Reference Key Vault secrets using Azure Bicep

Security plays a big role in IT. When you write almost everything as code, you know it is a no-go to write passwords, personal access tokens or other secrets hard-coded and commit these in your source control. To avoid a check-in of secrets in your source control, you can use Azure Key Vault to “host” these secrets for you.

Azure Key Vault is an Azure service for securely storing secrets. A secret can be a personal access token (PAT), API keys, passwords or certificates. If you work with Azure this is the recommended service to handle your secrets management. 

Get secret from Key Vault

In this scenario we are working with an existing key vault. In this key vault I added the secret adminPassword. This secret is going to be the admin password for a virtual machine.

Key Vault hosting the adminPassword secret

First we have to retrieve the key vault. To do this we use the existing keyword in Bicep. We scoped the location of the key vault using the subscriptionId and resource group name.

resource myKv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
name: 'kv-john-2022'
scope: resourceGroup(subId, rgName)
}

Now we have done this, there is a reference to the key vault kv-john-2022. The key vault resource contains some properties and a getSecret method. This is the method we need to retrieve the secret from the key vault.

List of Key Vault properties and methods

The method getSecret has one required parameter called secretName and also contains an optional parameter called secretVersion.  To call the method use the symbolic name myKv and refer to the getSecret method .getSecret(secretName).

resource myKv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
name: 'kv-john-2022'
scope: resourceGroup(subId, rgName)
}
module vm 'virtualMachine.bicep' = {
name: 'my-vm'
params: {
adminPassword: myKv.getSecret('adminPassword')
}
}

Output

To protect the potential leak of secrets you cannot output these secrets. This will result in an error:

Error output when “outputting” secrets

Conclusion

Flow of retrieving secrets through Azure Resource Manager

To retrieve your secrets using infrastructure as code you need to define the key vault name and secret name in the parameter file and refer this to the Bicep template file. The Bicep template contains reference to the key vault and secret. The Resource Manager executes the getSecret() method defined in the Bicep template. The queried key vault will return the secret and the Azure Resource Manager replaces this with the adminPassword.

This is the Bicep best practice way to retrieve secrets from a specified key vault in your infrastructure as code. 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s