Key Vault Reference Limit - azure

While developing an ARM template to deploy multiple app services, we want to use Key Vault to host multiple secrets, and we need to include 110 references in the template.
While doing a POC, there is an error message:
The deployment has specified too many Key Vault parameter references. The maximum of Key Vault parameter references is '30'
Is it possible to go beyond 30?

Your first option should be to consider why you need so many secrets and how you can come up with a better strategy.
Failing that, on the quick and dirty, you can wrap multiple secrets in a string.
E.g.:
MySecret: value1|value2|value3|value4|value5
Then you can use the ARM template functions to pull out the value you need.
Look into the array and split functions.
Hopefully you can keep related secrets together and organise them neatly.

Related

Terraform with Azure - Issue enforcing unique names for resources

I am using Terraform for creating resources within Azure and attaching the current timestamp to enforce unique names for resources like storage account, key vault, etc. in the .tf file.
Problem is, for existing resources, when you expect Terraform apply to do nothing, these resources are being destroyed and recreated since the time-stamp has changed between last execution and the current one!
Wondering what's the best strategy to enforce uniqueness, dynamically.
The initial texts for these resources come from Azure Pipeline variables and I'm appending current time-stamp for adding uniqueness.
According to the Cloud Adoption Framework, you could define a convention like the one shown below.
Terraform example
name = "${local.prefix}-${var.location}-app-plan"
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
I also suggest you look at the Azure naming plugin, which can help you create unique names across resources:
https://registry.terraform.io/modules/Azure/naming/azurerm/latest

Grouping secrets in azure key-vault

I am trying to store secrets in Azure Key Vault. I used the Azure SDK APIs and I can successfully store/retrieve using those. I wanted to know if it's possible to categorise/group a set of secrets under the same tag and store them in some path.
I want to group some secrets used by one service and store them in one storage path. In the same way, other services would use separate storage paths. I couldn't find any way of doing that. Is that possible in Azure Key Vault?
In short: no, this is not possible.
Also: you cannot get secrets and their values in a list. If you want to get a list, you'll only get a SecretItem array and you have to call GetSecret on each secret you want to get the actual value for.
You could, however, implement something like this yourself by defining a template for the name of the secret that incorporates the name of the thing you would like to group on. Something like this:
$"{serviceName}-secrets-{secretName}"
This way, you can filter the list to only hold the secrets for the service you want to get them for and get their values.

Azure Key Vault parameter reference limit

When I reference more than 30 keys from my global Key Vault in an ARM template parameter file, I get the following error in my deployments.
The deployment has specified too many KeyVault parameter references. The maximum of KeyVault parameter references is '30'.
Please help me: how can I override this limit, or what is the alternative for referencing more than 30 secrets/keys from Key Vault?
Just create a nested deployment that will reference 30 more secrets and return those as output into the main one; that way you can work around that restriction.
One alternative is to store multiple values in a single secret as JSON. You can load that single secret from key vault and then use the json() template function to convert it into an object. Pass the secret to a linked template as a string, then use the json function in that linked template.
This limit has been increased to 256, which is currently the max number of parameters allowed in a template. See: https://github.com/bmoore-msft/AzureRM-Samples/blob/master/keyvault-max-references/azuredeploy.json for a sample.
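An added example, not code from any of the answers above, of the packed-secret approach: it serves both the pipe-delimited suggestion in the first question on this page and the JSON suggestion in this thread. Each securestring parameter is supplied by a single `"reference": {"keyVault": {"id": ...}, "secretName": ...}` entry in the parameters file, so two Key Vault references carry all the values; the site name, secret names and JSON keys are placeholders I chose.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": {
      "type": "string",
      "metadata": { "description": "Existing app service to configure (placeholder)" }
    },
    "packedJsonSecret": {
      "type": "securestring",
      "metadata": {
        "description": "Supplied by one Key Vault reference in the parameters file; the secret value is a JSON object, e.g. {\"dbPassword\":\"...\",\"apiKey\":\"...\"}"
      }
    },
    "packedPipeSecret": {
      "type": "securestring",
      "metadata": {
        "description": "Supplied by one Key Vault reference in the parameters file; the secret value is pipe-delimited, e.g. value1|value2|value3"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2021-02-01",
      "name": "[concat(parameters('siteName'), '/appsettings')]",
      "properties": {
        "DB_PASSWORD": "[json(parameters('packedJsonSecret')).dbPassword]",
        "API_KEY": "[json(parameters('packedJsonSecret')).apiKey]",
        "LEGACY_VALUE_2": "[split(parameters('packedPipeSecret'), '|')[1]]"
      }
    }
  ]
}
```

Because the values arrive as securestring parameters and are written straight into resource properties, they are not recorded in the deployment history; values returned through template outputs would be.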

Best way to handle connection string and primary key for Azure Function when created with ARM template

What are best practices for :
managing app settings
including connection string-access key for other resources
inside/outside of the resource group?
Some of the examples utilize the listKeys function inside templates, but I'm wondering if there is a better way of doing this, especially when I need to include resource access keys outside of my subscription and resource group.
Also, the example utilizes the concat function; is there a way to retrieve the whole connection string/access key string from the resource directly? Or maybe store them inside Key Vault or an external parameters file?
Thanks
Best Practice is to use the functions (list*, reference), here: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions#resource-functions
They will work across subscriptions provided you have the full resourceId passed in.
For the other questions, it would help to see the code you're thinking about to provide advice...
In terms of managing app settings, I think it would depend on what type of settings you are referring to: is it sensitive? Do you want it to be securely stored?
If the key is sensitive to your business requirement, then it wouldn't be suitable to have it directly in your function app in plaintext; what you could do is use listKeys to retrieve keys while provisioning your key vault and then get them at runtime from your function, which is probably a better approach.
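An added example (not code from the answers above) of the list* approach recommended here: the function app's storage connection string is built from listKeys() on a full resource id, which is what lets the lookup cross resource groups or subscriptions. The parameter names, api versions and the assumption that the function app already exists are mine.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": {
      "type": "string",
      "metadata": { "description": "Existing function app to configure (placeholder)" }
    },
    "storageAccountResourceId": {
      "type": "string",
      "metadata": {
        "description": "Full resource id, /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>; the account may sit in another resource group or subscription"
      }
    }
  },
  "variables": {
    "storageAccountName": "[last(split(parameters('storageAccountResourceId'), '/'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2021-02-01",
      "name": "[concat(parameters('functionAppName'), '/appsettings')]",
      "properties": {
        "FUNCTIONS_EXTENSION_VERSION": "~4",
        "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(parameters('storageAccountResourceId'), '2021-09-01').keys[0].value, ';EndpointSuffix=', environment().suffixes.storage)]"
      }
    }
  ]
}
```

The deploying identity needs the Microsoft.Storage/storageAccounts/listKeys/action permission on that account, and this sites/config resource replaces the whole app settings set, so every setting the function needs has to be listed here.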

How do I create hierarchical data structures in Azure Key Vaults

I need a way to store hierarchical data in Azure Key Vaults so that I have a structure similar to:
AppName
  /Prod
    /Data
  /Test
    /Data
AppName2
  /Prod
    /Data
...
As far as I can tell I can only store a flat data structure. I am looking to be able to store data similar to Vault by HashiCorp which allows hierarchies.
For instance, in Vault by HashiCorp, I can get data using a 'path': "app/test/TestConnection" and I get the value at the endpoint of the path: TestConnection.
Any suggestion for alternatives would be fine or instruction on how to do what I need to do with Key Vault.
Thanks
Update
I tried some of the suggestions: MySettings--SomeSection--SecretThing, Multiple Vaults and neither works in the manner I need as described above. Not faulting the input but what I want to do just is not available in Key Vault.
@juunas Turns out that your suggestion may be the best solution. I only just discovered in another article that MySettings--SomeSection--Secret translates into something similar in .NET Core:
MySettings: {
  SomeSection: "Secret"
}
Since my client wants to use Key Vault we are probably going to go with storing JSON-structured data in a single secret per application.
Any other suggestions are welcome
Key Vault does not support hierarchies for secrets.
To emulate structure, you can do something similar to what .NET Core does with its Key Vault configuration provider. You can specify a secret with a name like Settings--SomeCategory--SomeValue, and it'll correspond to the following JSON when loaded:
{
  "Settings": {
    "SomeCategory": {
      "SomeValue": "value goes here"
    }
  }
}
So essentially you can use a separator to emulate the structure, similar also to how Azure Blob Storage emulates folders.
I would advise against mixing different environment secrets within the same key vault. Access cannot be restricted to some keys, as access is granted and denied on the Key Vault level only. You probably don't want the same persons/applications to be able to access all the different environments, but instead grant access to the production environment to a selected group of users and applications only, and vice versa.
As the Key Vault service by itself doesn't really cost anything, we at least have taken the approach to create one Key Vault per environment, i.e. dev, test and production. Within that key vault the secrets are "structured" by a prefix, i.e. AppName-Data and AppName2-Data. This gives the added benefit, that when moving from dev to test and to production, the references to the secrets don't need to be changed, as they have the same name in all the environments. Just the reference to the Key Vault needs to be changed, and all is set!