{"id":15,"date":"2021-05-03T08:57:00","date_gmt":"2021-05-03T08:57:00","guid":{"rendered":""},"modified":"2022-04-07T09:44:56","modified_gmt":"2022-04-07T07:44:56","slug":"secrets-in-arm-templates","status":"publish","type":"post","link":"http:\/\/panahy.nl\/index.php\/2021\/05\/03\/secrets-in-arm-templates\/","title":{"rendered":"Secrets in ARM templates"},"content":{"rendered":"<p><span style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; white-space: pre-wrap;\">You may want to use a password in a template (let\u2019s say the user password of a VM or the admin password of a SQL server). Putting the password in your template, which is located in your source code repository, does not follow security guidelines. <\/span><\/p>\n<p style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; line-height: 1.714; margin: 0.75rem 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"250\">One option to secure these strings is to put them in KeyVault as a Secret and refer to them from either parameters.json or from your main.json where it refers to a linked template.<\/p>\n<div style=\"-webkit-box-align: baseline; align-items: baseline; background-color: #deebff; border-radius: 3px; border: none; color: #172b4d; display: flex; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; margin: 0.75rem 0px 0px; min-width: 48px; padding: 8px; white-space: pre-wrap; word-break: break-word;\" data-panel-type=\"info\">\n<div style=\"flex: 1 0 0px; margin: 1px 0px; min-width: 0px; padding: 0px;\">\n<p style=\"font-size: 1em; 
letter-spacing: -0.005em; line-height: 1.714; margin: 0px; padding: 0px;\" data-renderer-start-pos=\"431\">First you need to enable <strong data-renderer-mark=\"true\">Azure Resource Manager for template deployment<\/strong> in the Access Policies of the keyvault that the template refers to.<\/p>\n<\/div>\n<\/div>\n<h2 style=\"background-color: white; border-bottom-color: #cccccc; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 1.42857em; font-weight: 500; letter-spacing: -0.008em; line-height: 1.2; margin: 1.8em 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"588\">Deploying Templates<\/h2>\n<p style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; line-height: 1.714; margin: 0.75rem 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"609\">You could start a deployment right from the portal by adding a resource of type <strong data-renderer-mark=\"true\">Template Deployment<\/strong>.<\/p>\n<p style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; line-height: 1.714; margin: 0.75rem 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"712\">Another option is to use the az CLI:<\/p>\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"generic\">az deployment group create --resource-group newgrp1 --template-file main.json --parameters parameters.json<\/pre>\n<p style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; line-height: 1.714; margin: 0.75rem 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"859\">Or you could deploy it from your CD pipeline located in Azure DevOps.<\/p>\n<h2 style=\"background-color: white; border-bottom-color: #cccccc; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 1.42857em; font-weight: 500; letter-spacing: -0.008em; line-height: 1.2; margin: 1.8em 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"929\">Using Secured Secrets in Parameters.json<\/h2>\n<p style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; line-height: 1.714; margin: 0.75rem 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"971\">The following example refers to a secret called <span style=\"-webkit-box-decoration-break: clone; background-color: rgba(9, 30, 66, 0.08); border-radius: 3px; border-style: none; box-shadow: rgba(9, 30, 66, 0.08) -4px 0px 0px 0px, rgba(9, 30, 66, 0.08) 4px 0px 0px 0px; font-family: SFMono-Medium, 'SF Mono', 'Segoe UI Mono', 'Roboto Mono', 
'Ubuntu Mono', Menlo, Consolas, Courier, monospace; font-size: 13.712px; margin: 0px 4px; overflow: auto; padding: 2px 0px;\" data-renderer-mark=\"true\">vmpassword<\/span> within a keyvault called <span style=\"-webkit-box-decoration-break: clone; background-color: rgba(9, 30, 66, 0.08); border-radius: 3px; border-style: none; box-shadow: rgba(9, 30, 66, 0.08) -4px 0px 0px 0px, rgba(9, 30, 66, 0.08) 4px 0px 0px 0px; font-family: SFMono-Medium, 'SF Mono', 'Segoe UI Mono', 'Roboto Mono', 'Ubuntu Mono', Menlo, Consolas, Courier, monospace; font-size: 13.712px; margin: 0px 4px; overflow: auto; padding: 2px 0px;\" data-renderer-mark=\"true\">demovault10001<\/span>, which is located in the <span style=\"-webkit-box-decoration-break: clone; background-color: rgba(9, 30, 66, 0.08); border-radius: 3px; border-style: none; box-shadow: rgba(9, 30, 66, 0.08) -4px 0px 0px 0px, rgba(9, 30, 66, 0.08) 4px 0px 0px 0px; font-family: SFMono-Medium, 'SF Mono', 'Segoe UI Mono', 'Roboto Mono', 'Ubuntu Mono', Menlo, Consolas, Courier, monospace; font-size: 13.712px; margin: 0px 4px; overflow: auto; padding: 2px 0px;\" data-renderer-mark=\"true\">newgrp1<\/span> resource group:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\">{\n    \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2019-04-01\/deploymentParameters.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"adminUsername\": {\n            \"value\": \"admin\"\n        },\n        \"adminPassword\": {\n            \"reference\": {\n                \"keyVault\": {\n                    \"id\": \"\/subscriptions\/baaa99b3-1d19-4c5e-90e1-39d55de5fc6e\/resourceGroups\/newgrp1\/providers\/Microsoft.KeyVault\/vaults\/demovault10001\"\n                },\n                \"secretName\": \"vmpassword\"\n            }\n        }\n    }\n}\n<\/pre>\n<h2 style=\"background-color: white; border-bottom-color: #cccccc; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe 
UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 1.42857em; font-weight: 500; letter-spacing: -0.008em; line-height: 1.2; margin: 1.8em 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"1611\">Using Secured Secrets in main.json<\/h2>\n<p style=\"background-color: white; color: #172b4d; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans', Ubuntu, 'Droid Sans', 'Helvetica Neue', sans-serif; font-size: 16px; letter-spacing: -0.005em; line-height: 1.714; margin: 0.75rem 0px 0px; padding: 0px; white-space: pre-wrap;\" data-renderer-start-pos=\"1647\">Similar to the above example, we can refer to a secured password by setting the keyvault id and the secret name. 
In the following example we use this to pass the adminPassword as a parameter to a nested template.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\">{\n    \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2019-04-01\/deploymentTemplate.json#\",\n    \"contentVersion\": \"1.0.0.0\",\n    \"parameters\": {\n        \"location\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[resourceGroup().location]\",\n            \"metadata\": {\n                \"description\": \"The location where the resources will be deployed.\"\n            }\n        },\n        \"vaultName\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"appvault10001\"\n        },\n        \"secretName\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"vmaccountpassword\"\n        },\n        \"vaultResourceGroupName\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"newgrp1\"\n        },\n        \"vaultSubscription\": {\n            \"type\": \"string\",\n            \"defaultValue\": \"[subscription().subscriptionId]\",\n            \"metadata\": {\n                \"description\": \"The ID of the subscription that contains the keyvault.\"\n            }\n        }\n    },\n    \"resources\": [{\n            \"type\": \"Microsoft.Resources\/deployments\",\n            \"apiVersion\": \"2018-05-01\",\n            \"name\": \"dynamicSecret\",\n            \"properties\": {\n                \"mode\": \"Incremental\",\n                \"expressionEvaluationOptions\": {\n                    \"scope\": \"inner\"\n                },\n                \"template\": {\n                    \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2019-04-01\/deploymentTemplate.json#\",\n                    \"contentVersion\": \"1.0.0.0\",\n                    \"parameters\": {\n                        \"adminLogin\": {\n                            \"type\": \"string\"\n          
              },\n                        \"adminPassword\": {\n                            \"type\": \"securestring\"\n                        },\n                        \"location\": {\n                            \"type\": \"string\"\n                        }\n                    },\n                    \"variables\": {\n                        \"sqlServerName\": \"[concat('sql-', uniqueString(resourceGroup().id, 'sql'))]\"\n                    },\n                    \"resources\": [{\n                            \"type\": \"Microsoft.Sql\/servers\",\n                            \"apiVersion\": \"2018-06-01-preview\",\n                            \"name\": \"[variables('sqlServerName')]\",\n                            \"location\": \"[parameters('location')]\",\n                            \"properties\": {\n                                \"administratorLogin\": \"[parameters('adminLogin')]\",\n                                \"administratorLoginPassword\": \"[parameters('adminPassword')]\"\n                            }\n                        }\n                    ],\n                    \"outputs\": {\n                        \"sqlFQDN\": {\n                            \"type\": \"string\",\n                            \"value\": \"[reference(variables('sqlServerName')).fullyQualifiedDomainName]\"\n                        }\n                    }\n                },\n                \"parameters\": {\n                    \"location\": {\n                        \"value\": \"[parameters('location')]\"\n                    },\n                    \"adminLogin\": {\n                        \"value\": \"demousr\"\n                    },\n                    \"adminPassword\": {\n                        \"reference\": {\n                            \"keyVault\": {\n                                \"id\": \"[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault\/vaults', parameters('vaultName'))]\"\n             
               },\n                            \"secretName\": \"[parameters('secretName')]\"\n                        }\n                    }\n                }\n            }\n        }\n    ],\n    \"outputs\": {}\n}\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>You may want to use a password in a template (let\u2019s say user password of a VM or admin password of a SQL-server). Putting the password in your template, which is located in your source code repository, is not according to security guidelines. One option to secure your strings would be to put them in &hellip; <a href=\"http:\/\/panahy.nl\/index.php\/2021\/05\/03\/secrets-in-arm-templates\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Secrets in ARM templates&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[12,4,115,15,13,14],"tags":[],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"post-thumbnail":false},"uagb_author_info":{"display_name":"Pouya Panahy","author_link":"http:\/\/panahy.nl\/index.php\/author\/pouya\/"},"uagb_comment_info":0,"uagb_excerpt":"You may want to use a password in a template (let\u2019s say user password of a VM or admin password of a SQL-server). Putting the password in your template, which is located in your source code repository, is not according to security guidelines. 
One option to secure your strings would be to put them in&hellip;","_links":{"self":[{"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/posts\/15"}],"collection":[{"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/comments?post=15"}],"version-history":[{"count":4,"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/posts\/15\/revisions"}],"predecessor-version":[{"id":245,"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/posts\/15\/revisions\/245"}],"wp:attachment":[{"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/media?parent=15"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/categories?post=15"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/panahy.nl\/index.php\/wp-json\/wp\/v2\/tags?post=15"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}