Hi,
- In the GitHub Actions workflow, you would need to:
- Authenticate to Azure using a service principal or managed identity.
- Retrieve the secret value from Azure Key Vault.
- Pass the secret value as a parameter to the Bicep script during deployment. For example:
      - name: Get secret from Azure Key Vault
        run: |
          # Azure CLI command to retrieve the secret value (needs a preceding azure/login step)
          SECRET_VALUE=$(az keyvault secret show --name "${containerRegistrySecretName}" --vault-name "${keyVaultName}" --query value -o tsv)
          # Mask the value in the job log, then expose it to later steps via GITHUB_ENV
          echo "::add-mask::${SECRET_VALUE}"
          echo "DOCKER_REGISTRY_URL=${SECRET_VALUE}" >> "$GITHUB_ENV"
      - name: Deploy Bicep template
        # <resource-group> is a placeholder for the target resource group
        run: az deployment group create --resource-group <resource-group> --template-file main.bicep --parameters dockerRegistryUrl="${{ env.DOCKER_REGISTRY_URL }}"
- In your Bicep script (main.bicep):
// Marked @secure() so the value is not recorded in the deployment history
@secure()
param dockerRegistryUrl string

// The App Service plan the site runs on (the name is a placeholder)
resource exampleServicePlan 'Microsoft.Web/serverfarms@2021-02-01' existing = {
  name: 'example-serviceplan'
}

resource appService 'Microsoft.Web/sites@2021-02-01' = {
  name: 'example-appservice'
  location: 'WestUS'
  properties: {
    serverFarmId: exampleServicePlan.id
    siteConfig: {
      appSettings: [
        {
          name: 'DOCKER_REGISTRY_URL'
          value: dockerRegistryUrl
        }
      ]
    }
  }
}
This approach ensures that your Bicep script remains dynamic and does not contain hardcoded sensitive information. Instead, it fetches the required values securely during deployment from Azure Key Vault.
Kindly accept the answer if it helps, thanks!
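As an added example that is not part of the answer above: the same Key Vault secret can be resolved by Azure Resource Manager itself, so it never passes through the workflow runner or its environment. This references the existing vault in main.bicep and passes `getSecret()` into a module whose parameter is `@secure()`; the vault name, resource group, secret name and plan name are assumed placeholders.

```bicep
// ---- main.bicep (orchestrating template) ----
// Assumed names: the Key Vault, its resource group, the secret name and
// the App Service plan are placeholders for this example.
param keyVaultName string
param keyVaultResourceGroup string = resourceGroup().name
param secretName string = 'containerRegistryUrl'
param appServicePlanName string = 'example-serviceplan'

// Reference the vault that already exists. The deploying identity needs
// permission to read secrets, and the vault must have
// enabledForTemplateDeployment set to true for getSecret() to work.
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

resource plan 'Microsoft.Web/serverfarms@2021-02-01' existing = {
  name: appServicePlanName
}

// getSecret() may only be assigned to a module parameter marked @secure(),
// so the value is resolved at deployment time and does not appear in the
// workflow log, the runner's environment or the deployment history.
module site 'appservice.bicep' = {
  name: 'appservice-deploy'
  params: {
    dockerRegistryUrl: kv.getSecret(secretName)
    serverFarmId: plan.id
  }
}

// ---- appservice.bicep (module) ----
@secure()
param dockerRegistryUrl string
param serverFarmId string

resource appService 'Microsoft.Web/sites@2021-02-01' = {
  name: 'example-appservice'
  location: resourceGroup().location
  properties: {
    serverFarmId: serverFarmId
    siteConfig: {
      appSettings: [
        { name: 'DOCKER_REGISTRY_URL', value: dockerRegistryUrl }
      ]
    }
  }
}
```

Note that app settings are still readable by anyone with read access to the site configuration, so the secret is protected in transit through the pipeline, not at rest on the App Service.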