Ghassan Karwchan

Use Azure Key Vault to retrieve secured parameters during Azure deployment.

You have an ARM template to deploy, and you need to pass secure parameters. Instead of storing secure values in the parameter file, you can just retrieve these values from Key Vault.

To let Azure Resource Manager read the vault during a deployment, you need to change the vault's access configuration to allow "Azure Resource Manager for template deployment". You can do this in the portal (screenshot not reproduced here).

Or you can do it from PowerShell:

# To update an existing key vault
Set-AzKeyVaultAccessPolicy -VaultName MyVaultName -EnabledForTemplateDeployment

# To create a new key vault with this feature enabled
New-AzKeyVault `
  -VaultName MyVaultName `
  -ResourceGroupName myresourcegroup `
  -Location centralus `
  -EnabledForTemplateDeployment

How to use it?

In the deployment parameter file, instead of giving the secure parameter a value, point it at the secret in the key vault, as follows:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "value": "eastus"
        },
        "adminUsername": {
            "value": "companyAdmin"
        },
        "adminPassword": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/MyVaultName"
                },
                "secretName": "<secret-name>"
            }
        }
    }
}
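A check worth running before you commit a parameter file is that every parameter the template declares as secure is supplied through a Key Vault reference and never as an inline value, and that each reference is well formed. The following script is an added example, not code from the original post or from Azure; the template fragment, the two parameter files, the subscription id and the vault name are all constructed for the example.

```python
"""Lint an ARM parameter file for how it supplies secrets.

Added example, not code from the original post. It checks that every
parameter the template declares as securestring/secureObject is supplied
through a Key Vault reference (never an inline "value"), and that each
reference carries a well-formed vault resource id and a secretName.
The template, parameter files and subscription id below are constructed.
"""
import re

# Shape of a vault resource id: subscription GUID, resource group, vault name.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[A-Za-z][A-Za-z0-9-]{2,23}$"
)
SECURE_TYPES = {"securestring", "secureobject"}

# Constructed template fragment: only the parameter declarations matter here.
TEMPLATE = {
    "parameters": {
        "location": {"type": "string"},
        "adminUsername": {"type": "string"},
        "adminPassword": {"type": "securestring"},
    }
}

# Constructed vault id with a placeholder subscription GUID.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/MyVaultName")

# Good: the secure parameter is a Key Vault reference.
PARAMS_GOOD = {
    "parameters": {
        "location": {"value": "eastus"},
        "adminUsername": {"value": "companyAdmin"},
        "adminPassword": {"reference": {"keyVault": {"id": VAULT_ID},
                                        "secretName": "vm-admin-password"}},
    }
}

# Bad: plaintext password, plus a reference with a bogus id and no secretName,
# attached to a parameter the template does not declare as secure.
PARAMS_BAD = {
    "parameters": {
        "location": {"reference": {"keyVault": {"id": "not-a-resource-id"}}},
        "adminUsername": {"value": "companyAdmin"},
        "adminPassword": {"value": "Hunter2!"},
    }
}


def lint_parameters(template: dict, parameters: dict) -> list[str]:
    """Return findings as strings; an empty list means the file passes."""
    findings = []
    declared = {n.lower(): spec for n, spec in template.get("parameters", {}).items()}
    for name, entry in parameters.get("parameters", {}).items():
        spec = declared.get(name.lower())
        is_secure = spec is not None and spec.get("type", "").lower() in SECURE_TYPES
        ref = entry.get("reference")
        if ref is None:
            # Inline values are fine for ordinary parameters but not for secure ones:
            # they end up in source control and in the deployment history.
            if is_secure and "value" in entry:
                findings.append(f"{name}: secure parameter supplied as plaintext 'value'")
            continue
        vault_id = ref.get("keyVault", {}).get("id", "")
        if not VAULT_ID_RE.match(vault_id):
            findings.append(f"{name}: malformed Key Vault resource id {vault_id!r}")
        secret = ref.get("secretName")
        if not isinstance(secret, str) or not secret:
            findings.append(f"{name}: Key Vault reference has no secretName")
        if spec is not None and not is_secure:
            # Only secure parameter types keep the resolved value out of deployment history.
            findings.append(f"{name}: Key Vault reference on non-secure type {spec.get('type')!r}")
    return findings


if __name__ == "__main__":
    for label, params in (("good", PARAMS_GOOD), ("bad", PARAMS_BAD)):
        print(label, lint_parameters(TEMPLATE, params) or "OK")
```

Run it as a pre-commit or pipeline step against the real template and parameter file (`json.load` both and pass the dicts in); the good file returns no findings, the bad one reports the plaintext password and the three problems with the malformed reference.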


Permissions to run deployments:

The beauty of this feature is that the user running the deployment doesn't need any access to the secrets, not even read access. They only need a special permission, the deploy permission, or more specifically:

Microsoft.KeyVault/vaults/deploy/action

To assign this permission, it is easiest to create a custom role that contains only this permission and then assign that role to any user who needs to deploy.

First, create a JSON file with the definition of the custom role:

{
  "Name": "TemplateDeploymentForResourceManagerRole",
  "IsCustom": true,
  "Description": "Lets you deploy a resource manager template with the access to the secrets in the Key Vault.",
  "Actions": [
    "Microsoft.KeyVault/vaults/deploy/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<your subscription id>"
  ]
}

Then create the role and assign it to the user.

This PowerShell script does both:

# Create the custom role from the JSON definition above
New-AzRoleDefinition -InputFile "<path-to-role-file>"

# Assign it to the deploying user, scoped to the resource group being deployed to
New-AzRoleAssignment `
  -ResourceGroupName ExampleGroup `
  -RoleDefinitionName "TemplateDeploymentForResourceManagerRole" `
  -SignInName "<user-principal-name>"
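The point of the custom role above is least privilege: the deployer gets the vault deploy action and nothing that exposes secret values. The following script is an added example, not code from the original post or from Azure, that reviews a role definition for that property: it flags a missing deploy action, wildcard actions that widen it, data actions that read secrets, and assignment at the root scope. The two role definitions are constructed, the subscription id is a placeholder, and NotActions are deliberately ignored for simplicity.

```python
"""Review a custom role meant for ARM template deployers.

Added example, not from the original post. The role should grant the vault
deploy action and nothing that exposes secret values; this check flags a
missing deploy action, wildcard actions that widen it, data actions that
read secrets, and the root scope. NotActions are ignored for simplicity.
The role definitions below are constructed; the subscription id is a placeholder.
"""
import fnmatch

DEPLOY_ACTION = "Microsoft.KeyVault/vaults/deploy/action"
# Data-plane actions that return or enumerate secret values (RBAC permission model).
SECRET_DATA_ACTIONS = (
    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
)


def _matches(action: str, granted: str) -> bool:
    """Case-insensitive match that honours the '*' wildcard in a granted action."""
    return fnmatch.fnmatchcase(action.lower(), granted.lower())


def review_role(role: dict) -> list[str]:
    """Return findings as strings; an empty list means the role is deploy-only."""
    findings = []
    actions = role.get("Actions", [])
    if not any(_matches(DEPLOY_ACTION, a) for a in actions):
        findings.append(f"role does not grant {DEPLOY_ACTION}")
    for a in actions:
        if "*" in a:
            findings.append(f"wildcard action {a!r} grants more than deploy")
    for d in role.get("DataActions", []):
        if any(_matches(s, d) for s in SECRET_DATA_ACTIONS):
            findings.append(f"data action {d!r} lets the deployer read secrets")
    for scope in role.get("AssignableScopes", []):
        if scope == "/":
            findings.append("assignable at root scope; bound it to a subscription or resource group")
    return findings


# Constructed: the role from the post with a placeholder subscription id.
ROLE_DEPLOY_ONLY = {
    "Name": "TemplateDeploymentForResourceManagerRole",
    "IsCustom": True,
    "Actions": [DEPLOY_ACTION],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed: a role that would also let deployments succeed, but hands out far more.
ROLE_TOO_BROAD = {
    "Name": "KeyVaultEverything",
    "IsCustom": True,
    "Actions": ["Microsoft.KeyVault/*"],
    "NotActions": [],
    "DataActions": ["Microsoft.KeyVault/vaults/secrets/*"],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}

if __name__ == "__main__":
    for role in (ROLE_DEPLOY_ONLY, ROLE_TOO_BROAD):
        print(role["Name"], review_role(role) or "OK")
```

The wildcard handling matters because `Microsoft.KeyVault/*` does satisfy the deploy requirement, so a check that only looks for the exact deploy string would pass a role that also grants every control-plane operation on the vault.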
