In the past few articles I have been writing about Azure Bicep, and one of them covered the Bicep parameter file. In this article we look at how to store sensitive values in Azure Key Vault and how to make those values available to a Bicep deployment.
Why do we need this?
The Bicep parameter file is one place where we can define all the parameter values. We can pass this file as input when deploying a Bicep file, so that we do not have to supply each parameter value individually.
There is one problem: the parameter file is a JSON file and it stores every value in plain text. Any sensitive value you put in it (a password, an API key, a connection string) therefore ends up on disk, in source control and wherever the file is copied for deployment. For such values we can use Azure Key Vault instead: the vault holds the sensitive values, and the Bicep deployment reads them from the vault at deployment time, so the secret never appears in the template or in the parameter file.
In this article we will create a key vault, store a parameter value in it as a secret, and then show how that value is supplied to the Bicep deployment.
Create Azure Key Vault
First of all, it is not necessary to create a new key vault just for using it with Bicep. If you have an existing key vault, you only need to make sure that the enabledForTemplateDeployment property is set to true on that key vault. This property is what allows Azure Resource Manager to read secrets from the vault while a deployment is running; without it, the deployment fails even if the deploying user has the required permission.
Below is the script for creating a new key vault; it also contains the commands for updating an existing key vault.
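As an added example (this is not the article's own script), the following Bicep template creates a key vault with enabledForTemplateDeployment set to true and seeds one secret from a @secure() parameter, so the secret value never has to be written into a .bicep or .parameters.json file. The parameter names, the secret name storageAccountName and the symbolic names are assumptions chosen for the demo. For an existing vault the equivalent Azure CLI change is az keyvault update --name <vault-name> --enabled-for-template-deployment true.

```bicep
// Added example: key vault prepared for Bicep/ARM template deployment.
// All parameter and symbolic names below are assumptions, not from the article.

@description('Globally unique vault name: 3-24 alphanumeric characters and hyphens.')
@minLength(3)
@maxLength(24)
param keyVaultName string

param location string = resourceGroup().location

@description('Name of the secret that a later deployment reads with getSecret().')
param secretName string = 'storageAccountName'

@description('Secret value. Pass it on the command line or from a pipeline variable, never hardcode it.')
@secure()
param secretValue string

@description('Client IPs/CIDRs allowed to use the data plane (e.g. to run az keyvault secret set).')
param allowedClientIps array = []

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // The property the article calls out: lets Azure Resource Manager resolve
    // getSecret() references during a deployment.
    enabledForTemplateDeployment: true
    // Not needed for template deployment; leave them off unless you use them.
    enabledForDeployment: false
    enabledForDiskEncryption: false
    // Azure RBAC instead of legacy access policies for data-plane authorization.
    enableRbacAuthorization: true
    // Soft delete is mandatory on new vaults; purge protection stops a compromised
    // identity from permanently destroying secrets. Both slow down teardown.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    networkAcls: {
      defaultAction: 'Deny'
      // 'AzureServices' keeps the trusted Azure Resource Manager deployment path open
      // while the vault is otherwise closed to the public internet.
      bypass: 'AzureServices'
      ipRules: [for ip in allowedClientIps: {
        value: ip
      }]
      virtualNetworkRules: []
    }
  }
}

// Seeding the secret through the deployment keeps the value out of every file:
// it only ever exists as a secure parameter and inside the vault.
resource seededSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: secretName
  properties: {
    value: secretValue
    contentType: 'text/plain'
  }
}

output keyVaultName string = kv.name
output keyVaultId string = kv.id
// Deliberately no output of secretValue: outputs are stored in plain text in the deployment history.
```

Deploy it with, for example, az deployment group create --resource-group <rg> --template-file keyvault.bicep --parameters keyVaultName=<name> secretValue=<value>; because secretValue is a @secure() parameter it is not recorded in the deployment history.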
For more information about Key Vault, refer to the following pages of the documentation:
- Set and retrieve a secret by using CLI
- Set and retrieve a secret by using PowerShell
- Set and retrieve a secret by using the portal
- Set and retrieve a secret by using .NET
- Set and retrieve a secret by using Node.js
Bicep Template For Demo
We are going to use the same templates that we used for the modules demo. There is a first.bicep file, which contains the code to create a storage account.
Then there is another Bicep file, module-demo.bicep, which uses the above module, as shown in the code snippet below. Currently the parameter values are hardcoded in that file; the plan is to get the storage account name from the key vault that we created.
Add Secret to Key Vault
The code snippet below shows two Azure CLI commands that store the storage account name, which we are going to fetch from the key vault, as a secret.
Note that a storage account name is not really a sensitive value; real examples of sensitive values are credentials (passwords or certificates), API keys and connection strings. This article only demonstrates the mechanism, so for the purpose of the demo we treat the storage account name as a sensitive value that we want to keep in the key vault. (Keep in mind that resource names are visible in the portal and in the deployment history anyway, so a real deployment would use this technique for credentials rather than names.)
Use Secrets from Key Vault in Bicep
Now, let's use the secret value in the Bicep file. To read a value from Key Vault we call the getSecret function on a key vault resource and pass the result to a string parameter of a module. There is one restriction: getSecret can only be used as the value of a module parameter, and that parameter must be decorated with @secure(). It cannot be assigned directly to a variable or to a resource property. Because the parameter is secure, Azure Resource Manager resolves the secret at deployment time and does not record its value in the deployment history.
The modified first.bicep file is shown below.
Now, let's move to the other file, which calls first.bicep as a module; both files should be in the same directory. We modify this file to reference the key vault as an existing resource (the existing keyword, optionally with a scope if the vault lives in another resource group or subscription), and then call getSecret on its symbolic name.
Below is the modified code of the file:
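The two files described above, written out as an added example rather than the article's own code. first.bicep declares the storage account name as a @secure() module parameter; module-demo.bicep references the existing vault and passes kv.getSecret(...) to that parameter. The parameter names, the secret name storageAccountName and the module name are assumptions.

```bicep
// ---------------------------------------------------------------------------
// first.bicep (module) - added example, not the article's file.
// The storage account name arrives as a secure parameter; nothing here knows
// or cares that the value came from Key Vault.
// ---------------------------------------------------------------------------
@description('Storage account name supplied by the caller from Key Vault: 3-24 lowercase letters and digits.')
@secure()
param storageAccountName string

param location string = resourceGroup().location

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
  }
}

// Output the resource ID, not the secure parameter: module outputs are written to
// the deployment history in plain text, which would undo the point of using Key Vault.
output storageAccountId string = storage.id

// ---------------------------------------------------------------------------
// module-demo.bicep (caller) - added example, not the article's file.
// Must sit in the same directory as first.bicep because of the relative path.
// ---------------------------------------------------------------------------
@description('Name of the existing key vault that holds the secret.')
param keyVaultName string

@description('Resource group of the key vault; defaults to the deployment resource group.')
param keyVaultResourceGroup string = resourceGroup().name

@description('Subscription of the key vault; defaults to the deployment subscription.')
param keyVaultSubscriptionId string = subscription().subscriptionId

// 'existing' means: do not create or modify anything, just give me a reference.
// The scope lets the vault live in a different resource group or subscription.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultSubscriptionId, keyVaultResourceGroup)
}

module storage './first.bicep' = {
  name: 'storage-account-from-keyvault'
  params: {
    // getSecret is resolved by Azure Resource Manager at deployment time using the
    // deployer's Microsoft.KeyVault/vaults/deploy/action permission. It is only
    // allowed here, as the value of a @secure() module parameter; assigning it to a
    // variable or a resource property is a compile-time error.
    // A second argument pins a specific version: kv.getSecret('storageAccountName', '<version>')
    storageAccountName: kv.getSecret('storageAccountName')
  }
}

output storageAccountId string = storage.outputs.storageAccountId
```

If the secret value does not satisfy the storage account naming rules (3 to 24 lowercase letters and digits), the deployment fails at validation time with a naming error, which is the first thing to check when a getSecret-based deployment is rejected.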
Permissions Needed
The user or pipeline identity that deploys the Bicep file must have the Microsoft.KeyVault/vaults/deploy/action
permission on the key vault (or on its resource group). The Owner and Contributor roles both include it, so if you created the key vault you normally already hold one of those roles on its resource group and have the permission. Note that this is a management-plane action: with getSecret the deploying identity does not need data-plane rights such as Key Vault Secrets User, because Azure Resource Manager reads the secret on the deployment's behalf.
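Owner and Contributor grant far more than this one action. As an added example (not from the article), the following Bicep file defines a custom role that carries only Microsoft.KeyVault/vaults/deploy/action and assigns it to a deployment identity on the vault itself, which is the least-privilege way to let a pipeline resolve getSecret references. The role name, parameter names and the principalType default are assumptions.

```bicep
// Added example: least-privilege role for resolving getSecret() during deployments.
// Deployed at resource-group scope; names are assumptions chosen for the demo.

@description('Existing key vault the deployment identity must read secrets from.')
param keyVaultName string

@description('Object ID of the user, group or service principal that runs the deployment.')
param principalId string

@allowed([
  'User'
  'Group'
  'ServicePrincipal'
])
param principalType string = 'ServicePrincipal'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Custom role: a single management-plane action, no data-plane actions, and only
// assignable inside this resource group. Role names must be unique in the tenant,
// hence the resource group name in roleName.
resource deployOnlyRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(resourceGroup().id, 'KeyVaultTemplateDeployer')
  properties: {
    roleName: 'Key Vault Template Deployer (${resourceGroup().name})'
    description: 'Lets Azure Resource Manager resolve Key Vault references (getSecret) during deployments. No vault management and no direct secret access.'
    type: 'CustomRole'
    permissions: [
      {
        actions: [
          'Microsoft.KeyVault/vaults/deploy/action'
        ]
        notActions: []
        dataActions: []
        notDataActions: []
      }
    ]
    assignableScopes: [
      resourceGroup().id
    ]
  }
}

// Assignment scoped to the vault resource, not the resource group or subscription.
// The deterministic name makes the deployment idempotent.
resource deployOnlyAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, principalId, deployOnlyRole.id)
  scope: kv
  properties: {
    roleDefinitionId: deployOnlyRole.id
    principalId: principalId
    principalType: principalType
  }
}

output roleDefinitionId string = deployOnlyRole.id
```

Creating role definitions and assignments itself requires Microsoft.Authorization/roleDefinitions/write and roleAssignments/write (Owner or User Access Administrator), so this file is run once by an administrator, after which the pipeline identity only needs the custom role.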
Run and Verify
Now, let's deploy module-demo.bicep with the Visual Studio Code Bicep extension: right-click the file and select the Deploy Bicep File option. A wizard asks for the subscription and the resource group. Once the deployment succeeds, log in to the Azure portal and verify that the storage account was created. It is also worth opening the deployment in the resource group's Deployments blade: the module's secure parameter is listed by type only and its value is not shown, which is the whole point of routing it through Key Vault.
Now that the demo runs successfully, do not forget to clean up the resources. Keep in mind that a deleted key vault is kept in a soft-deleted state for its retention period, during which its name cannot be reused unless the vault is purged, and a vault with purge protection enabled cannot be purged at all until the retention period ends.
I hope you find this information helpful. Let me know your thoughts.