How to get KeyVault secret when deploying using BICEP

DataEngineer 20 Reputation points
2023-09-01T11:45:40.79+00:00

I have a Bicep template that deploys multiple resources, and I do not want to hardcode the passwords for Azure SQL and Synapse. I thought of using secure string params and utilizing the getSecret function as mentioned below.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/key-vault-parameter?tabs=azure-cli

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, kvResourceGroup)
}

However, when I try to reference the existing Key Vault as mentioned above, I am getting the following error:

KeyVaultParameterReferenceNotFound - The specified KeyVault '/subscriptions/abcd-1234-defg-6789/resourceGroups/ABCKeyVaultPRODNERG/providers/Microsoft.KeyVault/vaults/abckeyvaultprodne' could not be found. Please see https://aka.ms/arm-keyvault for usage details.

I did comment out the reference and checked with hardcoded passwords; that works fine. By the way, the resource group and Key Vault name in the reference, which I have checked using whatIf, are exactly the same.

Alternate Approach

That did not work for me, at least as I am deploying at subscription level and cannot modify my Bicep, so I started using the Azure Key Vault task in the release pipeline.

But after fetching the values with the Key Vault task, I am not able to use them in the ARM override template; by default the null value from the Bicep params is being passed.

#Your build pipeline references an undefined variable named ‘SqlPassword’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab. See https://go.microsoft.com/fwlink/?linkid=865972
#Your build pipeline references an undefined variable named ‘SywPassword’. Create or edit the build pipeline for this YAML file, define the variable on the Variables tab. See https://go.microsoft.com/fwlink/?linkid=865972

By the way, when I look at the YAML of the ARM task it shows the variable is not present.

Any suggestions or help?

Thanks


1 answer

AirGordon 5,985 Reputation points
2023-09-01T12:18:21.3533333+00:00

You need to ensure that scopes are not set when using existing references. See the issue on GitHub: https://github.com/Azure/bicep/issues/3734

Today, in the ARM runtime, it is not possible to deploy a resource into a different scope than the target of the deployment (with a few exceptions). We sometimes refer to this as "scope-escaping". It's something we are interested in doing in the future, but no ETAs atm.

You should be setting the scope when calling the module where your keyvault code is written.

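An added example (not the asker's or the answerer's code) of the layout AirGordon describes: the `existing` reference carries no `scope`, and the module that contains it is what gets scoped to the Key Vault's resource group, so the subscription-level deployment never needs to escape its scope. `kvName`, `kvResourceGroup` and the secret name `SqlPassword` come from the question; `sqlResourceGroup`, `sqlServerName`, the file names and the admin login are assumed.

```bicep
// ---- main.bicep (deployed at subscription scope) ----
targetScope = 'subscription'
param kvName string
param kvResourceGroup string
param sqlResourceGroup string   // assumed
param sqlServerName string      // assumed

// The scope belongs on the module call, not on the 'existing' resource inside it.
module secrets './kv-secrets.bicep' = {
  name: 'kv-secrets'
  scope: resourceGroup(kvResourceGroup)
  params: {
    kvName: kvName
    sqlResourceGroup: sqlResourceGroup
    sqlServerName: sqlServerName
  }
}

// ---- kv-secrets.bicep (runs in the Key Vault's resource group) ----
param kvName string
param sqlResourceGroup string
param sqlServerName string

// No 'scope:' here: this module is already deployed into kvResourceGroup.
// The vault also needs enabledForTemplateDeployment = true for getSecret().
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: kvName
}

// getSecret() is only valid as the value of a module parameter marked @secure();
// 'SqlPassword' is the secret name from the question. The SQL server lands in its own RG.
module sql './sql.bicep' = {
  name: 'sql-server'
  scope: resourceGroup(sqlResourceGroup)
  params: {
    serverName: sqlServerName
    adminPassword: kv.getSecret('SqlPassword')
  }
}

// ---- sql.bicep (resource-group scope) ----
param serverName string
@secure()
param adminPassword string
resource server 'Microsoft.Sql/servers@2021-11-01' = {
  name: serverName
  location: resourceGroup().location
  properties: {
    administratorLogin: 'sqladmin'   // assumed login name
    administratorLoginPassword: adminPassword
  }
}
```

Because the secret is resolved by ARM inside the nested deployment, the password never appears in the pipeline's parameter overrides, which is what the Key Vault task approach in the question was struggling with.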