Creating and Referencing Azure Key Vault Secrets in Bicep

Now that Bicep has parity with ARM Templates and is supported for production use, I've been starting to use it in my projects! 💪

In this post, I'm going to show how to dynamically create some Azure Key Vault secrets with Bicep, then reference those secrets during deployment of an App Service.

I have a .NET App that connects to App Insights, Azure SQL, and a Storage Account, but one thing on my list to do has been to integrate an Azure Key Vault for securing the connection strings.

I had a bit of a battle with this one, but here's how I did it...

First, I created a Key Vault module and output the name and id:

I then added a secrets resource to the SQL and Storage modules, outputting the secretUriWithVersion property (storageSecret example below):

In the App Service module, I made sure to add a System-Assigned identity to the app, then assigned it the Key Vault Secrets User built-in role so it could read secret contents:

I then referenced the secrets from the App Service configuration (storageSecret example below):

@Microsoft.KeyVault(SecretUri=${storageSecretUri})
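To show the whole flow in one place, here is an added, self-contained Bicep example that follows the steps above; it is not the original post's code and does not reproduce the author's module layout. It collapses the Key Vault, Storage and App Service modules into a single file, uses the Storage secret (the SQL one works the same way), and assumes a `baseName` parameter, resource names derived with `uniqueString`, and the API versions shown. The role definition GUID is the ID of the built-in Key Vault Secrets User role.

```bicep
@description('Base name for the App Service resources (assumed parameter, not from the original post)')
param baseName string
param location string = resourceGroup().location

var kvName = 'kv-${uniqueString(resourceGroup().id)}'
var storageName = 'st${uniqueString(resourceGroup().id)}'

// Key Vault with RBAC authorization instead of access policies.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}

// The connection string is assembled at deployment time from listKeys(),
// so the account key never has to appear in source control or a parameter file.
resource storageSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: keyVault
  name: 'StorageConnectionString'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: 'plan-${baseName}'
  location: location
  sku: { name: 'B1' }
}

// System-assigned identity gives the app a principal we can grant Key Vault access to.
resource app 'Microsoft.Web/sites@2022-03-01' = {
  name: 'app-${baseName}'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: [
        {
          // App Service resolves this reference with the app's managed identity;
          // the app code just reads a normal setting.
          name: 'StorageConnectionString'
          value: '@Microsoft.KeyVault(SecretUri=${storageSecret.properties.secretUriWithVersion})'
        }
      ]
    }
  }
}

// Built-in role "Key Vault Secrets User": read secret contents only, no key or certificate rights.
var keyVaultSecretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

// Scoped to this vault only, and named deterministically so redeployments are idempotent.
resource secretsUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, app.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

output keyVaultName string = keyVault.name
output keyVaultId string = keyVault.id
output storageSecretUri string = storageSecret.properties.secretUriWithVersion
```

Two things to check after the first deployment: the role assignment can only be created once the app exists (it needs the principal ID), so the Key Vault reference may show as unresolved in the portal for a short while until the grant propagates; and because the reference pins `secretUriWithVersion`, rotating the secret requires redeploying the template so the app picks up the new version, whereas the version-less `secretUri` lets App Service refresh the value on its own.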

RBAC for the win! 😀 This is a much better approach than using Access Policies, and I highly recommend using RBAC going forward if you can.