Azure Bicep and Key Vault Parameters
Azure Bicep and Key Vault Parameters

Azure Bicep – Referring Secrets from Key Vault in Parameter File

In the previous article, we have seen how a key vault can be used to store sensitive values and how to use those values in the bicep file. In this article, we are going to see how to use values from key vault in bicep parameters file.

What is bicep parameters file ?

A bicep parameters file is a JSON file which can be used to supply the parameter values required for a bicep deployment. We already have covered this in one of the previous posts.

The only issue is – as it is a JSON file, it stores the parameter values in plain text. So, if there are any sensitive values, those values would not be secure. For storing sensitive values, we can use Azure Key Vault. In this article, we are going to see how the value from Azure Key Vault can be referred in the parameters file.

Current State of Bicep File and Parameter File

We are going to use this bicep file, first.bicep, shown in the code snippet given below.

And below is the bicep parameters file, first.parameters.json which has the hardcoded parameter values as of now.

Key Vault and Secret Value

As we have seen in the previous post, for using the secrets from key vault as parameter value, the parameter from bicep file must be decorated with @secure() decorator. We already have decorated parameter storageAccountName with this decorator.

We also have added that in the key vault in previous post. Below are the commands for creating a new key vault or updating an existing key vault to support its usage with bicep files.

The Azure CLI script for adding the parameter value to key vault is given below for the ready reference.

What do we need to do to refer the values from key vault ?

It’s simple. We need to identify the parameter which is supposed to get the value from the key vault. For getting the value of this parameter from the key vault, we need to add reference to the key vault by providing its resource identifier and then the name of the secret from the key vault.

Let’s go to Azure Portal and navigate to our key vault. On the Overview blade, select JSON view, which will open a new panel. On the new panel, you should be able to view the resource ID for the key vault. Copy it.

The code snippet given below shows the modified version of parameters file. It has a reference object which has keyvault:id and secretName properties. The keyvault:id is basically the resource id that we copied from portal and secretName is the name of secret.

Run and Verify

Now, let’s try Visual Studio Code Bicep Extension to deploy the first.bicep file. Right click on the file and select Deploy the Bicep File option. This should show you wizard to select subscription name and resource group name. Then it would ask to provide the parameters file. Browse and select the parameters file that we have created.

Once this is done, the deployment should be successful. Now, you can login to Azure Portal and view that resources are created successfully. Now that the demo is running successfully, do not forget to clean the resources.

I hope you find this information helpful. Let me know your thoughts.

Leave a Reply Cancel reply