• Dana Epp

6 Ways to Pass Secrets to ARM Templates

I saw an interesting post from Justin Yoo on 6 Ways Passing Secrets to ARM Templates today. In the article, he provides details on six different ways that you can use to get secrets into your Azure Resource Manager templates, including:

  1. Use ARM Template Functions to Pass Values Internally

  2. Use "SecureString" to Pass Values via Parameters

  3. Integrate Azure Key Vault with ARM Templates Directly

  4. Integrate Azure Key Vault with ARM Templates Indirectly

  5. Integrate Azure Key Vault Task with Each CI/CD Pipeline

  6. Integrate Azure Key Vault with Common Library in CI/CD Pipeline

What I really liked about the post is that he breaks down the pros and cons of each method. One thing that was missing from the article is that, when using Azure DevOps for the CI/CD pipeline, you want to use a special service connector with a limited-access, application-based service principal, so that when granting access to Key Vault you really are isolating it to that process only. Managed identities are useful here.

Overall though, great article to help you understand how to pass secrets into your ARM templates. Go check it out.