Connecting dev subscription's container registry while deploying the appservice in test subscription.

Bicky Shaw 1 Reputation point

I am a devOps Engineer, deploying three app services in dev and test environment using azure bicep and github action. While deploying the app services in dev I am connecting to dev subscription through github action p[ipeline and while deploying test app services we are connecting to test subscription through github action but the point is that we need to connect the app services to container registry and the container registry exist only in dev subcription then while deploying the appservice to test subcription we need to connect container registry of dev subcription how to do this through bicep script one way is to directly give the dockerRegistryUrl to appsetting in bicep code but I do not want to hard code the url in bicep script?

Azure Container Registry
Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
406 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,038 questions
GitHub Training
GitHub Training
GitHub: A web-based hosting service for software development and version control using Git. Acquired by Microsoft in 2018.Training: Instruction to develop new skills.
9 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Deepanshu katara 5,530 Reputation points

    Hi ,

    1. In the GitHub Actions workflow, you would need to:
    • Authenticate to Azure using a service principal or managed identity.
    • Retrieve the secret value from Azure Key Vault.
    • Pass the secret value as a parameter to the Bicep script during deployment. For ex- .
    - name: Get secret from Azure Key Vault
      run: |
        # Azure CLI command to retrieve secret value
        SECRET_VALUE=$(az keyvault secret show --name ${containerRegistrySecretName} --vault-name ${keyVaultName} --query value -o tsv)
        echo "##vso[task.setvariable variable=DOCKER_REGISTRY_URL]$SECRET_VALUE"
    - name: Deploy Bicep template
      run: bicep deploy --template-file main.bicep --parameters dockerRegistryUrl=${{ env.DOCKER_REGISTRY_URL }}
    1. In your Bicep script (main.bicep):
    param dockerRegistryUrl string
    resource appService 'Microsoft.Web/sites@2021-02-01' = {
      name: 'example-appservice'
      location: 'WestUS'
      properties: {
        siteConfig: {
          appSettings: [
              name: 'DOCKER_REGISTRY_URL'
              value: dockerRegistryUrl

    This approach ensures that your Bicep script remains dynamic and does not contain hardcoded sensitive information. Instead, it fetches the required values securely during deployment from Azure Key Vault.

    Kindly accept answer if it helps , Thanks!