How to use Azure Key Vault Secrets in an Azure Resource Manager Template
This video walks through using secrets stored in Azure Key Vault as part of an ARM template deployment in a secure manner. We will cover:
1. Setting up the Key Vault to work with ARM deployments
2. Passing in secrets using parameters
Prerequisites: an Azure subscription; an Azure Key Vault; and, at a minimum, the user deploying the template must have the Microsoft.KeyVault/vaults/deploy/action permission on the Key Vault (the built-in Owner and Contributor roles both grant it).
To use secrets stored in Key Vault as part of an Azure Resource Manager deployment, the first thing we need to do is enable the vault so that Azure Resource Manager can read from it at deployment time. In the portal, open the vault's Access policies, then Show advanced access policies. There are several tick boxes here; the one we want is the middle one, "Enable access to Azure Resource Manager for template deployment". Tick it and click Save. This sets the vault's enabledForTemplateDeployment property, which allows Resource Manager to retrieve secrets from the vault during a deployment. Note that this only enables the vault; the user running the deployment still needs the deploy/action permission listed in the prerequisites.

Over in VS Code we have an ARM template ready to go. It is fairly simple: it deploys an App Service plan and then a web app. We want to pass a database connection string into the web app so it can talk to Azure SQL, and we want that connection string to come from a secret in Key Vault and to be passed in securely. The first thing to do is add a parameter to carry it. We already have one parameter, the application name, of type string. We create a second one in the same way but with a different type: anything that comes from Key Vault must be declared as securestring rather than string, so we call it dbConnectionString and set its type to securestring. The value of a securestring parameter is not recorded in the deployment history or logs. The only remaining step in the template is to use the value: scrolling down to the web app's application settings section, there is a DbConnectionString property, and we set it to the parameter we just created. That is all the template needs; it is now ready to receive the connection string securely at deploy time.
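The template described above, written out as an added example; this is not the template shown in the video. The parameter names appName and dbConnectionString, the plan name, the B1 SKU and the API versions are assumptions. The securestring parameter is consumed only inside the web app's appSettings and is deliberately not exposed through an outputs section, because outputs are recorded in the deployment history in clear text.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appName": {
      "type": "string",
      "metadata": { "description": "Name of the web app; the App Service plan is named after it" }
    },
    "dbConnectionString": {
      "type": "securestring",
      "metadata": { "description": "Supplied from Key Vault via the parameters file; securestring keeps it out of deployment history" }
    }
  },
  "variables": {
    "planName": "[concat(parameters('appName'), '-plan')]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2022-03-01",
      "name": "[variables('planName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "B1", "tier": "Basic" }
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('appName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]"
      ],
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]",
        "siteConfig": {
          "appSettings": [
            {
              "name": "DbConnectionString",
              "value": "[parameters('dbConnectionString')]"
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it together with a parameters file that references Key Vault, for example with az deployment group create --resource-group <rg> --template-file azuredeploy.json --parameters azuredeploy.parameters.json. The portal tick box from the previous step can equally be set from the CLI with az keyvault update --name <vault> --enabled-for-template-deployment true.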
Now we look at the parameters file. It already has one parameter, the application name. We want to pass in a second one, the connection string, but instead of supplying a plain value we want it to come from Key Vault, so we use a different syntax for this parameter and paste it in. The parameter is named dbConnectionString, matching the template. Instead of a value it has a reference section, which tells Resource Manager to pull the value from Key Vault. Inside it we specify keyVault with an id, which is the full resource ID of the vault the secret should come from, in the usual Azure format: /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.KeyVault/vaults/<vault name>. Below that is secretName, the name of the secret in the vault whose value will be passed in as this parameter. An optional secretVersion pins a specific version of the secret; without it the current version is fetched at deploy time. That is all that is required: when we run the template along with this parameter file, Resource Manager goes to Key Vault and fetches the secret, and as long as the secret exists (and the deploying user has the deploy/action permission) it is passed into the template at deploy time. Let's see if that works.

Back in the Azure portal we have the web app we deployed earlier, and at the moment it has no application settings, because it was deployed before we added the dbConnectionString parameter. If we now deploy again with the updated template, we should see the parameter passed through and an application setting appear. Let's run the deployment. Once it has finished, we can see our two parameters were passed in, including the connection string.
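The parameters file described above, as an added example that is not the file from the video. The subscription GUID is a placeholder, and the resource group shared-rg, the vault contoso-kv, the app name contoso-web and the secret name DbConnectionString are assumptions. The id must be the literal resource ID of the vault, because a parameters file cannot use template functions such as resourceId(). secretVersion is omitted here, so the current version of the secret is fetched at each deployment; add "secretVersion": "<version>" next to secretName to pin one.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appName": {
      "value": "contoso-web"
    },
    "dbConnectionString": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/shared-rg/providers/Microsoft.KeyVault/vaults/contoso-kv"
        },
        "secretName": "DbConnectionString"
      }
    }
  }
}
```

The vault does not have to live in the resource group being deployed to, but it must have template deployment enabled, and the deploying principal needs Microsoft.KeyVault/vaults/deploy/action on it; a parameter that uses a keyVault reference must be declared as securestring (or secureObject) in the template, or the deployment is rejected.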
The connection string parameter shows as securestring, so hopefully the value has been passed through. Back in the portal, after a refresh, we can see a DbConnectionString application setting is now available, and if we click on the value to have a look, we can see our connection string, whose value came from Key Vault. That is really all there is to passing in values from Key Vault. You can pass in as many as you like just by adding more parameters, and they can even come from different vaults by changing the vault resource ID (its last segment is the vault name) in each parameter's reference section. One caveat: securestring keeps the secret out of the deployment history and logs, but once it has been written into an application setting it is stored in the web app's configuration, where anyone who can view that configuration can read it, exactly as we just did in the portal. Hope you found that useful, and I'll see you next time.