Similar to referencing the ResourceId of the Key Vault:
"keyVaultResourceId": "[concat(resourceGroup().id, '/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
Is it possible to reference, in the same resource group, a previously created key vault key version into an ARM template that is deploying a User Managed encrypted Datalake?
I'm trying something like this below:
"keyVaultResourceId": "[concat(resourceGroup().id, '/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
"encryptionKeyName": "[parameters('encryptionKeyName')]",
"encryptionKeyVersion": "[list(resourceGroup(), '/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'), parameters('encryptionKeyName')), '2016-10-01').encryptionKeyVersion ]"
What is the correct json syntax supposed to look like?
I took the template from quickstart templates (https://github.com/Azure/azure-quickstart-templates/blob/master/101-functions-managed-identity/azuredeploy.json).
I would like to add a "@Microsoft.KeyVault(SecretUri=secret_uri_with_version)" application setting referencing my key vault within the ARM template. How can I do this? Let's say my key vault name is "MyKeyVault" and my secret name is "MySecret". I found from the MS docs that this kind of reference should work:
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('keyVaultResourceId')).secretUriWithVersion, ')')]",
But I just get error message "The resource 'Microsoft.KeyVault/vaults/MyKeyVault' is not defined in the template."
I am creating resource Id with this line:
"keyVaultResourceId": "[resourceId(subscription().subscriptionId, parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
Ah, ok I see, you are trying to get the reference from the Key Vault, not from the secret. The key vault obviously doesn't have that property, because it's not a secret, it's a key vault. So you need to construct a reference to your secret:
reference(resourceId('rg','Microsoft.KeyVault/vaults/secrets','kvname','secretname')).secretUriWithVersion
If I have an Azure ARM template that can create:
Azure Container Registry
Azure Key Vault
Is there a way for the username and password for the Azure Container Registry to be automatically added to the Azure Key Vault using ARM templates?
Is there some way to refer to the Azure Container Registry username and password secrets in ARM templates for this purpose?
UPDATE
@EdBoykin's answer is correct, this is what I ended up with:
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('key_vault_name'), '/AzureContainerRegistryKey1')]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('container_registry_name')), '2017-10-01').passwords[0].value]"
},
"dependsOn": [
"[concat('Microsoft.KeyVault/vaults/', parameters('key_vault_name'))]",
"[concat('Microsoft.ContainerRegistry/registries/', parameters('container_registry_name'))]"
]
}
Muhammad,
To create the secrets in KeyVault you will need to create an ARM template that looks something like this. Make sure to update the 'dependson' section so this resource depends on your ACR being created first. The username is going to be the ACR resource name. So, whatever you set that to in your ARM script, you can store in your key vault as a key vault secret.
For the passwords, or keys, this is what you do. Here is a sample template for adding a KeyVault secret
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(variables('keyVaultName'), '/{YourACRKey1SecretName}')]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName')), '2017-10-01').passwords[0].value]"
},
"dependsOn": []
}
{YourACRKey1SecretName} should be changed to the secret name for your ACR Key1 value.
To set the other key in your keyvault, create another key vault secret resource with a new name and use this for the value:
For Key 2
[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName')), '2017-10-01').passwords[1].value]
The following github deployment allows me to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.
Can someone explain what is meant by the statement: 'the password is never put in plain text in the template parameter file'?
If you don't use Key Vault, even if the adminPassword type is securestring, when you enter the adminPassword during deployment it shows as plaintext, not ******. It is not safe. But if you use Key Vault, the password is stored in Key Vault and saved encrypted; others cannot see your password.
In the template, you should configure it to use Key Vault like below:
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/XXXXXXX/resourceGroups/resourceGroupName/providers/Microsoft.KeyVault/vaults/vaultName"
},
"secretName": "secretName"
}
},
Please refer to the similar question: How to hide password in shell script during ARM template deployment.
I was trying to add Azure Key Vault integration to our ARM deployment, so we can keep all passwords in Azure Key Vault.
I was following this to try to access a secret (adminPassword) I have created in Azure KeyVault (dSentienceAnalytics). Here is my template
I tried to deploy this template through PowerShell, but it asked me to enter a value for the variable "adminPassword", which it was supposed to retrieve from Azure Key Vault.
Do you see what I am missing here?
You cannot use a KeyVault reference in the template itself, only in the parameters file. So your template will not look any differently if you're using KeyVault, the adminPassword parameter will simply be defined as a secureString. The template's use of the password can look exactly like this:
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-linux/azuredeploy.json
The parameters file is where the reference will be used. The first code sample here:
https://azure.microsoft.com/en-us/documentation/articles/resource-manager-keyvault-parameter/#reference-a-secret-with-static-id
is showing you the parameters file, not the template file's parameter object (it is a bit confusing).
For a really simple example, see the KeyVaultUse.json and KeyVaultUse.parameters.json here:
https://github.com/rjmax/ArmExamples/tree/master/keyvaultexamples
Note that there's nothing unique or different about KeyVaultUse.json, the "key" is in the parameters file.
That help?
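Both the answer just above and the earlier one about the Windows VM quickstart make the same point: the template only declares adminPassword as securestring, and the Key Vault reference lives in the parameters file. The Python below is an added example, not part of either answer or of the quickstart: it builds a constructed template and two constructed parameter files (one leaking the password as a literal, one using a static Key Vault id reference), plus a template that wrongly embeds the reference in the template itself, and audits them the way a pre-deployment check in CI would. The subscription id, resource group, vault and secret names are placeholders.

```python
import json
import re

# A full vault resource id as ARM expects it in the parameter file.
KEYVAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)
SECURE_TYPES = ("securestring", "secureobject")

# Constructed template (not from the page): the password is a securestring and
# the template body says nothing about where its value comes from.
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"type": "string"},
    "adminPassword": {"type": "securestring"}
  },
  "resources": []
}
""")

# Constructed parameter file that leaks the secret as a literal value.
PLAINTEXT_PARAMS = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {"value": "ConstructedSamplePassw0rd!"}
  }
}
""")

# Constructed parameter file that resolves the secret from Key Vault by static id
# (subscription id, resource group and vault name are placeholders).
KEYVAULT_PARAMS = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/example-vault"
        },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
""")

# Constructed template that embeds the Key Vault reference in the template itself;
# ARM does not honour it there and prompts for the value at deployment time.
MISPLACED_TEMPLATE = {
    "parameters": {
        "adminPassword": {
            "type": "securestring",
            "reference": {
                "keyVault": {"id": "/subscriptions/x/resourceGroups/y/providers/Microsoft.KeyVault/vaults/z"},
                "secretName": "vmAdminPassword",
            },
        }
    }
}


def audit_secure_parameters(template, params):
    """Return a list of findings; an empty list means the pair is clean."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if "reference" in spec:
            findings.append(f"{name}: Key Vault reference placed in the template; move it to the parameter file")
        if spec.get("type", "").lower() not in SECURE_TYPES:
            continue
        supplied = params.get("parameters", {}).get(name)
        if supplied is None:
            continue  # ARM will prompt at deploy time; nothing on disk to leak
        if "value" in supplied:
            findings.append(f"{name}: secure parameter supplied as plain text in the parameter file")
        ref = supplied.get("reference")
        if ref is not None:
            if not KEYVAULT_ID_RE.match(ref.get("keyVault", {}).get("id", "")):
                findings.append(f"{name}: keyVault.id is not a full vault resource id")
            if not ref.get("secretName"):
                findings.append(f"{name}: Key Vault reference lacks secretName")
    return findings


if __name__ == "__main__":
    for label, tmpl, prm in (("plaintext", TEMPLATE, PLAINTEXT_PARAMS),
                             ("keyvault", TEMPLATE, KEYVAULT_PARAMS),
                             ("misplaced", MISPLACED_TEMPLATE, {})):
        print(label, audit_secure_parameters(tmpl, prm) or "clean")
```

The check flags only parameters the template itself marks secure, so it will not complain about an ordinary string parameter that is supplied inline, and it treats a missing parameter as acceptable because ARM will prompt for it rather than reading a literal from disk.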
You can create a linked template and pass the keyvault secret to that as a parameter. Your linked template will need to be accessible to Azure at some uri.
{
"name": "linked-template",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri":"<your linked template uri, e.g. a blob-store file with a sas token>"
},
"parameters": {
"password": {
"reference": {
"keyVault": {
"id": "[variables('keyVaultId')]"
},
"secretName": "password"
}
}
}
}
}
You will need the id of your key vault; here it's assumed to be in a variable constructed from parameters on the top-level template, where the user specifies a resource group and name for the key vault:
"keyVaultId" : "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
What are you trying to deploy? If it is an app service you can retrieve the secret from Key Vault by combining Managed Service Identity with an access policy on the Key Vault. Here's how to turn on MSI authentication for App Service and add an access policy
In the App Service you can add something like this:
{
"apiVersion": "2018-11-01",
"name": "appsettings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', WEBSITE NAME)]",
"Microsoft.ApplicationInsights.AzureWebSites",
"[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))]"
],
"properties": {
"ConnectionSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))).secretUriWithVersion, ')')]"
}
}
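The app setting produced above, and the one the first question on this page was trying to build, is an App Service Key Vault reference string that the platform resolves at runtime using the site's managed identity. The following Python is an added example (not from any answer here): a parser for both documented forms of that string, @Microsoft.KeyVault(SecretUri=...) and @Microsoft.KeyVault(VaultName=...;SecretName=...;SecretVersion=...), plus an audit over a constructed set of app settings that rejects references whose SecretUri is not an https URL on a *.vault.azure.net host. The vault, secret and version values are constructed.

```python
import re
from urllib.parse import urlsplit

# Outer shape of an App Service Key Vault reference app setting.
REF_RE = re.compile(r"^@Microsoft\.KeyVault\((.*)\)$", re.IGNORECASE)
VAULT_HOST_SUFFIX = ".vault.azure.net"


def parse_keyvault_reference(setting):
    """Return {"vault", "secret", "version"} for a valid reference, else raise ValueError.
    "version" is None when the reference does not pin a secret version."""
    match = REF_RE.match(setting.strip())
    if not match:
        raise ValueError("not a Key Vault reference")
    fields = {}
    for part in match.group(1).split(";"):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = val.strip()
    if "SecretUri" in fields:
        uri = urlsplit(fields["SecretUri"])
        host = uri.hostname or ""
        if uri.scheme != "https" or not host.endswith(VAULT_HOST_SUFFIX):
            raise ValueError("SecretUri must be https and point at a *.vault.azure.net host")
        segments = [s for s in uri.path.split("/") if s]
        if len(segments) not in (2, 3) or segments[0] != "secrets":
            raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
        return {"vault": host.split(".")[0], "secret": segments[1],
                "version": segments[2] if len(segments) == 3 else None}
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": fields["VaultName"], "secret": fields["SecretName"],
                "version": fields.get("SecretVersion")}
    raise ValueError("reference needs SecretUri or VaultName and SecretName")


def audit_app_settings(settings):
    """Return {setting name: error} for values that claim to be Key Vault
    references but do not parse; non-reference settings are left alone."""
    problems = {}
    for name, value in settings.items():
        if not value.lower().startswith("@microsoft.keyvault"):
            continue
        try:
            parse_keyvault_reference(value)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


# Constructed app settings (not from the page); vault and version are placeholders.
SAMPLE_SETTINGS = {
    "ConnectionSecret": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/ConnectionSecret/0123abcd4567)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=example-vault;SecretName=ApiKey)",
    "Broken": "@Microsoft.KeyVault(SecretUri=http://not-a-vault.example/secrets/x)",  # wrong scheme and host
    "Plain": "not-a-reference",
}

if __name__ == "__main__":
    for name, value in SAMPLE_SETTINGS.items():
        try:
            print(name, parse_keyvault_reference(value))
        except ValueError as exc:
            print(name, "->", exc)
```

Running it over a site's exported app settings shows at a glance which settings are resolved from a vault, which vault and version they pin, and which ones are malformed and would therefore be handed to the application as the literal reference string instead of the secret.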
I'm trying to derive the Registration Key and URL of my Azure Automation DSC account inside the ARM template at runtime. I've tried using the same syntax as you would for a storage account, i.e.
listKeys(resourceId('Microsoft.Storage/storageAccounts', 'StorageAccountName'), '2015-05-01-preview').key1
by doing this:
listKeys(resourceId('Microsoft.Automation/automationAccounts', 'AutomationAccountName'), '2015-05-01-preview').key1
but no luck (it appears the function simply returns null). This would naturally make provisioning an automation account and a VM and wiring up the VM to the automation account in the same template easy as pie. Has anyone successfully got something similar to work?
As per this GitHub Ticket, this is still under development.
https://github.com/azureautomation/automation-packs/issues/7
With version 2015-10-31 of the Azure Automation API, the following seems to work.
Getting the registration URL:
reference(resourceId('Microsoft.Automation/automationAccounts/', 'AutomationAccountName'), '2015-10-31').RegistrationUrl
Getting the Primary key:
listKeys(resourceId('Microsoft.Automation/automationAccounts/', 'AutomationAccountName'), '2015-10-31').keys[0].value
Getting the Secondary key:
listKeys(resourceId('Microsoft.Automation/automationAccounts/', 'AutomationAccountName'), '2015-10-31').keys[1].value
For reference, the object returned from the listKeys() template function for an Automation account resource looks like this (can easily be found by adding an output value using listKeys() to the outputs section of an ARM template):
{
"keys": [
{
"KeyName": "Primary",
"Permissions": "Full",
"Value": "VALUE OF PRIMARY KEY"
},
{
"KeyName": "Secondary",
"Permissions": "Full",
"Value": "VALUE OF SECONDARY KEY"
}
]
}