Azure ARM template how to get dynamic keyvault appsettings to function - azure

I took the template from quickstart templates (https://github.com/Azure/azure-quickstart-templates/blob/master/101-functions-managed-identity/azuredeploy.json).
I would like to add a "@Microsoft.KeyVault(SecretUri=secret_uri_with_version)" application setting to my keyvault within an ARM template. How can I do this? Let's say my keyvault name is "MyKeyVault" and my secret name is "MySecret". I found from the MS docs that this kind of reference should work:
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('keyVaultResourceId')).secretUriWithVersion, ')')]",
But I just get error message "The resource 'Microsoft.KeyVault/vaults/MyKeyVault' is not defined in the template."
I am creating resource Id with this line:
"keyVaultResourceId": "[resourceId(subscription().subscriptionId, parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"

Ah, ok, I see: you are trying to get the reference from the Key Vault, not from the secret. The key vault obviously doesn't have that property, because it's not a secret, it's a key vault. So you need to construct a reference to your secret:
reference(resourceId('rg', 'Microsoft.KeyVault/vaults/secrets', 'kvname', 'secretname'), '2019-09-01').secretUriWithVersion

Related

Azure Bicep ( key vault secret passing as a parameter to local variable)

I am new to Azure Bicep. I am trying to use the key vault secret name and value for the virtual machine (Windows) credential. But I am facing a problem with passing the name and value of the key vault as a parameter to a local variable. Anyone who can guide me regarding this matter?
@description('Password for the Virtual Machine.')
@secure()
param adminPassword string = keyVault.getSecret()
You can't use the getSecret() function in the main.bicep file (i.e. as a defaultValue) - you can only use that in a module within a bicep file. @Deep has a link for that...
If you want to pass the secret to main.bicep you need to use a parameter reference in a parameter file, see: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file

Azure Key Vault - How to update the secrets

In Azure Portal > Key vaults > Secrets, I have secrets with JSON values (I did not create them). Something like:
...
"SubscriptionId": "XXXXXXX",
"BaseAuthUri": "https://login.microsoftonline.com/XXXXX/oauth/authorize?client_id="&api-version=
...
I would like to add another URL value to it. How can I edit the secrets with the Azure portal?
How is the value of api-version set?
Thanks
You can only change secret attributes such as the expiration date and activation date. You cannot change a secret's value programmatically or via the Azure Portal. If you want to update your secret without creating a new vault (meaning the secret identifier still remains intact) you can create a new version of the existing secret.
If the secret value contains the variables to get an authorization code, you don't need an API version because the URI you call is the authorization endpoint.

Azure Datalake Arm Template Key Vault Key Version

Similar to referencing the ResourceId of the Key Vault:
"keyVaultResourceId": "[concat(resourceGroup().id, '/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
Is it possible to reference, in the same resource group, a previously created key vault key version in an ARM template that is deploying a user-managed-key encrypted Data Lake?
I'm trying something like this below:
"keyVaultResourceId": "[concat(resourceGroup().id, '/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
"encryptionKeyName": "[parameters('encryptionKeyName')]",
"encryptionKeyVersion": "[list(resourceGroup(), '/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'), parameters('encryptionKeyName')), '2016-10-01').encryptionKeyVersion]"
What is the correct json syntax supposed to look like?

Azure Key Vault Understanding

The following GitHub deployment allows me to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.
Can someone explain what is meant by the statement:
"the password is never put in plain text in the template parameter file"?
If you don't use Key Vault, even when the adminPassword type is securestring, when you enter the adminPassword during deployment it is shown as plaintext, not ******. It is not safe. But if you use Key Vault, the password is stored in Key Vault and saved encrypted, so others cannot see your password.
In the template, you should configure your template using Key Vault like below:
"adminPassword": {
    "reference": {
        "keyVault": {
            "id": "/subscriptions/XXXXXXX/resourceGroups/resourceGroupName/providers/Microsoft.KeyVault/vaults/vaultName"
        },
        "secretName": "secretName"
    }
},
Please refer to the similar question: How to hide password in shell script during ARM template deployment.
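A complete parameters file for the pattern used in this answer and recommended in the Bicep answer above, added here as an example; it is not from either post. The vault path uses obvious placeholders rather than real identifiers, and the parameter names adminUsername and adminPassword and the secret name vmAdminPassword are assumed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": "azureuser"
    },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id-placeholder>/resourceGroups/<vault-resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
```

Three things have to line up for this to work: the template must declare the parameter as "securestring" (or "secureObject"), otherwise the deployment is rejected; the vault must have "enabledForTemplateDeployment" set to true; and the identity running the deployment needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault (the Key Vault Contributor and Owner roles include it). Resource Manager resolves the reference at deployment time, so the value never appears in the parameters file, in the deployment history, or in the portal input. An optional "secretVersion" next to "secretName" pins a specific version; without it the current version is used.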

How do I define a certificate resource in my ARM template when it is hosted in the Key Vault?

I am trying to define an ARM template for my resource group. Ultimately I'm trying to replicate what I have to do manually by navigating to the SSL certificates tab for an App Service within the portal.
I've uploaded a PFX file to the Secrets tab of my KeyVault. I've granted Get access to the global RM service principal.
At the moment this is what my Microsoft.Web/certificates resource looks like in my template. It is just defined as a resource at the top level of the resource group, and not as a sub-resource of a website or anything like that:
{
    "type": "Microsoft.Web/certificates",
    "name": "signingCredentials",
    "location": "[parameters('region')]",
    "apiVersion": "2015-08-01",
    "properties": {
        "keyVaultId": "<My KeyVault ID>",
        "keyVaultSecretName": "<My Secret Name>"
    }
}
When I attempt to deploy this template I receive the message:
The parameter KeyVault Certificate has an invalid value
I haven't been able to find any documentation on this parameter and what value it would be expecting. I'm assuming it's missing from the properties section in the resource. So far anything I've found on the subject only references keyVaultId and keyVaultSecretName.
What am I doing wrong? Is what I'm trying to accomplish even possible?
The problem does not appear to be caused by my template, but by something with how the certificate was uploaded to the KeyVault through the UI. This article provided me with a script to upload the file directly to the KeyVault using PowerShell.
$pfxFilePath = "F:\KeyVault\PrivateCertificate.pfx"
$pfxPassword = "[2+)t^BgfYZ2C0WAu__gw["   # PFX import password; renamed from $pwd, which shadows PowerShell's automatic $PWD variable
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pfxPassword, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)   # re-exported as PKCS#12 without a password
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force   # the switch needs an ASCII hyphen, not an en dash
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName akurmitestvault -Name keyVaultCert -SecretValue $secret -ContentType $secretContentType # Change the Key Vault name and secret name
Using the Get-AzureKeyVault script from Jambor's answer, I am unable to see any difference from the certificate uploaded in the UI. I even changed the content type of my uploaded certificate from Certificate to application/x-pcks2 and it still did not work. Seems like it might possibly be a bug in the UI, or just a difference in how the PowerShell script handles it.
The parameter KeyVault Certificate has an invalid value
It seems that this issue is not caused by your template. We can refer to this article to check it. From the error message, it shows me that the certificate name is incorrect. We can use Get-AzureKeyVaultSecret to get its name. The following are the details:
As the above screenshot shows, the value "kvcertificate" is the value we expected.
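The certificate resource from the question with its placeholders replaced by resourceId() expressions, added here as an example; it is not code from the question or either answer. It assumes the parameter names certificateName, keyVaultName, keyVaultResourceGroupName, keyVaultSecretName and appServicePlanName, an existing App Service plan, and that the secret was uploaded with content type application/x-pkcs12 as in the PowerShell script above; the "serverFarmId" property and the newer API version are assumptions taken from the current resource schema rather than from the page.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "certificateName": { "type": "string", "defaultValue": "signingCredentials" },
    "keyVaultName": { "type": "string" },
    "keyVaultResourceGroupName": { "type": "string", "defaultValue": "[resourceGroup().name]" },
    "keyVaultSecretName": { "type": "string", "defaultValue": "keyVaultCert" },
    "appServicePlanName": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Web/certificates",
      "apiVersion": "2019-08-01",
      "name": "[parameters('certificateName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "keyVaultId": "[resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
        "keyVaultSecretName": "[parameters('keyVaultSecretName')]",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
      }
    }
  ],
  "outputs": {
    "certificateThumbprint": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Web/certificates', parameters('certificateName'))).thumbprint]"
    }
  }
}
```

Building keyVaultId from resourceId() avoids the hand-typed vault path from the question, and the thumbprint output is a quick post-deployment check that the right PFX was imported (compare it with the thumbprint of the PFX you uploaded). As both answers note, the resource itself is usually not the problem: keyVaultSecretName has to match the secret name exactly, the App Service resource provider's service principal needs "get" on secrets in that vault, and the secret has to hold the base64 PKCS#12 blob with the matching content type.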
