I am trying to create a KeyVault reference in the AppConfig section of an Azure web app. The KeyVault reference references a secret which exists in a KeyVault that is part of a different resource group and thus does not exist in the template.
According to the documentation of the reference() template function, you should be able to reference a resource which is not part of the template as long as you provide the complete resourceId and the apiVersion.
But when I use that to reference the secret I keep getting a validation error which says:
Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults//secrets/' is not defined in the template.
I followed this guide for how to use KeyVault references in ARM templates.
The code below is a sample of a situation which does not work.
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2016-08-01",
  "name": "[variables('webAppName')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]",
    "siteConfig": {
      "alwaysOn": true,
      "appSettings": [
        {
          "name": "<secretName>",
          "value": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretResourceId')).secretUriWithVersion, ')')]"
        }
      ]
    }
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]"
  ]
}
The variable is defined like this:
"variables": {
  "secretResourceId": "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 'secretName')]"
},
Is this something specific to references to KeyVault secrets?
As soon as I try the same but with a keyvault and secret inside the template it works perfectly fine.
The documentation for the reference function mentions that the second parameter to the function, apiVersion, is required when the referenced resource isn't provisioned within the same template.
So, instead of
reference(variables('secretResourceId')).secretUriWithVersion
something like this should work
reference(variables('secretResourceId'), '2018-02-14').secretUriWithVersion
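To make the rule from the answer easy to check before a deployment fails validation, here is a small lint script (an added example, not code from the question or the answer) that walks a parsed ARM template, finds every reference() call with a single argument, resolves variables() so the resource type inside the resourceId() is visible, and flags the call when that type is not declared among the template's own resources. The template it runs on is a constructed sample mirroring the question: one app setting with the failing one-argument form and one with the apiVersion added. The resource-type extraction is a heuristic on quoted 'Namespace/type/...' literals, which is an assumption of this script rather than how ARM itself resolves the expression.

```python
import json
import re

# Constructed sample: a web app in this template referencing a Key Vault secret
# that is NOT defined here (it lives in another resource group), once without
# and once with the apiVersion argument the answer recommends.
SAMPLE_TEMPLATE = json.loads("""
{
  "variables": {
    "secretResourceId": "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 'secretName')]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "[variables('webAppName')]",
      "properties": {
        "siteConfig": {
          "appSettings": [
            {"name": "BrokenSecret",
             "value": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretResourceId')).secretUriWithVersion, ')')]"},
            {"name": "FixedSecret",
             "value": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretResourceId'), '2018-02-14').secretUriWithVersion, ')')]"}
          ]
        }
      }
    }
  ]
}
""")

# Quoted literal that looks like an ARM resource type, e.g. 'Microsoft.KeyVault/vaults/secrets'
TYPE_LITERAL = re.compile(r"'([A-Za-z]+\.[A-Za-z]+(?:/[A-Za-z]+)+)'")


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string anywhere in the parsed template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def reference_calls(expr):
    """Return the raw argument text of each reference(...) call in an ARM expression.
    Parentheses are balanced and parentheses inside single-quoted strings are ignored."""
    calls = []
    for match in re.finditer(r"\breference\(", expr):
        if expr.count("'", 0, match.start()) % 2:  # occurrence is inside a string literal
            continue
        depth, in_str, i = 1, False, match.end()
        start = i
        while i < len(expr) and depth:
            ch = expr[i]
            if ch == "'":
                in_str = not in_str
            elif not in_str:
                depth += 1 if ch == "(" else -1 if ch == ")" else 0
            i += 1
        calls.append(expr[start:i - 1])
    return calls


def split_args(argtext):
    """Split an argument list on commas that sit outside quotes and nested parentheses."""
    args, depth, in_str, current = [], 0, False, ""
    for ch in argtext:
        if ch == "'":
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(current.strip())
                current = ""
                continue
        current += ch
    if current.strip():
        args.append(current.strip())
    return args


def resolve_variables(expr, variables):
    """Inline variables('x') so type literals declared in the variables block become visible."""
    def substitute(match):
        value = variables.get(match.group(1), "")
        return value.strip("[]") if isinstance(value, str) else ""
    return re.sub(r"variables\('([^']+)'\)", substitute, expr)


def lint(template):
    """Return (json_path, resource_type, message) for every single-argument reference()
    whose target resource type is not declared in this template."""
    declared = {r.get("type", "").lower() for r in template.get("resources", [])}
    variables = template.get("variables", {})
    findings = []
    for path, value in walk_strings(template):
        if not value.startswith("["):  # only ARM expressions can contain reference()
            continue
        for argtext in reference_calls(value):
            args = split_args(argtext)
            if len(args) >= 2:  # apiVersion supplied, nothing to flag
                continue
            target = resolve_variables(args[0], variables)
            for rtype in TYPE_LITERAL.findall(target):
                if rtype.lower() not in declared:
                    findings.append((path, rtype,
                                     "reference() to a resource outside this template needs an apiVersion argument"))
    return findings


if __name__ == "__main__":
    for path, rtype, message in lint(SAMPLE_TEMPLATE):
        print(f"{path}: {rtype}: {message}")
```

Run it against a template file by replacing SAMPLE_TEMPLATE with json.load() of that file; only the BrokenSecret setting is reported, and declaring a Microsoft.KeyVault/vaults/secrets resource in the same template makes the finding disappear, which matches the observation in the question that the in-template case works.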