Azure Key Vault is a pivotal cloud service to store and share secrets. It safeguards cryptographic keys and secrets for cloud applications and services. Despite its significance, integrating it with Bicep, an Azure resource management tool, might seem daunting. Hence, this guide simplifies the retrieval of secrets from Azure Key Vault using Bicep, focusing on secure and efficient secret management.
Bicep stands as an open-source Domain Specific Language (DSL). It is tailored for declaratively deploying Azure resources, aiming to simplify Azure Resource Manager (ARM) templates. Accessing secrets in Azure Key Vault is a common operation with Bicep. It’s essential for managing sensitive information securely.
First, ensure your secrets are correctly stored in Azure Key Vault. Adhere to best practices on permissions and access policies for secure storage.
We initially discussed using a parameters file referencing the Key Vault secret. You start by declaring a secure variable in your Bicep file. Then, create a parameters file. In it, specify the secret’s value through the Key Vault’s resource identifier and the secret’s name.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mySecret": {
"reference": {
"keyVault": {
"id": "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
},
"secretName": ""
}
}
}
}
Alternatively, you can use the getSecret function. This method directly obtains a Key Vault secret and passes its value to a string parameter. It’s especially useful for modules. The function must target a Microsoft.KeyVault/vaults resource. It’s applicable only with parameters marked with @secure().
First, declare your parameters. Then, utilize the kv.getSecret call to fetch the administrator password directly:
param sqlServerName string
param adminLogin string
@secure()
param adminPassword string = kv.getSecret('vmAdminPassword')
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
name: kvName
scope: resourceGroup(subscriptionId, kvResourceGroup)
}
resource sqlServer 'Microsoft.Sql/servers@2020-11-01-preview' = {
name: sqlServerName
location: resourceGroup().location
properties: {
administratorLogin: adminLogin
administratorLoginPassword: adminPassword
version: '12.0'
}
}
This method streamlines the process by embedding secret retrieval within the Bicep file, thus, eliminating the need for a separate parameters file.
When using a module, such as an SQL deployment, you can reference an existing Key Vault and use getSecret to pass the secret as a parameter:
module sql './sql.bicep' = {
params: {
adminPassword: kv.getSecret('vmAdminPassword')
}
}
Furthermore, the getSecret function can also be utilized in a .bicepparam file for more dynamic deployments.
Incorporating Azure Key Vault secrets into your Bicep deployments can be achieved through either referencing a parameters file or utilizing the getSecret function. Both methods provide secure, automated secret management, streamlining your deployment processes. Always adhere to security best practices, such as secure transport methods and access control, to maintain the confidentiality and integrity of your secrets.