Creating and Referencing Azure Key Vault Secrets in Bicep

Now that Bicep has parity with ARM Templates and is supported for production use, I've been starting to use it in my projects! 💪

In this post, I'm going to show how to dynamically create some Azure Key Vault secrets with Bicep, then reference those secrets during deployment of an App Service.

I have a .NET App that connects to App Insights, Azure SQL, and a Storage Account, but one thing on my list to do has been to integrate an Azure Key Vault for securing the connection strings.

I had a bit of a battle with this one, but here's how I did it...

First, I created a Key Vault module and output the name and id:

I then added a secrets resource to the SQL and Storage modules, outputting the secretUriWithVersion property (storageSecret example below):

In the App Service module, I made sure to add a System-Assigned identity to the app, then assigned it the Key Vault Secret User built-in role so it could read secret contents:

I then referenced the secrets as below (storageSecret example below):


RBAC for the win! 😀 This is a much better approach than using Access Policies, and I highly recommend using them going forward if you can.