How can I get a certificate's thumbprint in an ARM template, where the certificate is stored in Azure Key Vault? The reason being I would like to dynamically get the certificate thumbprint by simply providing the name rather than hard-coding the thumbprint in the parameters file. I know with secrets, you are able to get the latest URL by using `secretUriWithVersion`, but is there an equivalent for certificate thumbprints?
It depends a bit on the resource... some resources will want the thumbprint as a "secret" some as a "cert" in keyvault... if the resource uses a secret you can use this approach:
You can pull secret info from a vault during deployment, but not keys.
That help?

bmoore-msft
- In my case, it is for the Service Fabric cluster. I am able to avoid providing the certificate URL in the parameters by using `secretUriWithVersion`, but for the certificate thumbprint, it is currently hard-coded in the parameters file. – May 06 '20 at 16:44
- Is it this property: https://github.com/Azure/azure-quickstart-templates/blob/master/service-fabric-secure-cluster-5-node-1-nodetype/azuredeploy.json#L434 ? That you could put into a value as per the link above... or if that's not it, can you point me to a sample? – bmoore-msft May 11 '20 at 20:51
- Yes, that's the one. Sorry if I'm misunderstanding, but looking at that URL again, is the suggestion to put the certificate thumbprint as its own secret and then retrieve that secret? When we renew the certificate, the thumbprint would change, and we would have to manually update that secret. If this is the suggestion, we want to avoid doing this. – May 12 '20 at 21:11
- Yes, that's the idea... if you want to 1) store your thumbprint somewhere and 2) keep that store up to date with changes - I don't know of any solution that won't require you to update it when it changes. – bmoore-msft May 13 '20 at 22:51
- This is really a hack rather than a solution. I'm sure many people would love it if there were a feature for this. As a developer, I should either be able to use the secret URL for the certificate and provide a parameter to specify that the secret is really a certificate and then use some kind of `thumbprint` property, or I should be able to use the certificate URL and simply reference it to use a `thumbprint` property. We already have `secretUriWithVersion` to get the latest version of any secret, so we should be able to do this with certificates and their properties also. – May 14 '20 at 06:29
- I think that's more of a question for Service Fabric than the template... sounds like in your scenario you want the resource to poll for changes; I'm not sure if SF will do that. Is the question more: how do I get an SF cluster to automatically update settings from a vault? – bmoore-msft May 19 '20 at 18:27
- I would say it's not a question for Service Fabric. Different Azure resources need to access the certificate thumbprint in ARM templates, such as App Services. There is the `WEBSITE_LOAD_CERTIFICATES` property (at least for Azure Functions), which can be a list of certificate thumbprints or a single certificate thumbprint. This allows finding the certificate with the given thumbprint in the certificate store. Currently there is no way to dynamically pass this. Please consider a feature to access a certificate thumbprint as a property for certificates in Azure Key Vault. – May 27 '20 at 21:32
- Please add the feedback here: https://feedback.azure.com/forums/34192--general-feedback – bmoore-msft May 28 '20 at 19:55
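The parameters-file shape the answer is pointing at (thumbprint stored as its own Key Vault secret and pulled in at deployment time), written here as an added example rather than code taken from the thread; the subscription, resource group and vault names are placeholders, and the secret name `sf-cert-thumbprint` and parameter name `certificateThumbprint` are assumed:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "certificateThumbprint": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<vault-resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "sf-cert-thumbprint"
      }
    }
  }
}
```

The template then consumes it as `[parameters('certificateThumbprint')]` in the cluster's certificate `thumbprint` property, which keeps the value out of source control; the vault must have `enabledForTemplateDeployment` set to true and the deploying identity needs the `Microsoft.KeyVault/vaults/deploy/action` permission, and, as the comments note, the secret still has to be updated whenever the certificate is renewed.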