Accessing KeyVault secrets in Bicep

Tanguy SCHOUBERT
Category: Bicep
29/02/2024

Azure Key Vault is the Azure service for storing and sharing secrets: it safeguards cryptographic keys and secrets for cloud applications and services. Despite its importance, integrating it with Bicep, Azure's infrastructure-as-code language, can seem daunting at first. This guide therefore walks through retrieving secrets from Azure Key Vault in Bicep, focusing on secure and efficient secret management.

Introduction to Bicep

Bicep is an open-source domain-specific language (DSL) for declaratively deploying Azure resources, designed as a simpler alternative to writing Azure Resource Manager (ARM) templates directly. Reading secrets from Azure Key Vault is a common operation in Bicep and is essential for handling sensitive information securely.

Preparing the Azure Key Vault

First, make sure your secrets are stored in Azure Key Vault. Adhere to best practices on permissions and access policies: the identity that runs the deployment should be granted only the secret access it needs.

Method 1: Reading a Secret with a Parameters File

The first method uses a parameters file that references the Key Vault secret. You start by declaring a parameter marked @secure() in your Bicep file. Then create a parameters file and, in it, supply the parameter's value as a reference made of the Key Vault's resource identifier and the secret's name:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mySecret": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
        },
        "secretName": ""
      }
    }
  }
}
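
As an added example (not part of the original post), here is a Python pre-deployment check that reads the @secure() declarations from a Bicep template and verifies that the parameters file supplies each one as a Key Vault reference with a fully filled-in vault ID rather than as a literal value; the template, parameter names and <placeholder> IDs are constructed for illustration. It also flags a reference whose vault ID still has empty segments, like the unfilled template above.

```python
import re

# Constructed sample inputs (not from a real deployment): a Bicep template with
# one @secure() parameter, and the "parameters" object of a deployment
# parameters file that supplies it through a Key Vault reference (Method 1).
BICEP_TEMPLATE = """
param sqlServerName string
param adminLogin string

@secure()
param adminPassword string
"""

GOOD_PARAMETERS = {
    "sqlServerName": {"value": "sql-example-01"},
    "adminLogin": {"value": "sqladmin"},
    "adminPassword": {
        "reference": {
            "keyVault": {"id": "/subscriptions/<subscription-id>/resourceGroups"
                               "/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"},
            "secretName": "vmAdminPassword",
        }
    },
}

# "@secure()" followed, possibly after other decorators, by "param <name>".
SECURE_PARAM = re.compile(r"@secure\(\)(?:\s*@\w+\([^)]*\))*\s*param\s+(\w+)")
# A Key Vault resource ID with every path segment filled in.
VAULT_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                      r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.IGNORECASE)


def secure_params(bicep_source):
    """Names of the parameters declared with the @secure() decorator."""
    return set(SECURE_PARAM.findall(bicep_source))


def find_unsafe_secrets(bicep_source, parameters):
    """Return the @secure() parameters that the parameters file supplies as a
    literal value or as an incomplete Key Vault reference. Parameters absent
    from the file are skipped (they are prompted for or passed on the CLI)."""
    findings = []
    for name in sorted(secure_params(bicep_source)):
        entry = parameters.get(name)
        if entry is None:
            continue
        ref = entry.get("reference") or {}
        vault_id = (ref.get("keyVault") or {}).get("id", "")
        if "value" in entry or not VAULT_ID.match(vault_id) or not ref.get("secretName"):
            findings.append(name)
    return findings
```

Run it against the template and the parsed parameters file before `az deployment group create`; a non-empty result means a secure parameter would be passed as plaintext or with a broken vault reference.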

Method 2: Using the getSecret Function

Alternatively, you can use the getSecret function. It obtains a Key Vault secret directly and passes its value to a string parameter of a module, which makes it especially useful when your deployment is split into modules. The function must be called on a Microsoft.KeyVault/vaults resource, and the receiving parameter must be marked with @secure().

Example: Creating an Azure SQL Server

First, declare your parameters and reference the existing Key Vault. Then pass kv.getSecret('vmAdminPassword') to the module that creates the SQL server. Because getSecret is only valid when directly assigning a @secure() module parameter, the SQL server itself lives in a second file:

// main.bicep
param sqlServerName string
param adminLogin string

// Where the existing Key Vault holding the secret lives
param subscriptionId string
param kvResourceGroup string
param kvName string

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, kvResourceGroup)
}

module sql './sql.bicep' = {
  name: 'deploySQL'
  params: {
    sqlServerName: sqlServerName
    adminLogin: adminLogin
    adminPassword: kv.getSecret('vmAdminPassword')
  }
}

// sql.bicep
param sqlServerName string
param adminLogin string

@secure()
param adminPassword string

resource sqlServer 'Microsoft.Sql/servers@2020-11-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    version: '12.0'
  }
}

This method streamlines the process by embedding secret retrieval within the Bicep file, thus, eliminating the need for a separate parameters file.

Whenever the secret is consumed by a module, such as a separate SQL deployment file, reference the existing Key Vault in the parent file and use getSecret when assigning the module's @secure() parameter:

module sql './sql.bicep' = {
  name: 'deploySQL'
  params: {
    sqlServerName: sqlServerName
    adminLogin: adminLogin
    // getSecret may only be used here: directly assigning a @secure() module parameter
    adminPassword: kv.getSecret('vmAdminPassword')
  }
}

The getSecret function can also be used in a .bicepparam file, which keeps the Key Vault reference out of the template itself and makes deployments more dynamic.

Conclusion

Azure Key Vault secrets can be brought into your Bicep deployments either by referencing them from a parameters file or by using the getSecret function. Both methods keep the secret value out of your source files and let Azure resolve it at deployment time, streamlining your deployment processes. Always adhere to security best practices, such as secure transport and access control, to maintain the confidentiality and integrity of your secrets.