0
votes

Is it possible to get a secret from the key vault from inside the custom data (cloud-init) portion of a parameter file in an ARM template? This is what I am trying to accomplish:

I need to inject a config.json file to a vm to a specific location, for simplicity, let's say /tmp. I am thinking about using cloud-init.

The config.json file looks like this:

```
#other cloud-init directives here....
"user": {
        "username": "admin",
        "password": "password",
        "role": "system_administrator",
        "type": "local"
    }
```

It goes without saying that I am looking for a way to not hard-code the password inside the file that I will create with cloud-init. Is it possible to call a secret from inside a cloud-init configuration?

If the above is not possible, can I create a variable in my ARM template (that gets the password from the Key Vault) and then reference that variable in the cloud-init configuration?

If that is not possible either, does anyone have a recommendation on how to possibly create a config file in cloud-init that has a password?

Any ideas are welcome. Ultimately the ARM template will be deployed using Azure DevOps, so perhaps there is another way? Or maybe cloud-init isn't the way to go?

2
Have you tried following the Microsoft tutorial for accessing Key Vault secrets during an ARM deployment? You can find the documentation here. – Connor Dickson

Thanks @ConnorDickson, I did see that one. I was hoping to somehow get the secret into cloud-init though, but I am starting to think it's not possible. – Rafael Ruales

I think this may be what I am looking for: stackoverflow.com/questions/60745930/… Will try and update. – Rafael Ruales

This certainly works: stackoverflow.com/questions/60745930/… although it would be nice to be able to write out the cloud-init directives in the parameter file, as opposed to cramming them on a single line. If anyone knows if you can put your cloud-init config directly into the parameters file or the template directly, let me know! – Rafael Ruales

2 Answers

1
votes

I'm not sure what your issue is exactly, but you can use this article to figure out how to use the Key Vault secrets in the template; it's pretty straightforward.

Couple of notes:

  1. You will have to use concat to insert the secret into the single line you mention in your question.
  2. I'm reasonably sure you need to provide the cloud-init text as a single line encoded in base64; there is no way around that.
  3. You can also do something like this in cloud-init, which can ease your pain a bit:

```
#include
http://somesite.com/path/to/cloud-init.txt
```
0
votes

I'd recommend wrapping a Managed Identity to the VM that has AccessPolicy READ to the Key Vault. Then just pull the value via PowerShell or API (Invoke-RestMethod) as an inline command in the CustomData field.