I am creating an ARM template that needs to install an SSL certificate that is located inside of an Azure key vault. If I specify the certificate with the thumbprint, it works fine:
https://contoso.vault.azure.net/secrets/web01-test-contoso-com/968bf207451149d3aceb390065af9d3a
But as a certificate is on a ticking clock, this hard-codes a dependency that can go stale into the ARM template. I would rather just specify the latest version (like it shows in the portal). However, I haven't found any documentation that shows how to do that or even mentions if it is possible.
I ran a couple of experiments using:
https://contoso.vault.azure.net/secrets/web01-test-contoso-com
and
https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest
But in both cases, I got the same error message:
message '{
"error": {
"code": "InvalidParameter",
"message": "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest is
not a valid versioned Key Vault Secret URL. It should be in the format
https://<vaultEndpoint>/secrets/<secretName>/<secretVersion>.",
"target": "certificateUrl"
}
}'
So my question is: How can I reference the certificate in a way that I get the latest version?
For clarity, I am using the URL in the secrets section of the ARM template for a VM as follows, which gets the certificate from the Azure key vault and installs it into the Windows certificate store.
"secrets": [
  {
    "sourceVault": {
      "id": "[resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest",
        "certificateStore": "My"
      }
    ]
  }
]
NOTE: I would find it odd that you can specify the latest version of an OS to install, but you cannot specify to install the latest version of a certificate.
It is possible, contrary to what the accepted answer says. Define a variable with the secret's resource ID like this, for example:
"mySecretResourceId": "[concat(resourceGroup().id,'/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'), '/secrets/', 'my-secret-name')]"
then you can use it in your template as follows:
"certificateUrl": "[reference(variables('mySecretResourceId'), '2018-02-14').secretUriWithVersion]"
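A minimal, deployable template that applies this answer's approach and surfaces the resolved URL as an output, so the expression can be checked before it is wired into the VM's secrets block. It is an added example, not code from the answer; the parameter names are assumptions, and the default secret name is the one from the question.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added example: resolves the current version of a Key Vault secret (a certificate stored as a secret) at deployment time. Parameter names are assumptions; the secret name defaults to the one used in the question."
  },
  "parameters": {
    "keyVaultName": {
      "type": "string"
    },
    "keyVaultResourceGroupName": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": { "description": "Resource group of the vault; may differ from the deployment's own." }
    },
    "certificateSecretName": {
      "type": "string",
      "defaultValue": "web01-test-contoso-com"
    }
  },
  "variables": {
    "secretResourceId": "[resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('certificateSecretName'))]"
  },
  "resources": [],
  "outputs": {
    "certificateUrlLatest": {
      "type": "string",
      "value": "[reference(variables('secretResourceId'), '2018-02-14').secretUriWithVersion]"
    },
    "certificateUrlUnversioned": {
      "type": "string",
      "value": "[reference(variables('secretResourceId'), '2018-02-14').secretUri]"
    }
  }
}
```

Deploy it with `az deployment group create -g <rg> -f template.json -p keyVaultName=<vault>` and read the outputs; the same reference() expression then replaces the hard-coded certificateUrl in the question's vaultCertificates entry. The version is resolved once, at deployment time (a renewed certificate needs a redeployment to be picked up), and the deploying identity needs only ARM-level read on the secret resource, because reference() returns the URIs and never the secret value.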
There is no direct/easy way of doing this. Key Vault isn't exactly ARM-template friendly.
As juunas proposed, you can write a script or use the custom script extension to pull that data directly from Key Vault using managed service identity, for example.