
Could you clarify in this document if using @Secure in bicep template means you cannot use a bicepparam file? #121108

Open
electronicpost opened this issue Mar 26, 2024 · 6 comments


@electronicpost

This document doesn't reference parameter files, specifically bicepparam. JSON parameter files do not care if parameters are missing and will just prompt for them at deployment. However, a bicepparam file complains if a parameter is missing; there doesn't seem to be a way to handle deploying a keyvault and inputting secrets as part of the deployment.

Once they are in the keyvault I can see if there is a function to reference them for other deployment uses, but I am specifically referring to when you create a keyvault and also create some secrets within it.

Thanks
Mick



@AjayBathini-MSFT
Contributor

@electronicpost
Thanks for your feedback! We will investigate and update as appropriate.

@SaibabaBalapur-MSFT
Contributor

@electronicpost
I'm going to assign this to the document author so they can take a look at it accordingly.

@msmbaldwin
please review it.

@mumian
Contributor

mumian commented Jun 4, 2024

@alex-frankel - Do you have any suggestions for this situation?

@alex-frankel
Contributor

@stephaniezyen - can you take a look?

@electronicpost can you also share some more details about the bicep code you are looking to write? It is possible to provide a keyvault reference for an @secure() param in bicepparams.

@electronicpost
Author

electronicpost commented Jun 4, 2024

Do you have a simple example? I'm assuming there is a method so the secure param is not in plain text somewhere.

I've not yet used bicepparam (over JSON); just when I initially tested (as mentioned) it would not validate the deployment whilst a parameter was missing from it. As mentioned, with JSON you get prompted to type in the missing value, and if it is secure it also hides the input (like a password entry).

@electronicpost
Author

electronicpost commented Jun 4, 2024

So this is an extract from a deployment for the key vault, secrets and private endpoint...

targetScope = 'resourceGroup'
param location string = resourceGroup().location

@description('General Naming Parameters')
param numSuffix string
param uniqueStr string = uniqueString(resourceGroup().name)
param defaultNameSuffix string = '${uniqueStr}-${numSuffix}'

// Referenced by networkAcls below but not declared in the posted extract; declaration assumed here.
param ipRules array = []

@description('KeyVault Secrets')
@secure()
param SpClientId string
@secure()
param SpTenantId string
@secure()
param SpSecret string
@secure()
param mtsApiKey string

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'kv-${defaultNameSuffix}'
  location: location
  properties: {
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    enablePurgeProtection: true
    enableRbacAuthorization: true
    enableSoftDelete: true
    softDeleteRetentionInDays: 7
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      ipRules: ipRules
    }
  }
}

output keyVaultResourceId string = keyVault.id
output keyVaultUri string = keyVault.properties.vaultUri

resource secSpClientId 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  name: 'SpClientId'
  parent: keyVault
  properties: {
    value: SpClientId
  }
}

resource secSpTenantId 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  name: 'SpTenantId'
  parent: keyVault
  properties: {
    value: SpTenantId
  }
}

resource secSpSecret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  name: 'SpSecret'
  parent: keyVault
  properties: {
    value: SpSecret
  }
}

resource secApiKey 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  name: 'apiKey'
  parent: keyVault
  properties: {
    value: mtsApiKey
  }
}

module kvPrivateEndpoint '../../modules/generic-private-endpoint.bicep' = {
  dependsOn: [
    monitoringVnet
  ]
  name: 'kv-pvt-endpoint'
  params: {
    location: location
    nameSuffix: keyVault.name
    peGroups: ['vault']
    plsId: keyVault.id
    snetId: monitoringVnet.outputs.snetMainId
  }
}

I leave the 4 secrets out of the JSON parameters file, this then allows them to be prompted when the deployment is submitted.

Hope this helps.

Mick
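An added example of how a .bicepparam file can supply the four @secure() parameters of the template above without writing them into the file as plain text; this is not code from the thread or from the Bicep documentation. It assumes the extract is saved as main.bicep, that the environment variable names shown are exported in the deploying shell, and that the subscription, resource group and vault used for the az.getSecret reference are placeholders; secrets that the same deployment creates cannot be fetched from the vault it is about to create, so those come from the environment instead.

```bicep
// Added example, not part of the issue thread.
// Assumes the template extract above is saved as main.bicep.
using './main.bicep'

param numSuffix = '01'

// Secrets that this deployment *creates* in the new vault cannot be
// referenced from that vault yet, so they are read from the shell
// environment at build time instead of being stored as literals here.
// Environment variable names are assumptions.
param SpClientId = readEnvironmentVariable('SP_CLIENT_ID')
param SpTenantId = readEnvironmentVariable('SP_TENANT_ID')
param SpSecret = readEnvironmentVariable('SP_SECRET')

// A secret that already exists in a different vault can be supplied as a
// Key Vault reference. az.getSecret is only permitted for parameters the
// template declares with @secure(), so the value is resolved by ARM at
// deployment time and never lands in the parameter file or deployment history.
// Subscription ID, resource group and vault name below are placeholders.
param mtsApiKey = az.getSecret(
  '00000000-0000-0000-0000-000000000000',
  'rg-shared-secrets',
  'kv-shared',
  'mtsApiKey'
)
```

The file is passed with `az deployment group create --resource-group <rg> --parameters main.bicepparam`; because every parameter without a default must be present, this is also the spot where a missing @secure() value is reported rather than prompted for.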
