0

I'm using Key Vault references to set secrets from key vault in app settings of App Service via ARM template as shown below:


{
  "variables": {
    "secretA": "secretA",
    "secretB": "secretB"
  },
  "resources": [
    {
      "apiVersion": "",
      "type": "Microsoft.Web/sites",
      "name": "",
      "location": "",
      "kind": "",
      "properties": {
        "serverFarmId": "",
        "clientAffinityEnabled": false,        
        "siteConfig": {},
        "httpsOnly": true        
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "resources": [
        {
            "apiVersion": "2018-02-01",
            "name": "appsettings",
            "type": "config",
            "dependsOn": [
                "[resourceId('Microsoft.Web/sites', parameters('name'))]",
                "[resourceId('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
                "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('secretA'))]",
                "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('secretB'))]"
            ],
            "properties": {
                "secretA": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretA')).secretUriWithVersion, ')')]",
                "secretB": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretB')).secretUriWithVersion, ')')]"
            }
        }
      ]
    }
  ]
}

With the above code, I see the following error:

##[error]InvalidTemplate: Deployment template validation failed: 'The template reference 'secretA' is not valid: could not find template resource or resource copy with this name.'

user989988
  • 3,006
  • 7
  • 44
  • 91

1 Answers1

3

if you want to reference an existing resource you need to supply API version:

reference(variables('secretA'), '2019-09-01').secretUriWithVersion

you can get api versions with the following:

( Get-AzResourceProvider -ProviderNamespace 'Microsoft.KeyVault' ).ResourceTypes | ft ResourceTypeName, ApiVersions
4c74356b41
  • 69,186
  • 6
  • 100
  • 141
  • Thank you - I tried: "secretA": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretA'), '2019-09-01').secretUriWithVersion, ')')]" and I'm seeing same error. – user989988 Jun 21 '20 at 01:55
  • well, you probably need to use resourceId, instead of the secret name. I have no idea what you put in those variables. – 4c74356b41 Jun 21 '20 at 07:34
  • Could you please help me understand the difference between resource id and secret name? The variables I added are secret names. – user989988 Jun 21 '20 at 08:59
  • name is a name, id is an id (its unique). every resource has an id. https://stackoverflow.com/questions/42158208/how-to-output-secret-uri-in-arm-template – 4c74356b41 Jun 21 '20 at 09:02
  • Could you please let me know what this date 2019-09-01 indicates? – user989988 Feb 02 '21 at 00:32
  • api version, obviously – 4c74356b41 Feb 02 '21 at 05:10