Managing secrets and configuration in your Infrastructure as Code (IaC) projects is crucial for maintaining security and compliance. In this post, I'll show you how to use Azure Key Vault to securely handle secrets and configuration settings in your Bicep deployments. We'll walk through the steps to avoid exposing secrets in your outputs and ensure your deployment remains secure.
Warning outputs-should-not-contain-secrets: Outputs should not contain secrets. Found possible secret: function 'listConnectionStrings' [https://aka.ms/bicep/linter/outputs-should-not-contain-secrets]
The warning message you're seeing is a critical reminder that secrets, such as connection strings or API keys, should never be exposed in outputs. Outputs are often logged, displayed, or used in other resources, potentially leading to unintentional exposure of sensitive information. Instead, secrets should be securely stored and accessed using dedicated secret management tools like Azure Key Vault.
Azure Key Vault Creation
Creating a Key Vault is a critical step in securely managing your secrets. In our Bicep module, we define a Key Vault resource with the properties it needs, including RBAC authorization for access to its secrets. Here’s an example:
resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForDeployment: enabledForDeployment
    enabledForDiskEncryption: enabledForDiskEncryption
    // Must be true for getSecret() / Key Vault parameter references to resolve during deployment
    enabledForTemplateDeployment: enabledForTemplateDeployment
    // Secrets are authorized through Azure RBAC role assignments, not vault access policies
    enableRbacAuthorization: true
    tenantId: tenantId
    sku: {
      name: skuName
      family: 'A'
    }
    networkAcls: {
      // 'Allow' admits all networks; tighten to 'Deny' plus explicit rules for production vaults
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
  }
}
This snippet creates a Key Vault with a standard SKU (the value passed in skuName) and RBAC authorization enabled.
Storing secrets during deployment
To securely manage secrets when deploying an Azure App Service connected to an Azure Cosmos DB, you can store the Cosmos DB connection string in Azure Key Vault. Simply add the following snippet to your Bicep template:
resource secret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
  parent: keyVault
  name: secretName
  properties: {
    // secretValue should be declared with @secure() so it never surfaces in logs or deployment history
    value: secretValue
  }
}
The getSecret function
The getSecret function is used to securely retrieve secrets stored in the Key Vault. This is an essential function for passing secrets to other resources without exposing them. Here’s an example:
// Reference the vault that already holds the secret; add scope: resourceGroup('...')
// if it lives in a different resource group than this deployment
resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
  name: kvName
}

module functions 'functions.bicep' = {
  name: 'functions-deployment'
  params: {
    // Resolved by Resource Manager at deployment time; the value never appears in this template
    COSMOSDB_CONNECTION_STRING: keyVault.getSecret('secretName')
  }
}
In this snippet, the COSMOSDB_CONNECTION_STRING parameter for the Function App module is retrieved using the getSecret function, so the secret value is resolved by Resource Manager at deployment time and never written into the template itself.
Use secure parameters
For the getSecret function to work correctly, the parameter that receives the secret must be marked as secure. This ensures the parameter is handled securely throughout the deployment process. Here’s how to define a secure parameter:
@secure()
param COSMOSDB_CONNECTION_STRING string
Marking the parameter as secure prevents it from being exposed in logs or outputs.
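To show the whole flow end to end, here is an added example that is not part of the original post. It starts from the situation behind the linter warning quoted at the top (a Cosmos DB connection string obtained with listConnectionStrings) and carries it through the three steps above: the value is written to a Key Vault secret instead of an output, a second deployment reads it with getSecret, and the consuming module receives it through a @secure() parameter. The file names infra.bicep, main.bicep and app.bicep, the parameter names, the use of a plain App Service web app rather than a Function App, and the Cosmos DB and Web API versions are my assumptions; the Key Vault API version is the one used in the post. The three files are shown in one block for readability; deploy infra.bicep first, then main.bicep.

```bicep
// ---------- infra.bicep: Cosmos DB, Key Vault and the stored secret ----------
param location string = resourceGroup().location
param cosmosAccountName string   // assumption: globally unique name supplied by the caller
param keyVaultName string        // assumption: globally unique name supplied by the caller

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
  name: cosmosAccountName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
      }
    ]
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    enableRbacAuthorization: true        // access via Azure RBAC, not access policies
    enabledForTemplateDeployment: true   // lets Resource Manager read secrets for getSecret()
  }
}

// The "before" form that triggers outputs-should-not-contain-secrets: the connection
// string would be kept in deployment history and shown by anything reading the outputs.
// output connectionString string = cosmos.listConnectionStrings().connectionStrings[0].connectionString

// Hardened form: the same value is written to a Key Vault secret and never output.
resource cosmosSecret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
  parent: keyVault
  name: 'cosmos-connection-string'
  properties: {
    value: cosmos.listConnectionStrings().connectionStrings[0].connectionString
  }
}

// Only non-sensitive identifiers leave this deployment.
output keyVaultName string = keyVault.name
output secretName string = cosmosSecret.name

// ---------- main.bicep: deployed after infra.bicep; reads the secret by reference ----------
param keyVaultName string
param secretName string = 'cosmos-connection-string'
param webAppName string

resource kv 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
  name: keyVaultName
  // add scope: resourceGroup('<rg-name>') when the vault is in another resource group
}

module app 'app.bicep' = {
  name: 'app-deployment'
  params: {
    appName: webAppName
    // Resolved by Resource Manager at deployment time; never present in template, parameters or outputs
    COSMOSDB_CONNECTION_STRING: kv.getSecret(secretName)
  }
}

// ---------- app.bicep: the consuming module ----------
param location string = resourceGroup().location
param appName string

@secure()   // mandatory for any parameter fed by getSecret()
param COSMOSDB_CONNECTION_STRING string

resource plan 'Microsoft.Web/serverfarms@2023-12-01' = {
  name: '${appName}-plan'
  location: location
  sku: {
    name: 'B1'
    tier: 'Basic'
  }
}

resource site 'Microsoft.Web/sites@2023-12-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    siteConfig: {
      appSettings: [
        {
          name: 'COSMOSDB_CONNECTION_STRING'
          value: COSMOSDB_CONNECTION_STRING   // lands only in the app's configuration store
        }
      ]
    }
  }
}

// Deliberately no output for the connection string; only a non-sensitive value is exported.
output defaultHostName string = site.properties.defaultHostName
```

The identity running main.bicep needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault (included in the Contributor role) for getSecret to resolve; the web app itself never needs vault access, because the value is injected into its app settings at deployment time.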
By using Azure Key Vault in your Bicep deployments, you can securely manage secrets and configuration settings, avoiding the risks associated with exposing sensitive information. Following the steps outlined above will help you maintain a secure and compliant IaC environment.
Stay secure and happy coding!