Secure VM password with Key Vault

This template deploys a simple Windows VM and retrieves its password from a secret stored in a Key Vault, so the password never appears in plain text in the template parameter file.

Add Secret to the Key Vault

You can add the password to the Key Vault using either of the commands below.

PowerShell:

$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret

Azure CLI:

az keyvault secret set --vault-name Contoso --name ITSecret --value 'password'

Enable Key Vault for VM and Template secret access

Next, enable the Key Vault for template deployment so that Azure Resource Manager can read the secret during deployment. Use either of the following commands.

PowerShell:

Set-AzKeyVaultAccessPolicy -VaultName Contoso -EnabledForTemplateDeployment

Azure CLI:

az keyvault update --name Contoso --enabled-for-template-deployment true
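
With the secret stored and the vault enabled for template deployment, a parameter file can reference the secret instead of carrying its value. The following is an added example, not this template's own parameter file; the parameter name `adminPassword` and the `<subscription-id>` and `<resource-group>` placeholders are assumptions.

```jsonc
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Assumed parameter name; use the secure-string parameter your template declares.
    // Plain-text form this replaces: "adminPassword": { "value": "..." }
    "adminPassword": {
      "reference": {
        "keyVault": {
          // Resource ID of the vault; <subscription-id> and <resource-group> are placeholders.
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/Contoso"
        },
        // Name of the secret created with Set-AzKeyVaultSecret or az keyvault secret set.
        "secretName": "ITSecret"
      }
    }
  }
}
```

The identity running the deployment also needs the `Microsoft.KeyVault/vaults/deploy/action` permission on the vault for the reference to resolve.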

Tags: Microsoft.Storage/storageAccounts, Microsoft.Network/publicIPAddresses, Microsoft.Network/networkSecurityGroups, Microsoft.Network/virtualNetworks, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines