Recommended approach for outputting/getting secrets

[jonas-lomholdt]

What is the recommended approach for outputting secrets?

I understand why it's not great to output secrets from a module (as described here https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-resource-manager/bicep/linter-rule-outputs-should-not-contain-secrets.md#linter-rule---outputs-should-not-contain-secrets), but what is then the recommended approach to get eg. a connection string in your Bicep?

If I create a module that creates for example a Microsoft.ServiceBus/namespaces@2021-06-01-preview my naive approach would be to output the connection string using the listKeys() method. But as mentioned I'm not supposed to do that.

If I try to use listKeys() in my main.bicep file after creating the namespace eg. to add it to a key vault, something like:

Endpoint=sb://${serviceBus.outputs.name}.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=${listKeys('${serviceBus.outputs.id}/AuthorizationRules/RootManageSharedAccessKey', serviceBus.outputs.apiVersion).primaryKey}

Then I get this error:

This expression is being used in an argument of the function "listKeys", which requires a value that can be calculated at the start of the deployment. Properties of serviceBus which can be calculated at the start include "name".bicep(BCP181)

So can't I use modules for this? Or am I missing the point.

[jonas-lomholdt]

I had the same issue creating a Function App, but there I was able to configure it to have the function keys stored in a key vault.

[johnlokerse]

Hi @jonas-lomholdt,

The output is probably not allowed because it potentiallyly can leak secrets.

The way to retrieve secrets is to use the existing keyword "calling" your keyvault.

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, kvResourceGroup )
}

If you have done this you can use the symbolic name kv and call the kv.getSecret('myKvKey') method. I would use this approach instead of outputting secrets.

[brwilkinson]

@Kor-Hal sounds good, apologies, It took a while to spot the issue.

[brwilkinson]

in case it's helpful, this is a main.bicep that only contains modules and can be orchestrated.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/01-ALL-RG.bicep

[Kor-Hal]

No worries, I should have put a repro step to begin with.
As soon as I put the code snippets in, it was way more clear.

Also thanks for the link to your Github, it'll help showing people how to do stuff the "right" way :)

[brwilkinson]

@Kor-Hal well there are lots of different approaches, that scale in different ways.

Each has pluses and minuses.

Obviously having your own standards is important and adopting what works best for your needs. Either personal or within your team or organization.

There is a much different approach than they have taken, which I would also recommend to check out in the
CARML Modules https://github.com/Azure/ResourceModules

[Kor-Hal]

I'll take a look at all of this and see what's best :)
Thanks for all of those links.

[longli0]

FWIW, I recently also met this issue and tried many ways to use the modules and try to set secret with it at same time.
After struggling a while, I found that there are basically two ways to achieve this.

--------------- First ------------------
is what @Kor-Hal said, create a reference to the existing resource and use listKeys() and resourceId(), and then you can pass the key to key-vault module through secure() parameter.

resource storageAccountRef 'Microsoft.Storage/storageAccounts@2022-05-01' existing = {
  // DO NOT USE storageAccount.outputs.name 
  name: storageAccount.name
  scope: resourceGroup
}
var storageAccountKey = listKeys(resourceId(subscription().subscriptionId, resourceGroup.name, storageAccountRef.type, storageAccountRef.name), storageAccountRef.apiVersion).keys[0].value

But this requires

1. the resource name that is calculated at the start should be same with the name we output after the resource deployed. You can use namePrefix outside the module and pass it in at the same time to make sure
2. avoid using the outputs.name at all, so that you won't meet the The template function 'reference' is not expected at this location issue
3. create a reference, and we need to make sure it has same apiVersion with the one deployed in the module

--------------- Second ------------------
The idea is actually pretty simple, you just make storage-account, key-vault key-vault-secret all be modules. And put the key-vault-secret module not in main.bicep, not in key-vault.bicep, but in storage-account.bicep.

And then use accessor operator to access the key or connection string of it and set it as secure value. You also need to pass the keyVaultName as parameter to it to locate the key vault when setting the secrets.

// main.bicep
module keyVault 'key-vault.bicep' = {
  name: '${keyVaultNamePrefix}${location}'
  scope: resourceGroup
  params: {
    namePrefix: keyVaultNamePrefix
    location: location
  }
}

module storageAccount 'storage-account.bicep' = {
  name: '${storageAccountNamePrefix}${location}'
  scope: resourceGroup
  params: {
    namePrefix: storageAccountNamePrefix
    location: location
    keyVaultName: keyVault.name
  }
}

// key-vault-secret.bicep
param keyVaultName string
param secretName string
@secure()
param secretValue string

resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  name: '${keyVaultName}/${secretName}'
  properties: {
    ...
    value: secretValue
  }
}

// storage-account.bicep
param location string = resourceGroup().location
param namePrefix string
param keyVaultName string

var connectionStringName = 'storage-account-connection-string'

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: '${namePrefix}${location}'
  location: location
  properties: {
   ...
  }
}

// THIS IS THE MOST IMPORTANT STEP
module storageConnectionString 'key-vault-secret.bicep' = {
  name: connectionStringName
  params: {
    keyVaultName: keyVaultName
    secretName: connectionStringName
    secretValue: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}

[justinpenguin45]

this actually doesnt work unless the storage account already exists