Add support for passing keyvault secrets through TemplateParameterObject

[gregjhogan]

It looks like when template parameters are assembled for trasmission only a template parameter file supports keyvault references. This means dynamic parameters and -TemplateParameterObject does not support keyvault references.

I would like support for referencing a keyvault secret through other means. Ideally it would probably not be through a special dynamic parameter or -TemplateParameterObject. I think ideally I could just put something in the template like [reference('Microsoft.KeyVault/vaults/{vault-name}/secrets/{secret-name}', '2015-06-01').value]to get the secret, allowing a vault/secret name to be passed as a normal parameter. Or perhaps this is already somehow possible, but it isn't well documented? Thanks!

[andreamaruccia]

+1

[xstof]

+1 but also would prefer powershell command line parameters, not just TemplateParameterObject

[baseif]

+1
Can't Reference a secret with dynamic id !!!!
The obvious problems with this way of doing things are:
Someone needs to type the cleartext password which means:
it needs to be known to anyone who provisions the environment and how do I feed it into an automated environment deployment? If I store the password in a parameter… ???????
"variables": {
"tenantPassword": {
"reference": {
"keyVault": {
"ID": "[concat(subscription().id,'/resourceGroups/',parameters('keyVaultResourceGroup'),'/providers/Microsoft.KeyVault/vaults/', parameters('VaultName'))]"
},
"secretName": "tenantPassword"
}
}
},

[AndyHerb]

+1 - I've just lost the best part of a day trying to work out how to do this, only to find this issue and surmise that it can't currently be done. It'd be nice if it were at least mentioned in the documentation that KeyVault references can only be done via a Parameter File

[drandall-microsoft]

+1

[maddieclayton]

Closing in favor of #3318 which is assigned to the correct team.