Parameters file function for Bicep

Bicep provides a function called readEnvironmentVariable() that allows you to retrieve values from environment variables. It also offers the flexibility to set a default value if the environment variable doesn't exist. This function can only be used in the .bicepparam files. For more information, see Bicep parameters file.

getSecret

getSecret(subscriptionId, resourceGroupName, keyVaultName, secretName, secretVersion)

Returns a secret from an Azure Key Vault. Use this function to pass a secret to a secure string parameter of a Bicep file.

Note

You can also use the keyVaultName.getSecret(secretName) function from within a .bicep file.

using './main.bicep'

param secureUserName = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretUserName')
param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')

You get an error if you use this function with string interpolation.

A namespace qualifier (az) can be used, but it's optional, because the function is available from the default Azure Namespace.

Parameters

Parameter Required Type Description
subscriptionId Yes string The ID of the subscription that has the key vault resource.
resourceGroupName Yes string The name of the resource group that has the key vault resource.
keyVaultName Yes string The name of the key vault.
secretName Yes string The name of the secret stored in the key vault.
secretVersion No string The version of the secret stored in the key vault.

Return value

The value for the secret.

Example

The following .bicepparam file has a securePassword parameter that has the latest value of the <secretName> secret.

using './main.bicep'

param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')

The following .bicepparam file has a securePassword parameter that has the value of the <secretName> secret, but it's pinned to a specific <secretValue>.

using './main.bicep'

param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword', 'exampleSecretVersion')

readEnvironmentVariable

readEnvironmentVariable(variableName, [defaultValue])

Returns the value of the environment variable, or set a default value if the environment variable doesn't exist. Variable loading occurs during compilation, not at runtime.

Namespace: sys.

Parameters

Parameter Required Type Description
variableName Yes string The name of the variable.
defaultValue No string A default string value to be used if the environment variable doesn't exist.

Return value

The string value of the environment variable or a default value.

Remarks

The following command sets the environment variable only for the PowerShell process in which it's executed. You get BCP338 from Visual Studio Code.

$env:testEnvironmentVariable = "Hello World!"

To set the environment variable at the user level, use the following command:

[System.Environment]::SetEnvironmentVariable('testEnvironmentVariable','Hello World!', 'User')

To set the environment variable at the machine level, use the following command:

[System.Environment]::SetEnvironmentVariable('testEnvironmentVariable','Hello World!', 'Machine')

For more information, see Environment.SetEnvironmentVariable Method.

Examples

The following examples show how to retrieve the values of environment variables.

use './main.bicep'

param adminPassword = readEnvironmentVariable('admin_password')
param boolfromEnvironmentVariables = bool(readEnvironmentVariable('boolVariableName','false'))

Next steps

For more information about Bicep parameters file, see Parameters file.