0
votes

I have an ARM template which provisions a Data Lake, and I would like to store its secret in Key Vault. I assume that I should use the output section in the ARM JSON, like this, but how should I store it in an already existing (!) Key Vault?

"outputs": {
    "storageAccountName": {
        "type": "string",
        "value": "[variables('storageAccountName')]"
    },
    "storageAccountConnectionString": {
        "type": "string",
        "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]"
    }
}
1
Good answer below, but a side point - do not put secrets in the output of a template deployment - outputs can be seen by users with "read" permissions on the deployment (e.g. resource group) so it will expose the secret to those users. Instead, output the resourceId() of the resource that contains the secret and use it in the template where it's needed (example in the answer below) - bmoore-msft

1 Answer

0
votes

You can add values to Key Vault using an ARM template and also read them back in an ARM template.

Add below resource for each key vault secret:

{
      "type": "Microsoft.KeyVault/vaults/secrets",
      "location": "[parameters('location')]",
      // name is "<existing vault name>/<secret name>"
      "name": "[concat(parameters('keyVaultName'), '/', 'api', '--storageAccountConnectionString')]",
      // template expressions must be wrapped in [ ]
      "apiVersion": "[parameters('apiVersion')]",
      // listKeys() needs the storage account to exist first; dependsOn may only
      // reference resources defined in this template, not the existing vault
      "dependsOn": [
        "[variables('storageAccountResourceId')]"
      ],
      "properties": {
        "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]",
        "contentType": "text/plain"
      }
    }

Read this secret after deployment through a parameter value in an ARM template:

"storageAccountConnectionString": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT_NAME"
        },
        "secretName": "api--storageAccountConnectionString"
      }
    },
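A complete template that ties the answer and bmoore-msft's comment together (an added example, not code from the question or the answer): it creates the storage account, writes its connection string into an existing Key Vault in the same resource group, and outputs only the secret's resourceId, never the secret value. Assumed names (storageAccountName, keyVaultName, api--storageAccountConnectionString) are placeholders; the deploying identity needs "set" permission on secrets in that vault, and the `//` comments use the comment form ARM templates accept.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "keyVaultName": { "type": "string" }, // existing vault, same resource group (assumption)
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "storageAccountApiVersion": "2019-06-01",
    "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "secretName": "api--storageAccountConnectionString"
  },
  "resources": [
    {
      // Data Lake Gen2 is a StorageV2 account with the hierarchical namespace enabled
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "[variables('storageAccountApiVersion')]",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "kind": "StorageV2",
      "sku": { "name": "Standard_LRS" },
      "properties": { "isHnsEnabled": true }
    },
    {
      // the secret is a child of the existing vault; no dependsOn on the vault,
      // because dependsOn may only name resources deployed by this template
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/', variables('secretName'))]",
      "dependsOn": [ "[variables('storageAccountResourceId')]" ],
      "properties": {
        "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value, ';EndpointSuffix=core.windows.net')]",
        "contentType": "text/plain"
      }
    }
  ],
  "outputs": {
    // a reference to the secret, safe for anyone with read access to the deployment;
    // consumers resolve it through a Key Vault parameter reference as shown above
    "connectionStringSecretId": {
      "type": "string",
      "value": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('secretName'))]"
    }
  }
}
```

After deployment, the `connectionStringSecretId` output carries only the secret's ARM id; the value stays in the vault and is only readable by principals the vault's access policy or RBAC allows.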