I have an ARM template which provisions a Data Lake, and I would like to store its secret in Key Vault. I assume that I should use the outputs section in the ARM JSON like this, but how should I store it in an already existing (!) Key Vault?
    "outputs": {
        "storageAccountName": {
            "type": "string",
            "value": "[variables('storageAccountName')]"
        },
        "storageAccountConnectionString": {
            "type": "string",
            "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]"
        }
    }
You can add values to Key Vault using an ARM template and also read from them in an ARM template.
Add the resource below for each Key Vault secret:
    {
        "type": "Microsoft.KeyVault/vaults/secrets",
        "location": "[parameters('location')]",
        "name": "[concat(parameters('keyVaultName'), '/', 'api', '--storageAccountConnectionString')]",
        "apiVersion": "[parameters('apiVersion')]",
        "dependsOn": [
            "[variables('keyVaultResourceId')]",
            "[variables('serviceBusResourceId')]"
        ],
        "properties": {
            "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]",
            "contentType": "text/plain"
        }
    },
Read this secret after deployment through a parameter value in the ARM template:
    "storageAccountConnectionString": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT_NAME"
            },
            "secretName": "api--storageAccountConnectionString"
        }
    },
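
Added example (not part of the original answer): a complete template that writes the connection string straight into an existing vault in the same resource group, with no `dependsOn` on the vault because it is not declared in the template, and that outputs only the secret URI. The API versions, SKU, `isHnsEnabled` setting and parameter names are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": { "comments": "Added example. API versions, SKU, isHnsEnabled and parameter names are assumptions; the vault must already exist in this resource group." },
  "parameters": {
    "keyVaultName": { "type": "string" },
    "storageAccountName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "storageAccountApiVersion": "2019-06-01",
    "secretName": "api--storageAccountConnectionString"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "[variables('storageAccountApiVersion')]",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": { "isHnsEnabled": true, "supportsHttpsTrafficOnly": true }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/', variables('secretName'))]",
      "dependsOn": [ "[variables('storageAccountResourceId')]" ],
      "properties": {
        "contentType": "text/plain",
        "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]"
      }
    }
  ],
  "outputs": {
    "secretUri": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('secretName'))).secretUri]"
    }
  }
}
```

Output values are kept in the resource group's deployment history, which is why this template returns the secret's URI rather than the connection string itself.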