Is it possible to retrieve a Storage Account’s Access Key when deploying the Storage Account via a Bicep module?
My parent bicep creates a storage account using a module file, and it then needs an Access Key but I cannot get it working in a way that’s secure:
Parent Bicep

    module functionAppStorageModule 'storage-account.bicep' = {
      name: 'functionAppStorage'
      params: {
        ...
      }
    }

    resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
      name: functionAppName
      location: location
      kind: 'functionapp'
      properties: {
        siteConfig: {
          appSettings: [
            {
              name: 'store_key'
              value: ???
            }
          ]
        }
      }
    }

I can get it working if I set an output on the module file, and use that output in the parent bicep:
Module Bicep

    output storageAccountStr string = 'AccountKey=${listKeys(storageAccount.id, storageAccount.apiVersion).keys[0].value}'

Parent Bicep

    properties: {
      siteConfig: {
        appSettings: [
          {
            name: 'store_key'
            value: functionAppStorageModule.outputs.storageAccountStr
          }
        ]
      }
    }

But this does not seem secure to me as the key appears in plain text in Deployments’ Output section on the Azure portal.
Alternatively, I may work around this by deploying the storage account beforehand without the use of a module file, as the use of modules seems to be the issue, but I would just like to know whether what I’m trying above is impossible?
Thanks
2 Answers
If you create the function app in a different module, this should work.

storage-account.bicep file:

function-app.bicep file:

Then in your main.bicep:

I found the answer. Here’s an example of how to rewrite the external listKeys() call to use a helper function from the resource.

Old:

New:
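
The pattern both answers describe, as an added example that is not the answerers' code: the storage module outputs only the account name, and a separate function app module looks the account up with `existing` and calls the resource's `listKeys()` helper, so the key never passes through a module output or parameter. The three files are shown in one block; the module and parameter names, the `Microsoft.Storage` API version and the SKU are assumptions, and the function app resource is kept as minimal as in the question.

```bicep
// ===== storage-account.bicep (module; names and API version are assumptions) =====
param storageAccountName string
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageAccountName
  location: resourceGroup().location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
}
// Output only the name: module outputs are kept in the deployment history.
output storageAccountName string = storageAccount.name

// ===== function-app.bicep (module) =====
param functionAppName string
param storageAccountName string
// Reference the account deployed by the other module instead of receiving its key.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
  name: storageAccountName
}
resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
  name: functionAppName
  location: resourceGroup().location
  kind: 'functionapp'
  properties: {
    siteConfig: {
      appSettings: [
        {
          name: 'store_key'
          // Resource helper form of listKeys(storageAccount.id, storageAccount.apiVersion)
          value: 'AccountKey=${storageAccount.listKeys().keys[0].value}'
        }
      ]
    }
  }
}

// ===== main.bicep (parent) =====
param functionAppName string
param storageAccountName string
module functionAppStorageModule 'storage-account.bicep' = {
  name: 'functionAppStorage'
  params: { storageAccountName: storageAccountName }
}
module functionAppModule 'function-app.bicep' = {
  name: 'functionApp'
  params: {
    functionAppName: functionAppName
    storageAccountName: functionAppStorageModule.outputs.storageAccountName
  }
}
```

Passing the module output as a parameter also gives `functionAppModule` an implicit dependency on the storage module, so the key is listed only after the account exists.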