I have an ARM template which syncs secret value from source Keyvault into Destination one.

I also want to sync secret tags, but ARM reference that I use for 'sourceKV.secret.tags' retrieval does not work

[reference(resourceId('subscriptionId', 'resourceGroup', 'Microsoft.KeyVault/vaults/secrets', 'SourceKV', 'Secret'), '2021-04-01-preview', 'Full').tags.tagName]

any ideas what can be the issue, or what is the correct form to retrieve tags during ARM template deployment?

CodePudding user response：

These work for me:

"outputs": {
  "tags": {
    "type": "string",
    "value": "[reference('/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.KeyVault/vaults/zzzz/secrets/mysecret', '2022-07-01', 'Full').tags]"
  },
  "tagValue": {
    "type": "string",
    "value": "[reference('/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.KeyVault/vaults/zzzz/secrets/mysecret', '2022-07-01', 'Full').tags.hello]"
  },
  "tagValue2": {
    "type": "string",
    "value": "[reference(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.KeyVault/vaults/secrets', 'xxxx', 'mysecret'), '2021-04-01-preview', 'Full').tags.hello]"
  }
}

Will result in:

"outputs": {
  "tagValue": {
    "type": "String",
    "value": "world"
  },
  "tagValue2": {
    "type": "String",
    "value": "world"
  },
  "tags": {
    "type": "Object",
    "value": {
      "hello": "world"
    }
  }
}

Also works with the API version you used. It is important that you use 'Full', otherwise you won't get the tags. Note that you can use this syntax anywhere in your template. I just used it in the outputs because it is good for testing.

CodePudding user response：

As I found out it is not possible to use Reference function for setting tags property value for keyvault as valid usages state reference func only works if it is used inside properties block or for outputs; but as tags are not part of properties instead of returning value reference fun returns just string "reference(resource...)"