think you should not pass out the secret cross. you can use inner refer.
    using existing resource and the use getSecret(‘xxx’). below is the offical example:

    param sqlServerName string
param adminLogin string

param subscriptionId string
param kvResourceGroup string
param kvName string

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, kvResourceGroup )
}

module sql './sql.bicep' = {
  name: 'deploySQL'
  params: {
    sqlServerName: sqlServerName
    adminLogin: adminLogin
    adminPassword: kv.getSecret('vmAdminPassword')
  }
}

    Here is the docs

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search