Get URL & ID Of Key Vault And KV Secret In Azure Bicep - With Examples
In this short post, we discuss how to access URL and ID properties of a key vault or a key vault secret and then optionally return it in the template outputs.
URL and ID of a key vault or a secret can be retrieved by accessing the corresponding properties (id, vaultUri, secretUri) of the runtime state object of the resource. This can be done for both a new resource as well as an existing one.
All use cases are accompanied with code samples and explanations including links for more information.
Contents:
Overview
This post is divided into two main sections, the first one is dedicated to retrieving identifiers of a key vault resource, and the second one is for getting identifiers of a key vault secret.
In general, the approach is straightforward, first, create a symbolic name of the resource (either vault or secret), and then use it to retrieve desired values by accessing the appropriate fields.
Navigate to the section you are interested in and continue reading!
Key Vault
While a key vault resource has many different properties and fields, most often we want to retrieve key vault URI and ID to return them in the Azure Bicep template or module outputs.
After getting the key vault URL or ID from the template or module deployment, we can pass these identifiers to other resources as configuration parameters if needed.
Get Key Vault URL or ID
Key vault resource schema Microsoft.KeyVault/vaults contains the fields that we are looking for: id and vaultUri. To retrieve the values of these properties, we need to create a symbolic name for the key vault resource we are interested in.
The example below shows how to get key vault URI and ID for an existing resource, and the same approach is used for a new vault which is deployed in the same template.
To learn more about different ways of creating a symbolic name for a resource, please refer to Reference New Or Existing Resource In Azure Bicep.
// ========== keyvault-url-id.bicep ==========
param keyVaultName string = 'kv-contoso'
// Creating a symbolic name for an existing key vault
// Alternatively, this could be a full KV definition
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: keyVaultName
}
// Referencing Key Vault ID
output keyVaultId string = keyVault.id
// Referencing Key Vault URL
output keyVaultUri string = keyVault.properties.vaultUri
As a result, we will get something similar to the following output:
- keyVaultId:
/subscriptions/353f37fe-d38d-44d5-8a3f-2b4e6855e12a/resourceGroups/rg-contoso/providers/Microsoft.KeyVault/vaults/kv-contoso - keyVaultUri:
https://kv-contoso.vault.azure.net/
KV Secret
Getting URL and ID of a key vault secret is quite straightforward as well because the resource schema already contains properties we are looking for: id, secretUri, and secretUriWithVersion.
To access these fields, the only thing we need to do is to have a reference to the corresponding key vault secret resource, and this reference is also called a symbolic name.
In the following code samples, we illustrate two possible ways to reference a key vault secret. However, in your use case it might be different depending on whether the key vault and the secret already exist or the way the secret is defined.
Read more about the options how to reference child resources in the following posts:
Get Key Vault Secret URL
In this section, we discuss how to deploy a key vault with a secret and then return the URL of the secret in the template outputs. Note that nested resource accessor “::” operator is used to reference the secret inside of the key vault.
The output should be something like the following:
- secretUri:
https://kv-contoso.vault.azure.net/secrets/mySecret - secretUriWithVersion:
https://kv-contoso.vault.azure.net/secrets/mySecret/6762a563001a4415bfdd04aeaa637a17
// ========== keyvault-secret-uri.bicep ==========
param keyVaultName string = 'kv-contoso'
param secretName string = 'mySecret'
// Declaring a key vault resource
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: keyVaultName
location: resourceGroup().location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: subscription().tenantId
accessPolicies: []
}
// Creating a secret
resource secret 'secrets' = {
name: secretName
properties: {
value: 'mySecretValue'
}
}
}
// Referencing Secret URI
output secretUri string = keyVault::secret.properties.secretUri
// Referencing Secret URI with version
output secretUriWithVersion string = keyVault::secret.properties.secretUriWithVersion
Get Key Vault Secret ID
Here, we retrieve ID of an existing secret simply by creating a symbolic name for the secret and then using it to output the property we need.
The output will include a full identifier of the secret resource:
- secretId:
/subscriptions/353f37fe-d38d-44d5-8a3f-2b4e6855e12a/resourceGroups/rg-contoso/providers/Microsoft.KeyVault/vaults/kv-contoso/secrets/mySecret
// ========== keyvault-secret-id.bicep ==========
param keyVaultName string = 'kv-contoso'
param secretName string = 'mySecret'
// Creating a symbolic name for an existing key vault secret
resource secret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' existing = {
name: '${keyVaultName}/${secretName}'
}
// Referencing Secret ID
output secretId string = secret.id
Related Posts
- Key Vault & Secrets Management With Azure Bicep - Create, Reference, Output Examples
- Using Key Vault Secrets As Secure Parameters In Azure Bicep - Template & Module Inputs
- Parameters In Azure Bicep - Ultimate Guide With Examples
- Variables In Azure Bicep - From Basics To Advanced
- Reference New Or Existing Resource In Azure Bicep
- Learn Modules In Azure Bicep - Basics To Advanced, How It Works, Nested Modules, Outputs, Scopes
- Child Resources In Azure Bicep - 3 Ways To Declare, Loops, Conditions
- 5 Ways To Deploy Bicep File With Parameters - Azure DevOps, PowerShell, CLI, Portal, Cloud Shell