Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, certificates, and other secrets. This quickstart focuses on the process of deploying a Bicep file to create a key vault and a secret.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
Prerequisites
- If you don't have an Azure subscription, create a free account before you begin.
Review the Bicep file
The template used in this quickstart is from Azure Quickstart Templates.
@description('Specifies the name of the key vault.')
param keyVaultName string

@description('Specifies the Azure location where the key vault should be created.')
param location string = resourceGroup().location

@description('Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.')
param enabledForDeployment bool = false

@description('Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.')
param enabledForDiskEncryption bool = false

@description('Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
param enabledForTemplateDeployment bool = false

@description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.')
param tenantId string = subscription().tenantId

@description('Specifies whether the key vault is a standard vault or a premium vault.')
@allowed([
  'standard'
  'premium'
])
param skuName string = 'standard'

@description('Specifies all secrets {"secretName":"","secretValue":""} wrapped in a secure object.')
@secure()
param secretsObject object

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForDeployment: enabledForDeployment
    enabledForTemplateDeployment: enabledForTemplateDeployment
    enabledForDiskEncryption: enabledForDiskEncryption
    enableRbacAuthorization: true
    tenantId: tenantId
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    sku: {
      name: skuName
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
  }
}

resource secrets 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = [for secret in secretsObject.secrets: {
  name: secret.secretName
  parent: kv
  properties: {
    value: secret.secretValue
  }
}]

output location string = location
output name string = kv.name
output resourceGroupName string = resourceGroup().name
output resourceId string = kv.id
Two Azure resources are defined in the Bicep file:
- Microsoft.KeyVault/vaults: create an Azure key vault with Azure RBAC authorization enabled (enableRbacAuthorization: true).
- Microsoft.KeyVault/vaults/secrets: create one or more key vault secrets, iterating over the secretsObject.secrets array.
Deploy the Bicep file
Save the Bicep file as main.bicep to your local computer.
Create a parameters file (for example, main.parameters.json) that supplies the secretsObject value:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "value": "<vault-name>"
    },
    "secretsObject": {
      "value": {
        "secrets": [
          {
            "secretName": "adminpassword",
            "secretValue": "<your-secret-value>"
          }
        ]
      }
    }
  }
}
Deploy the Bicep file by using either the Azure CLI or Azure PowerShell.
az group create --name myResourceGroup --location eastus
az deployment group create --resource-group myResourceGroup --template-file main.bicep --parameters @main.parameters.json
Note
Replace <vault-name> with the name of the key vault, which must be globally unique within the vault.azure.net namespace. Replace <your-secret-value> with the secret value to store. Because secretsObject is declared as a secure object, its value isn't logged or echoed back.
When the deployment finishes, you should see a message indicating the deployment succeeded.
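The parameters file holds the secret values in clear text, so it should be generated at deployment time rather than committed. The following script is an added example (not part of the quickstart or the Azure Quickstart Templates content): it validates the vault name against the documented Key Vault naming rules, reads each secret value from an environment variable following this example's own KV_SECRET_<NAME> convention, and writes main.parameters.json in the shape the Bicep file above expects, readable only by the current user. The helper names are this example's own.

```python
"""Generate main.parameters.json for the quickstart Bicep file from environment
variables. Added example; helper names and the KV_SECRET_* convention are assumptions."""
from __future__ import annotations
import json
import os
import re
import stat

# Documented Azure naming rules for vaults: 3-24 characters, letters, digits and
# hyphens, must start with a letter, end with a letter or digit, no consecutive hyphens.
_VAULT_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9]|-(?!-))*[A-Za-z0-9]$")
# Secret names: 1-127 characters, letters, digits and hyphens.
_SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")


def validate_vault_name(name: str) -> bool:
    """True if `name` satisfies the vault naming rules (global uniqueness aside)."""
    return 3 <= len(name) <= 24 and _VAULT_NAME_RE.match(name) is not None


def secrets_from_env(names: list[str], env: dict | None = None) -> dict[str, str]:
    """Read each secret's value from KV_SECRET_<NAME> (upper-cased, hyphens -> underscores).

    `env` defaults to os.environ; it is a parameter so the function can be exercised
    without touching the real process environment."""
    env = os.environ if env is None else env
    out: dict[str, str] = {}
    for name in names:
        if not _SECRET_NAME_RE.match(name):
            raise ValueError(f"invalid secret name: {name!r}")
        var = "KV_SECRET_" + name.upper().replace("-", "_")
        if not env.get(var):
            raise KeyError(f"environment variable {var} is not set")
        out[name] = env[var]
    return out


def build_parameters(vault_name: str, secrets: dict[str, str]) -> dict:
    """Return the deployment parameters document the Bicep file expects."""
    if not validate_vault_name(vault_name):
        raise ValueError(f"invalid key vault name: {vault_name!r}")
    if not secrets:
        raise ValueError("secretsObject.secrets must contain at least one secret")
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "keyVaultName": {"value": vault_name},
            "secretsObject": {
                "value": {
                    "secrets": [
                        {"secretName": n, "secretValue": v} for n, v in secrets.items()
                    ]
                }
            },
        },
    }


def write_parameters_file(path: str, params: dict) -> None:
    """Write the file with mode 0600, since it contains secret values in clear text."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        json.dump(params, f, indent=2)


if __name__ == "__main__":
    # Example invocation: KV_SECRET_ADMINPASSWORD='...' python build_params.py
    # (the vault name below is a constructed sample, not a real vault)
    params = build_parameters("kv-demo-01", secrets_from_env(["adminpassword"]))
    write_parameters_file("main.parameters.json", params)
    print("wrote main.parameters.json with",
          len(params["parameters"]["secretsObject"]["value"]["secrets"]), "secret(s)")
```

Run it immediately before `az deployment group create` and delete main.parameters.json afterwards; the secure parameter still reaches Azure Resource Manager, which does not echo it back, but the local file is the part the template cannot protect.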
Assign a Key Vault RBAC role
The key vault created by this Bicep file uses Azure RBAC for authorization. To access secrets through the data plane (for example, by using the Azure CLI or Azure PowerShell), you need to assign yourself an appropriate role.
echo "Enter your key vault name:" &&
read keyVaultName &&
az role assignment create --role "Key Vault Secrets Officer" \
  --assignee-object-id "$(az ad signed-in-user show --query id -o tsv)" \
  --scope "$(az keyvault show --name "$keyVaultName" --query id -o tsv)"
Note
Role assignments might take a minute or two to propagate.
Review deployed resources
You can either use the Azure portal to check the key vault and the secret, or use the following Azure CLI or Azure PowerShell script to list the secret created.
echo "Enter your key vault name:" &&
read keyVaultName &&
az keyvault secret list --vault-name "$keyVaultName" &&
echo "Press [ENTER] to continue ..."
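Beyond listing the secret, it is worth confirming that the vault came out with the protections the template declares (RBAC authorization, soft delete with 90-day retention, purge protection) and noting what it does not harden (networkAcls.defaultAction is 'Allow', so the vault accepts requests from any network, gated only by authorization). The script below is an added example, not part of the quickstart: it audits the JSON that `az keyvault show --name <vault>` and `az keyvault secret list --vault-name <vault>` print. The two samples are constructed to mirror that output shape and are not captured from a real subscription; the function names are this example's own.

```python
"""Audit a deployed vault against the settings in the quickstart Bicep file.
Added example. SAMPLE_* strings are constructed, not real CLI output."""
from __future__ import annotations
import json

# Constructed sample in the shape of `az keyvault show` output (ARM resource JSON).
SAMPLE_VAULT_JSON = """
{
  "id": "/subscriptions/<sub-id>/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kv-demo-01",
  "name": "kv-demo-01",
  "location": "eastus",
  "properties": {
    "enableRbacAuthorization": true,
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enablePurgeProtection": true,
    "tenantId": "<tenant-id>",
    "sku": {"family": "A", "name": "standard"},
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}
  }
}
"""

# Constructed sample in the shape of `az keyvault secret list` output.
SAMPLE_SECRETS_JSON = """
[
  {"id": "https://kv-demo-01.vault.azure.net/secrets/adminpassword",
   "name": "adminpassword",
   "attributes": {"enabled": true, "expires": null}}
]
"""


def check_vault(vault: dict) -> list[str]:
    """Return findings for vault properties that fall short of the template's settings."""
    props = vault.get("properties", {})
    findings = []
    if props.get("enableRbacAuthorization") is not True:
        findings.append("enableRbacAuthorization is not true: vault uses access policies")
    if props.get("enableSoftDelete") is not True:
        findings.append("soft delete is disabled")
    retention = props.get("softDeleteRetentionInDays") or 0
    if retention < 90:
        findings.append(f"soft-delete retention is {retention} days, below the template's 90")
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection is disabled")
    # The quickstart template sets defaultAction 'Allow'; flag it so it is a conscious choice.
    if props.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny: vault is reachable from any network")
    return findings


def check_secrets(secrets: list[dict]) -> list[str]:
    """Return findings for secrets that are disabled or carry no expiry date."""
    findings = []
    for s in secrets:
        attrs = s.get("attributes", {})
        name = s.get("name", "<unnamed>")
        if attrs.get("enabled") is not True:
            findings.append(f"secret {name} is disabled")
        if attrs.get("expires") is None:
            findings.append(f"secret {name} has no expiry date")
    return findings


def audit(vault_json: str, secrets_json: str) -> list[str]:
    """Parse both CLI outputs and return the combined list of findings."""
    return check_vault(json.loads(vault_json)) + check_secrets(json.loads(secrets_json))


if __name__ == "__main__":
    # Real use: az keyvault show --name "$keyVaultName" > vault.json, etc., then load the files.
    for finding in audit(SAMPLE_VAULT_JSON, SAMPLE_SECRETS_JSON):
        print("FINDING:", finding)
```

Against the sample the vault itself passes every check the template controls, and the two findings are the open network default and the secret with no expiry date, which is what the quickstart deploys.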
Clean up resources
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.
az group delete --name myResourceGroup
Note
Deleting the resource group also deletes the key vault, but the vault then enters a soft-deleted state and remains recoverable for the retention period (90 days by default). The vault name remains reserved globally during that period, and because purge protection is enabled, the vault can't be purged early. For standard key vaults, soft-deleted vaults don't incur charges. For more information, see Key Vault soft-delete overview.
Next steps
In this quickstart, you created a key vault and a secret using Bicep and then validated the deployment. To learn more about Key Vault and Bicep, continue on to the articles below.
- Read an Overview of Azure Key Vault
- Learn more about Bicep
- Review the Key Vault security overview