CI/CD for Azure Key Vault

Question

CI/CD for Azure Key Vault

Pavan G 186

Hi Experts,

I am very new to Azure World.

I have created the key vault in my subscription and saved a few secrets which will be used by the logic app. I was able to create an ARM template for deployment using parameters and referring to this key-vault for the Dev environment and it is working fine.

Now, the challenge is the secret changes across environments and I have the below queries in my mind?

How do deploy this key vault to higher environments?
Do I need to create the key vault manually for the environments and refer to them in the variables section of the pipeline?
If I deploy the key vault to a higher environment, Is it only the key-vault secret name that will be deployed, and do I need to store the secrets manually?
In case, the secrets get changed do I have to run the pipeline or store the secrets manually?

Any inputs or leads will be really helpful for me.

Regards,
Pavan

1 answer

Your answer

Answer 1

Sam Cogan 10,812 Microsoft Employee Volunteer Moderator

You can deploy key vaults using ARM templates, this includes the vault itself and any secrets, keys etc. You will want to look at creating an ARM template (or to be honest I would recommend you move to using Bicep now) to create this, and parameterising this template so you can pass in any values that will change between environments. This way you can have a single template and different parameter sets for each environment.

Pavan G 186 Reputation points

2021-12-12T15:30:58.32+00:00

Hi @Sam Cogan ,

Thanks a lot for the response.
I found this MSDN document and was using the below ARM template JSON to deploy key vault secrets. However, I would still be using the value of the secrets as parameters in each environment parameters deployment file. I was wondering now if there is any way if we can secure that as well. Also, I find it a lot of manual effort is required when we have to deploy 100s of key secrets. Could you please provide any useful blog/documentation links to use Bicep?

ARM Template used to deploy key vault secrets:

{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-04-01-preview",
"name": "[format('{0}/{1}', parameters('KeyVaultName'), parameters('KeySecretName'))]",
"properties": {
"value": "[parameters('KeySecretValue')]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]"
]
}

Regards,
Pavan

Share via

CI/CD for Azure Key Vault

1 answer

Your answer