How to retrieve keyvault secret in a module bicep

[Dnelre]

Our keyvault's and vm's needs to be created in the same bicep deployment template via module. A secret generated in bicep must be used to set the password for local admin for the VM and put it in a keyvault.

We got so far as creating the bellow template, but it fails with "The specified KeyVault '(keyvault id)’ could not be found" :

module kv './modules/keyvault.bicep' = {     
  name: '${deployment().name}-kv'     
  scope: rg     
  params: {     
    keyvaultName: kvName    
    createLocalAdmin: true     
  }     
} 

resource kvRef 'Microsoft.KeyVault/vaults@2019-09-01' existing = {     
  name: kvName     
  scope: rg     
}      

module vm './modules/vm.bicep' = {     
  name: '${deployment().name}-vm-${vm.hostShortName}'     
  scope: rg     
  params: {     
    adminPassword: kvRef.getSecret('localadmin')     
    adminUsername: 'localadmin'     
  }     
  dependsOn: [     
    network     
    kv     
  ]     
} 

In ARM we could use:

 "parameters": {
            "adminPassword": {
                "reference": {
                    "keyVault": {
                        "id": "<keyvault-id>"
                     },
                    "secretName": "localAdmin"
               }
            }
     }

This does not seem to work anymore in bicep.

Any suggestions how we can get the secret from the keyvault?

[brwilkinson]

How are you generating the password in this case?

Are you able to share your repo/sample code?

As a general rule, I would suggest that: Service Principals, Certificates, Passwords/Secrets should all be generated outside of a Resource Deployment template. Even User Assigned Identities Role assignments should likely be deployed with an alternate principal than the one doing the Resource deployment.

[Dnelre]

Thank you for the reply.

We thought about creating the secret in the main Bicep so we could pass the secret to VM creation module and keyvault module with @secret() decorator on parameters, but from our understanding, we would need to pass the secret as plain text to the keyvault module since secret value creaion expects a string and this would perhaps create a security risk.

If I create the secret value outside resource creation, how would I securly pass the secret to when we create the secret value in bicep?

Bellow is an example of how the keyvault bicep module file looks like. The secret value is generated when the secret value is created.

param keyvaultName string
param createLocalAmin bool 

var roletag string = 'Security'

resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: keyvaultName
  location: resourceGroup().location
  tags: {
    Role: roletag
  }
  properties: {
    enableSoftDelete: true
    enableRbacAuthorization: true
    tenantId: subscription().tenantId
    accessPolicies: []
    sku: {
      name: sku
      family: 'A'
    }
    networkAcls: {
      value: {
        defaultAction: 'Allow'
        bypass: 'AzureServices'
      }
    }
  }
}

...
resource localadmin 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if(createLocalAdmin) {
  parent: keyvault
  name: 'localadmin'
  properties: {
    value: 'autogenerated-${uniqueString(deployment().name)}!'
    contentType: 'password for localadmin'
  }
}

[Dnelre]

Found a sollution inspired by your feedback. The solution used is generating a secret before bicep deployment and passing the secret via parameter in main bicep. The keyvault and vm bicep modules also has the same parameter using the same value.

[brwilkinson]

I wasn't sure if the solution that you came up with below excluded the generation of the password itself, so I wanted to mention this here anyway... Hopefully you already came up with the alternative solution that you marked as the answer below.

• Although this can functionally work, the password is deterministic, so It's possible for anyone to figure out what your password is, so this is not secure.

You may want to consider an alternative. Perhaps look into the Azure AD Login.

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VM-VM.bicep#L399

[Dnelre]

The solution used is generating a secret before bicep deployment and passing the secret via parameter in main bicep.

@secure()
param adminPassword 

module kv './modules/keyvault.bicep' = {     
  name: '${deployment().name}-kv'     
  scope: rg     
  params: {     
    keyvaultName: kvName    
    adminPassword: adminPassword    
  }     
}  

module vm './modules/vm.bicep' = {     
  name: '${deployment().name}-vm-${vm.hostShortName}'     
  scope: rg     
  params: {     
    adminPassword: adminPassword 
    adminUsername: 'localadmin'     
  }     
  dependsOn: [     
    network     
    kv     
  ]     
} 

[brwilkinson]

sounds good, passing in like this would allow the user to link it to their own keyvault and securely pass it in OR else just supply a value at deployment time. So long as all of the parameters are @secure() including in the kv module, then this can be secure.

There could be 1 other take on this solution.

1. Either ask the person deploying for a secret, so they can either link it to a kv in the param file OR pass in the securestring
2. Assume the person deploying will always deploy via a KV of their own, ask them for the kvName, with optional rgName and secretName

param secretName string = 'localadmin'
param kvName string
param kvResourceGroupName string = resourceGroup().name

resource pwkv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
  scope: resourceGroup(kvResourceGroupName)
}

module kv './modules/keyvault.bicep' = {
  name: '${deployment().name}-kv'
  scope: rg
  params: {
    keyvaultName: kvName
    adminPassword: pwkv.getSecret(secretName)
  }
}

module vm './modules/vm.bicep' = {
  name: '${deployment().name}-vm-${vm.hostShortName}'
  scope: rg
  params: {
    adminPassword: pwkv.getSecret(secretName)
    adminUsername: 'localadmin'
  }
  dependsOn: [
    network
    kv
  ]
}

[moha999]

would be great to see the VM bicep file and especially how did you list the adminPassword parameter there!

[brwilkinson]

@moha999

• https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VM.bicep#L110
  • https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VM-VM.bicep#L10

[moha999]

Hi @brwilkinson, I'm facing an issue with my implementation which is as follow:

• I created a kv.bicep file which contains a (ps1 password generator).that generate the password and put it to the Secret and then save it in the kv resource.
• another file that contains the vm.bicep.
• I also created a main.bicep and added vm module and kv module, but when I try to execute the main file it always shows an error that the kv is not exist.
• as I would understand it, that the main file should create the kv and the vm resources? but the case here that it assume that the kv is already exist!
• However, the main file can create and deploy the vm.bicep if I comment the kv.bicp.

I would appreciate and hints to resolve this matter.