Coder Perfect

Azure Bicep makes advantage of key vaults from several resource groups.


I have a shared secret and a certificate in an Azure Key Vault (KV) that needs to be pulled into different deployments.

E.g. DEV, TEST, UAT, Production all have their own key vaults BUT need access to the shared KV for wild card ssl cert.

I’ve tried a few different ways, but they all have flaws. I’m doing something similar with KV in the deployment resource group, and it’s working fine.

Is it feasible to have this as a module and then use it? Something along these lines…


var kvResourceGroup = 'project-shared-rg'
var subscriptionId = subscription().id
var name = 'project-shared-kv'

resource project_shared_kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: name
  scope: resourceGroup(subscriptionId, kvResourceGroup )

Then there’s something like template.bicep.

module shared_kv './sharedKeyVault/template.bicep' = {
 name: 'sharedKeyVault'

resource add_secrect 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  name: '${}/mySecretKey'
  properties: {
    contentType: 'string'
    value: 'secretValue'
    attributes: {
      enabled: true

Asked by user3067684

Solution #1

If you need to target a different resourceGroup (and/or sub) than the rest of the deployment, you must use the module’s scope attribute to do so.

module shared_kv './sharedKeyVault/template.bicep' = {
  scope: resourceGroup(kvSubscription, kvResourceGroupName)
  name: 'sharedKeyVault'
  params: {
    subId: kvSubscription
    rg: kvResourceGroupName

The KV sub/rg should ideally be provided into the module rather than hardcoded (which you probably knew, but just in case…)

Answered by bmoore-msft

Post is based on