Investigating the Secrets in ARM templates

Investigating the Secrets in ARM templates

Managing secrets in Azure Resource Manager (ARM) templates is crucial for securely handling sensitive information like passwords, connection strings, or API keys. Azure provides mechanisms to integrate Azure Key Vault for securely managing and referencing secrets during ARM template deployments. This can be done by passing secure values as parameters during the deployment process, ensuring sensitive data is not stored directly in the template files.

Key Concepts for Managing Secrets in ARM Templates

1. Create an Azure Key Vault to store the secrets.

2. Create a secret in the Key Vault.

3. Enable ARM access to the Key Vault for the deployment.

4. Reference secrets from the Key Vault in the parameter file.

5. Assign roles like Contributor or Owner to give access to the Key Vault.

6. Deploy the ARM template by passing in the parameter file.

Step 1: Create Key Vault and Secret Using Azure CLI/PowerShell

First, create a Key Vault where you will store your secrets, and then create a secret in that vault.

Azure CLI to Create Key Vault and Secret:

​x
1
# Variables
2
resourceGroup="myResourceGroup"
3
keyVaultName="myKeyVault"
4
secretName="mySecret"
5
secretValue="mySecretValue"
6

7
# Create Resource Group (if it doesn't exist)
8
az group create \
9
--name $resourceGroup \
10
--location eastus
11

12
# Create Key Vault
13
az keyvault create \
14
--name $keyVaultName \
15
--resource-group $resourceGroup \
16
--location eastus
17

18
# Create a secret in the Key Vault
19
az keyvault secret set \
20
--vault-name $keyVaultName \
21
--name $secretName \
22
--value $secretValue

PowerShell to Create Key Vault and Secret:

xxxxxxxxxx
22
1
# Variables
2
$resourceGroup = "myResourceGroup"
3
$keyVaultName = "myKeyVault"
4
$secretName = "mySecret"
5
$secretValue = "mySecretValue"
6

7
# Create Resource Group (if it doesn't exist)
8
New-AzResourceGroup `
9
-Name $resourceGroup `
10
-Location "East US"
11

12
# Create Key Vault
13
New-AzKeyVault `
14
-ResourceGroupName $resourceGroup `
15
-VaultName $keyVaultName `
16
-Location "East US"
17

18
# Create a secret in the Key Vault
19
Set-AzKeyVaultSecret `
20
-VaultName $keyVaultName `
21
-Name $secretName `
22
-Value $secretValue

After executing these commands, your secret will be securely stored in Azure Key Vault.

Step 2: Enable Azure Resource Manager (ARM) Access for Template Deployment

ARM templates must be able to access the secrets in the Key Vault. This requires enabling access for the ARM deployment process by assigning proper permissions to the Azure Resource Manager to read the secret from the Key Vault.

Assign a Role to Access the Key Vault:

The Contributor or Owner role should be assigned to the identity performing the deployment (typically the Managed Identity of the Azure Resource Manager).

You can assign these roles using the Azure CLI, PowerShell, or through the Azure Portal.

Azure CLI to Assign Contributor Role to Managed Identity:

xxxxxxxxxx
5
1
# Assign the "Contributor" role to the ARM service principal for the Key Vault
2
az role assignment create \
3
--assignee <your-managed-identity-client-id> \
4
--role "Contributor" \
5
--scope /subscriptions/<subscription-id>/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVaultName

PowerShell to Assign Contributor Role to Managed Identity:

xxxxxxxxxx
5
1
# Assign the "Contributor" role to the ARM service principal for the Key Vault
2
New-AzRoleAssignment `
3
-ObjectId <your-managed-identity-client-id> `
4
-RoleDefinitionName "Contributor" `
5
-Scope "/subscriptions/<subscription-id>/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVaultName"

This step ensures that the ARM template deployment process can access the secrets stored in the Key Vault.

Step 3: Reference the Key Vault Secret in the Parameter File (Not the Template)

It's best practice to store references to secrets in the parameter file rather than directly in the ARM template. This ensures that sensitive information, like passwords, is not hard-coded in your template.

Example of a Parameter File (parameters.json):

xxxxxxxxxx
25
1
{
2
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3
  "contentVersion": "1.0.0.0",
4
  "parameters": {
5
    "adminUsername": {
6
      "type": "string",
7
      "defaultValue": "adminuser",
8
      "metadata": {
9
        "description": "The admin username for the virtual machine."
10
      }
11
    },
12
    "adminPassword": {
13
      "type": "securestring",
14
      "reference": {
15
        "keyVault": {
16
          "id": "/subscriptions/<subscription-id>/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVaultName"
17
        },
18
        "secretName": "mySecret"
19
      },
20
      "metadata": {
21
        "description": "The admin password for the virtual machine, stored securely in Key Vault."
22
      }
23
    }
24
  }
25
}

In this example:

1. adminPassword is defined as a securestring.

2. The reference section specifies that the value for adminPassword should be retrieved from the Key Vault (mySecret).

3. The Key Vault ID is provided in the keyVault section.

Step 4: Enable Access to the Secret: Owner and Contributor Roles Grant Access

The Owner or Contributor roles grant permissions to access the secret, but you must ensure that the identity performing the deployment has permission to read the secret.

The Azure CLI or PowerShell is used to assign these roles to the managed identity that will deploy the ARM template. Ensure that the identity has the Secret Management permission.

Azure CLI to Assign "Reader" Role to Allow Access to Secret:

xxxxxxxxxx
5
1
# Assign "Reader" role to the managed identity to read the secret
2
az role assignment create \
3
--assignee <your-managed-identity-client-id> \
4
--role "Reader" \
5
--scope /subscriptions/<subscription-id>/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVaultName

Step 5: Deploy the Template and Pass in the Parameter File

Once the parameter file is ready, you can deploy the ARM template using the Azure CLI or Azure PowerShell, passing in the parameter file that references the secret in Key Vault.

Azure CLI Deployment:

xxxxxxxxxx
4
1
az deployment group create \
2
--resource-group $resourceGroup \
3
--template-file mainTemplate.json \
4
--parameters @parameters.json

PowerShell Deployment:

xxxxxxxxxx
4
1
New-AzResourceGroupDeployment `
2
-ResourceGroupName $resourceGroup `
3
-TemplateFile "mainTemplate.json" `
4
-TemplateParameterFile "parameters.json"

In these commands:

1. The --template-file points to the main ARM template (mainTemplate.json).

2. The --parameters or -TemplateParameterFile references the parameter file (parameters.json), which contains the reference to the secret stored in Azure Key Vault.

Summary of Steps

1. Create an Azure Key Vault and store a secret in it.

2. Enable ARM access to the Key Vault using the Contributor or Owner role.

3. Reference the Key Vault secret in the parameter file (parameters.json), not in the template.

4. Assign roles (Reader/Contributor/Owner) to grant access to the secret stored in Key Vault.

5. Deploy the ARM template using the parameter file to reference the secret during deployment.

Securing the Secrets

To ensure the security of your secrets:

1. Use Managed Identities for authentication rather than service principals or certificates.

2. Restrict access to the Key Vault using Azure policies, and enforce least-privilege access controls.

3. Use Key Vault access policies to ensure only authorized entities can read the secret.

If possible, consider enabling Key Vault firewall rules to restrict access to trusted networks and applications.

By following these practices, you can manage secrets securely and effectively during the deployment of Azure resources using ARM templates.