Home > Mobile >  Reading Azure Key Vault secret into ARM template via parameter file
Reading Azure Key Vault secret into ARM template via parameter file

Time:01-27

I've set up the problem in the these two files. The template is simply POSTing the parameter with a fake url to check the value.

read_secret_params.json

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "ftpPrivateKey": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/dummyid/resourceGroups/dummyrg/providers/Microsoft.KeyVault/vaults/myvault"
                },
                "secretName": "mysecret"
            }
        }
    }
}

read_secret_template.json

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "ftpPrivateKey": {
            "type": "securestring"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2019-05-01",
            "name": "read-secret",
            "location": "East US",
            "properties": {
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "contentVersion": "1.0.0.0",
                    "triggers": {
                        "Recurrence": {
                            "recurrence": {
                                "frequency": "Week",
                                "interval": 1
                            },
                            "type": "Recurrence"
                        }
                    },
                    "actions": {
                        "HTTP": {
                            "inputs": {
                                "body": "[parameters('ftpPrivateKey')]",
                                "method": "POST",
                                "uri": "https://dummysite.com"
                            },
                            "runAfter": {},
                            "type": "Http"
                        }
                    },
                    "outputs": {}
                },
                "parameters": {}
            }
        }
    ]
}

The first issue is, when I try to deploy via the portal, no value comes thru for the parameter so it can't create it due to the validation error "Validation failed. Required information is missing or not valid.". Is this because it's not able to read the secret, permissions thing? NOTE: the key vault is also created by myself so I am the owner.

enter image description here

I can get around the validation error and successfully deploy by adding a default value as follows:-

    "parameters": {
        "ftpPrivateKey": {
            "type": "securestring",
            "defaultValue": "privateKeyDefault"
        }
    },

But when I run the logic app, it's using the default value in the POST command so it seems like it's not pulling the secret out of the key vault.

enter image description here

So in summary I have 2 questions:-

  1. Has this test proved that the logic app is not reading the secret OR might it have successfully read the secret but is for some reason displaying the default value in the POST command?
  2. If it is not reading the secret, can anyone suggest a cause fix?

CodePudding user response:

If I deploy using the Azure CLI then it works i.e. gets the secret from Azure Key Vault. If deployed in the portal then it always uses the default value.

  • Related