Using dynamically linked Azure Key Vault secrets in your ARM template
I’m in the process of adding an ARM template to an open source project I’m contributing to. All of this was pretty straightforward, until I needed to add some secrets and connection strings to the project.
While it’s totally possible to integrate these secrets in your ARM parameter file or in your continuous deployment pipeline, I wanted to do something a bit more advanced and secure. Of course, Azure Key Vault comes to mind! I’ve already used this in some of my other ASP.NET projects and Azure Functions, so nothing new here.
The thing is, the projects I’ve worked on, always retrieved the secrets from Key Vault like the following example:
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<subscription-id>/resourceGroups/examplegroup/providers/Microsoft.KeyVault/vaults/<vault-name>"
},
"secretName": "examplesecret"
}
}
While this isn’t a bad thing per se, I don’t like having the subscription-id hardcoded in this configuration, especially when doing open source development. Mainly because other people can’t access my Key Vault, so they’ll run into trouble when deploying this template. Therefore, I started investigating if this subscription id can be added dynamically.
Introducing the Dynamic Id
Lucky for us the ARM-team has us covered! By changing the earlier mentioned configuration a bit you’re able to use the function subscription().subscriptionId to get your own subscription id.
"adminPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(subscription().subscriptionId, parameters('vaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "[parameters('secretName')]"
}
},
Downside though, this doesn’t work in your parameter file!
It also doesn’t work in your normal ARM template!
So what’s left? Well, using ARM templates in combination with nested templates! Nested templates are the key to using this dynamic id. Nested templates aren’t something I envy using, because it’s easy to get lost in all of those open files.
Well, enough sample configuration for now, let’s see how this looks like in an actual file.
{
"apiVersion": "2015-01-01",
"name": "nestedTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(parameters('templateBaseUri'), 'my-nested-template.json')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"resourcegroup": {
"value": "[parameters('resourcegroup')]"
},
"hostingPlanName": {
"value": "[parameters('hostingPlanName')]"
},
"skuName": {
"value": "[parameters('skuName')]"
},
"skuCapacity": {
"value": "[parameters('skuCapacity')]"
},
"websiteName": {
"value": "[parameters('websiteName')]"
},
"vaultName": {
"value": "[parameters('vaultName')]"
},
"mySuperSecretValueForTheAppService": {
"reference": {
"keyVault": {
"id": "[resourceId(subscription().subscriptionId, parameters('resourcegroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "MySuperSecretValueForTheAppService"
}
}
}
}
}
To use the dynamic id, you have to add it to the parameters-section of the nested template resource. Anywhere else in the process is too early or too late to retrieve those values. Ask me how I know.
The observant reader might also notice me using the templateLink property with an URI inside.
"templateLink": {
"uri": "[concat(parameters('templateBaseUri'), 'my-nested-template.json')]",
"contentVersion": "1.0.0.0"
}
This is because you can only use these functions when the nested template is located on a (public) remote location. Another reason why I don’t really like this approach. Linking to a remote location means you can’t use the templates which are located inside the artifact package you are deploying. There is an issue on the feedback portal asking to support local file locations, but it’s not implemented (yet).
For now we just have to copy the template(s) to a remote location during the CI-build process (or do some template-extraction-and-publication-magic in the deployment pipeline). Whenever the CD pipeline runs, it’ll have to try to use the templates which are pushed to this remote location. Sounds like a lot of work, that’s because it is!
You might wonder how does this nested template look like? Well, it looks a lot like a ’normal’ template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourcegroup": {
"type": "string"
},
"hostingPlanName": {
"type": "string",
"minLength": 1
},
"skuName": {
"type": "string",
"defaultValue": "F1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
],
"metadata": {
"description": "Describes plan's pricing tier and instance size. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/"
}
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Describes plan's instance count"
}
},
"websiteName": {
"type": "string"
},
"vaultName": {
"type": "string"
},
"mySuperSecretValueForTheAppService": {
"type": "securestring"
}
},
"variables": {},
"resources": [{
"apiVersion": "2015-08-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "HostingPlan"
},
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[parameters('hostingPlanName')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[parameters('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverFarms/', parameters('hostingPlanName'))]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "empty",
"displayName": "Website"
},
"properties": {
"name": "[parameters('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [{
"name": "appsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites/', parameters('webSiteName'))]"
],
"tags": {
"displayName": "appSettings"
},
"properties": {
"MySuperSecretValueForTheAppService": "[parameters('mySuperSecretValueForTheAppService')]"
}
}]
}
],
"outputs": {}
}
This nested template is responsible for creating an Azure App Service with an Application Setting containing the secret we retrieved from Azure Key Vault in the main template. Pretty straightforward, especially if you’ve worked with ARM templates before.
If you want to see the complete templates & solution, check out my GitHub repository with this sample templates.
The deployment
All of this configuration is fun and games, but does it actually do the job?
One way to find out and that’s setting up a proper deployment pipeline! I’m most familiar using VSTS, so that’s the tool I’ll be using.
Create a new Release, add a new artifact to the location of your templates and create a new environment.
For testing purposes, this environment only needs to have a single step based on the Create or Update Resource Group-task.
In this task you will need to select the ARM Template file, along with the parameters file you want to use. Of course, all of the secrets I don’t want to specify, or want to override, I’m placing in the Override template parameters-section. Most important is the parameter for the templateBaseUri. This parameter contains the base URI to the location where the nested template(s) are stored.
It makes sense to override this setting as it’s quite possible you don’t want to use the GitHub location over here, but some location on a public blob container created by your CI-build.
Now save this pipeline and queue a release.
If all goes well, the deployment will fail with a KeyVaultParameterReferenceNotFound error.
At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. Details: BadRequest:
{"error": {"code": "KeyVaultParameterReferenceNotFound","message": "The specified KeyVault '/subscriptions/[subscription-id]/resourceGroups/nested-template-sample/providers/Microsoft.KeyVault/vaults/nested-template-vault' could not be found. Please see https://aka.ms/arm-keyvault for usage details."}} undefined
Task failed while creating or updating the template deployment.
Or a bit more visual:
This makes sense as we’re trying to retrieve a secret from the Azure Key Vault which doesn’t exist yet!
If you head down to the Azure Portal and check out the resource group you’ll notice both the resource group and the Key Vault has been created.
![Key Vault in Portal[7]](https://jan-v.nl/files/388e74dc-e760-414c-8b02-3c63885eb144.png)
The only thing which we need to do is add the MySuperSecretValueForTheAppService to the Key Vault.
![Secret in Key Vault[9]](https://jan-v.nl/files/aaa1d576-63cd-42c1-b46e-4ad4a87500fb.png)
Once it’s added we can try the release again. All steps should be green now.
![Green deployment[11]](https://jan-v.nl/files/eb457d3d-c674-4b58-b77f-cc05ab38e332.png)
You can verify in the resource group both the hosting plan and the App Service have been created now.
![All resources in portal[13]](https://jan-v.nl/files/080ed730-a566-4375-b3de-6ba08eef9775.png)
Zooming in on the Application Settings of the App Service you’re also able to see the secret value which has been retrieved from Azure Key Vault!
![Secret value in App Settings[15]](https://jan-v.nl/files/31661732-1efc-4d30-be39-64f25302d58b.png)
Proof the dynamic id is working when using the dynamic id and a nested template!
Too bad a securestring is still rendered in plain text on the portal, but that’s a completely different issue.
It has taken me quite some time to figure out all of the above steps. Probably because I’m no CI/CD expert, so I hope the above post will help others who aren’t experts on the matter also.