Fetch secret from existing kv using msi #3618
Hi

```bicep
// Name of the existing vault (parameter declared here so the snippet is complete)
param kvName string

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: kvName
  scope: resourceGroup(subscription().subscriptionId, resourceGroup().name)
}

module getKv '../secrets/kv.bicep' = {
  name: 'kvfetch'
  params: {
    myPassword: kv.getSecret('wintenstorage')
  }
}
```

thanks
Only a few specific resources, e.g. Application Gateway, support this; however, those have implemented it on the Application Gateway itself, since it can be assigned a System or User Assigned Managed Identity, which is delegated Certs/Secrets/Get via RBAC or an Access Policy to the Key Vault to pull a certificate etc.

Currently the only way to access secrets via a 'Deployment' is with parameters, which will have the `@secure()` decorator, e.g. what you have in your kv.bicep module file:

```bicep
@secure()
param myPassword string
```

However, that will be accessed under the permissions of the account that runs the Deployment. It should just need RBAC or an Access Policy assigned to get secrets, plus action:

The account that is running the deployment could be either a User, a Service Principal or a Managed Identity that is logged into the AZ CLI or AZ PowerShell. However, there is no way to deploy as the user, then access the vault via a different context, such as a Managed Identity.
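The two access models described in the answer, written out as an added example (this is not code from the discussion or from the Bicep project). Pattern 1 is the deployment-time path: `getSecret()` on an existing vault fills a module parameter marked `@secure()`, so the identity running the deployment is what needs `secrets/get` on the vault. Pattern 2 is the Application Gateway model: a user-assigned managed identity gets a vault-scoped RBAC role assignment so the resource itself reads the secret at runtime, with no secret passing through the deployment. Two files are shown in one block, separated by comment headers; the file paths, the `secretName` default, the identity and container names, and the container-instance consumer are all assumptions, and the example assumes the vault uses RBAC authorization (the built-in "Key Vault Secrets User" role ID is the documented one, but verify it against your tenant).

```bicep
// ---- File: main.bicep (added example) ----
param kvName string
param secretName string = 'wintenstorage'   // assumed secret name, taken from the question
param location string = resourceGroup().location

// The vault already exists in this resource group; we only reference it.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: kvName
}

// Pattern 1: read at deployment time under the deployer's identity.
// getSecret() may only be used to fill a module parameter decorated @secure(),
// and the deployer needs secrets/get (RBAC role or access policy) on the vault.
module consumer './secrets/kv.bicep' = {
  name: 'kvfetch'
  params: {
    myPassword: kv.getSecret(secretName)
    containerGroupName: 'cg-kv-example'   // hypothetical name
    location: location
  }
}

// Pattern 2: let a runtime identity pull the secret itself, scoped to this vault only.
resource reader 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-kv-reader'   // hypothetical name
  location: location
}

// Built-in role "Key Vault Secrets User" (data-plane get/list on secrets).
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, reader.id, keyVaultSecretsUserRoleId)   // deterministic, idempotent name
  scope: kv                                                 // least privilege: this vault, not the RG
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: reader.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output readerIdentityId string = reader.id

// ---- File: secrets/kv.bicep (added example) ----
// The secret arrives as a secure parameter: it is not written to deployment
// history or shown in the portal, and Bicep refuses to emit it in outputs.
@secure()
param myPassword string
param containerGroupName string
param location string

// Hypothetical consumer: a container instance that receives the value as a
// secureValue environment variable, which is not returned by ARM reads.
resource app 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {
  name: containerGroupName
  location: location
  properties: {
    osType: 'Linux'
    restartPolicy: 'Never'
    containers: [
      {
        name: 'app'
        properties: {
          image: 'mcr.microsoft.com/azuredocs/aci-helloworld'
          resources: {
            requests: {
              cpu: 1
              memoryInGB: 1
            }
          }
          environmentVariables: [
            {
              name: 'STORAGE_PASSWORD'
              secureValue: myPassword
            }
          ]
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <rg> -f main.bicep -p kvName=<vault>`; if the deploying principal lacks `secrets/get`, Pattern 1 fails at the `getSecret()` reference before any resource is created, which is the behaviour the answer describes.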