Problem
I looked into it but couldn’t come up with a viable or useful answer.
I’m using Bicep to set up a storage account. This works good, but I’m wanting to get the storage account connection string and store it in an Azure key vault as a secret.
I’ve got the following code so far.
param tenantCode array = [
'dsec'
]
param storageAccounts string = 'sthrideveur'
resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [ for tenantcode in tenantCode :{
name: 'stnmeur${tenantcode}'
location: 'westeurope'
sku: {
name: 'Standard_RAGRS'
}
kind: 'StorageV2'
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
keySource: 'Microsoft.Storage'
}
accessTier: 'Cool'
}
}]
resource devkeyvault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name : 'keyvayltname'
}
I discovered this code, but it comes with no explanation and does not function for me.
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: last(split(keyVaultId, '/'))
resource storageSecret 'secrets' = {
name: 'StorageAccount-ConnectionString'
properties: {
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${listKeys(storageAccount.id, storageAccount.apiVersion).keys[1].value}'
}
}
}
If this is possible, could someone perhaps explain how to do it? Thank you so much for your assistance.
UPDATE:
As a result, I made the following changes to my code:
param tenantCode array = [
'dsec'
]
var storageName = [for item in tenantCode :{
name: string('sthrideveur${item}')
}]
var connectionStringSecretName = [for n in storageName :{
name: '${n.name}'
}]
resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [ for name in storageName :{
name: '${name.name}'
location: 'westeurope'
sku: {
name: 'Standard_RAGRS'
}
kind: 'StorageV2'
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
keySource: 'Microsoft.Storage'
}
accessTier: 'Cool'
}
}]
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name : 'XXXX'
}
// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
name: '${connectionStringSecretName[0].name}'
properties: {
value: 'DefaultEndpointsProtocol=https;AccountName=${storage_Accounts[0]};AccountKey=${listKeys('${storage_Accounts[0].id}', '${storage_Accounts[0].apiVersion}').keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
}
However, when I execute the template, I receive the following problem.
InvalidTemplate - Deployment template validation failed: 'The template resource 'sthrideveurdsec' for type 'Microsoft.KeyVault/vaults/secrets' at line '1' and column '1378' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'.
I notice that the name is accurate in the error, but I’m not sure what I’m doing wrong with the segment length.
Asked by Nayden Van
Solution #1
Make sure the Azure Resource Manager for template deployment option is enabled in the key vault:
If networking is enabled on key vault, make sure the Allow trusted Microsoft services to circumvent this firewall checkbox is checked:
The person or service principal who deploys the bicep file must also have access to the key vault to create secrets.
The storage connectionstring can then be added as follows:
param storageAccountName string
...
param keyVaultName string
param connectionStringSecretName string = '${storageAccountName}-connectionstring'
// Create storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
name: storageAccountName
...
}
// Get reference to KV
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: keyVaultName
}
// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
name: '${keyVault.name}/${connectionStringSecretName}'
properties: {
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${listKeys(storageAccount.id, storageAccount.apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
}
You could do something like this if you’re using an array:
param storageAccountNames array
...
param keyVaultName string
// Create storage accounts
resource storageAccounts 'Microsoft.Storage/storageAccounts@2019-06-01' = [ for name in storageAccountNames :{
name: name
...
}]
// Get reference to KV
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: keyVaultName
}
// Store the connectionstrings in KV if specified
resource storageAccountConnectionStrings 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [ for (name, i) in storageAccountNames :{
name: '${keyVault.name}/${name}-connectionstring'
properties: {
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccounts[i].name};AccountKey=${listKeys(storageAccounts[i].id, storageAccounts[i].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
}]
Answered by Thomas
Post is based on https://stackoverflow.com/questions/69651039/bicep-pass-storage-account-connection-string-to-key-vault-secret