Coder Perfect

In Bicep, how can I reference an existing certificate resource?


I have a certificate in Key Vault that I’d like to use as a reference in my bicep template.

resource prodCertificate 'Microsoft.Web/certificates@2020-12-01' existing = {
  name: 'my-custom-certificate-name/123809dsfj2jf09j32123123'
  scope: resourceGroup('certificateResourceGroup')

The current bicep template will run in the appServiceResourceGroup resource group, while the key vault will run in the certificateResourceGroup resource group.

Bicep complains because there should not be a slash in the name, therefore the above doesn’t function.

I receive an error if I only type in my-custom-certificate-name.

  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details.",
  "details": [
      "code": "ResourceNotFound",
      "message": "The Resource 'Microsoft.Web/certificates/my-custom-certificate-name' under resource group 'certificateResourceGroup' was not found. For more details please go to"

Asked by SamIAm

Solution #1

I tested the same scenario as you, namely, importing a certificate from a resource group’s keyvault to an App service in another resource group.

I did it with the following code:

param name string
param location string = resourceGroup().location
param keyvaultid string
param certificatesecretname string
param pass string
param exisitingappplanresourceid string
resource prodCertificate 'Microsoft.Web/certificates@2021-02-01' = {
  name: name
  location: location
  properties: {
    keyVaultId: keyvaultid
    keyVaultSecretName: certificatesecretname
    password: pass
    serverFarmId: exisitingappplanresourceid


Existing Keyvault Certificate:

Deployments and parameters:

App service for Azure portal:

To access the keyvault, ensure sure you have Microsoft.Web Resource Provider installed. You may add the below resource provider to the access policy by navigating to Keyvault>>access policies>>add an accesspolicy and entering abfa0a7c-a6b6-4736-8310-5855508787cd in the service principal search dialog box.

You may do something like this to add the certificate from keyvault and then build a ssl binding as well:

@description('Existing App Service Plan resource id that contains the App Service being updated')
param existingServerFarmId string

@description('User friendly certificate resource name')
param certificateName string

@description('Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout for more information)')
param existingKeyVaultId string

@description('Key Vault Secret that contains a PFX certificate')
param existingKeyVaultSecretName string

@description('Existing App name to use for creating SSL binding. This App should have the hostname assigned as a custom domain')
param existingWebAppName string

@description('Custom hostname for creating SSL binding. This hostname should already be assigned to the Web App')
param hostname string

@description('Location for all resources.')
param location string = resourceGroup().location

resource certificateName_resource 'Microsoft.Web/certificates@2019-08-01' = {
  name: certificateName
  location: location
  properties: {
    keyVaultId: existingKeyVaultId
    keyVaultSecretName: existingKeyVaultSecretName
    serverFarmId: existingServerFarmId

resource existingWebAppName_resource 'Microsoft.Web/sites@2019-08-01' = {
  name: existingWebAppName
  location: location
  properties: {
    name: existingWebAppName
    hostNameSslStates: [
        name: hostname
        sslState: 'SniEnabled'
        toUpdate: true


Bicep & ARM template reference | Microsoft Docs | Microsoft.Web/certificates

Answered by AnsumanBal-MT

Post is based on