How to use Key Vault for ARM Template Deployments
Something I always felt wasn't called out well is how to use Key Vault secrets with ARM Templates. The Azure Quickstart Repository on GitHub left me without a decent clue (and that's where I used to go first and foremost when I'd experiment with code). Here's what will show up in that repository (GEN-PASSWORD):
Now, the Quickstart repo on GitHub isn't trying to expose secrets, but to a brand new user of ARM Templates and Azure Resource Manager, I struggled to figure out how this worked. I literally racked my brain and stubbed all my toes.
Microsoft eventually created the ARM Template reference guide, which is usually VERY helpful and is a regular go-to for me. In this Key Vault reference instance, I was still a little bit baffled about how you set that up within your local ARM Template environment, as the reference guide is for the main deployment json.
Now wait a second! Let's take a step back here and level set: did you know the Key Vault secret reference is actually stored in the parameters file? Because up until I started asking, I certainly did not know that piece of information.
Here's what helped me: finding a dev who could break things down a bit for me and show me a few examples. Who did I consult internally at Microsoft? None other than Matt Canty, my trusted go-to for explaining development theories, explaining development concepts, and general making sense of ARM Templates. He's being featured on my YouTube channel at the moment, trying to help infrastructure people make sense of code.
Back to the topic at hand. So the Key Vault secret reference lives in the parameters file and you simply call upon the Key Vault parameter within the main deployment file. Here's where the parameter gets called upon within the main deployment file:
And here's how you format your Key Vault reference in the parameters file:
Talk about stumbling down and not knowing how to get back up. That's how you code a Key Vault reference into an ARM Template. You first need the ID, which is the subscription guid/id for the resource. Then you then need to reference the secret name. Who knew?
Now don't worry, the subscription I reference up above is a made up subscription GUID, as is the Key Vault name. Within each of my code examples, I never pull something that already exists, which might be more sensitive to showcase. Another quick and neat feature Matt showed me is how you can create random GUIDs via PowerShell. Check it:
This is why it pays dividends in partnering up with a dev that can help you out with conceptualizing what you want to do, explain how to do it, provide enough tools for you to build, and then you actually build! It's an amazing time to be working in tech as the lines between dev and infra are blurring more and more.
Also, if you want to see the code snippets I reference in the screen shots for this blog, I encourage you to check out my replica domain controller ARM Template GitHub repo. There's a lot of nifty things in that repo, including all the Tech Community blog posts I published on how to embrace what that template actually does for environments where identity is being extended into Azure.