There are many cases that we need to retrieve access keys and/or endpoints of Azure resources, as soon as they are deployed through ARM templates. Typical uses cases are:
outputs
section of ARM templates,outputs
section of nested ARM templates from their parent template,Due to the nature of individual Azure resources, populating those keys through ARM template outputs
section is not that easy. Rather it’s a bit tricky and not well documented. In this post, I’m going to list up how to get those keys and endpoints using ARM template functions.
NOTE: This is not a complete list, but the list contains ones quite frequently used. Therefore, if any of you know something not on the list, please let us know.
Azure Application Insights has an instrumentation key for other Azure resources to use. After it is deployed, the instrumentation key is found under its properties. Therefore, we need to use the reference()
function.
Here’s a sample ARM template to see the outputs
section:
Once Azure Cosmos DB instance is deployed, we might need to get at least three values – endpoint, access key and connection string. In order to get the endpoint details, the reference()
function provides it, which is not that hard. But fetching the access keys are not that easy.
In order to identify available resource functions, simply run the following Azure PowerShell cmdlet. It will show several operations that we can utilise in the outputs
section of ARM templates.
It returns two operations – listKeys
and listConnectionStrings
, which are corresponding to the resource functions of listKeys()
and listConnectionStrings()
. The listKeys()
function returns the access key. However, the other function, listConnectionStrings()
returns nothing. Apparently it has not been implemented yet. Therefore, in order to get the connection string, we should use the concat()
function to make-up the connection string. If we want to know the object structure that listKeys()
function returns, simply run the following Azure PowerShell cmdlet:
The listKeys()
function returns primaryMasterKey
and secondaryMasterKey
.
With this information, we can implement the outputs
section like this:
For Azure Service Bus, we can apply a similar approach to Azure Cosmos DB. In order to pull the endpoint, we can simply use the reference()
function, which is the same as Azure Cosmos DB. However, getting the access keys and connection strings is different. Let’s have a look.
In order to identify available resource functions, simply run the following Azure PowerShell cmdlet. It will show several operations that we can utilise in the outputs
section of ARM templates.
It returns one operation, listKeys
, in three different providers – Service Bus itself, Service Bus Queue and Service Bus Topic. We’re interested in the root one for now. If we want to know the object structure that listKeys()
function returns, simply run the following Azure PowerShell cmdlet:
Unlike Azure Cosmos DB, the listKeys()
function for Azure Service Bus doesn’t only return access key (primaryKey
), but also returns connection strings (primaryConnectionString
).
With this information, we can implement the outputs
section like this:
Azure Storage Account is similar to Azure Cosmos DB, in terms of providing the result after ARM template deployment – it provides only access keys through the listKeys()
function when it’s deployed, not the connection string. Therefore, we should make this up using the concat()
function.
In order to identify available resource functions, simply run the following Azure PowerShell cmdlet. It will show several operations that we can utilise in the outputs
section of ARM templates.
It returns three operation, listKeys
, listAccountSas
and listServiceSas
, but we only use the listKeys
operation for now. If we want to know the object structure that listKeys()
function returns, simply run the following Azure PowerShell cmdlet:
The listKeys()
function returns keys
as an array value.
With this information, we can implement the outputs
section like this:
In my previous post, Dynamic Access to Azure Functions Keys without KUDU Dependencies, we had walked through Azure REST API to get function keys from an Azure Functions app. In fact, we can also get those individual function keys through the ARM template’s outputs
section. By the way, this approach has a restriction. This can only access to individual function keys, not host key nor master key.
In order to identify available resource functions, simply run the following Azure PowerShell cmdlet. It will show several operations that we can utilise in the outputs
section of ARM templates.
It returns one operation, listSecrets
. As mentioned above, this requires individual function names to get their respective keys. If we want to know the object structure that listSecrets()
function returns, simply run the following Azure PowerShell cmdlet:
The listSecrets()
function returns key
property.
NOTE: We need to specify the API version to run this cmdlet, even though it’s an optional parameter; otherwise it will throw an error.
With this information, we can implement the outputs
section like this:
When an Azure Logic Apps instance is deployed, the instance has an endpoint URL. However, we only knows when it is created. In addition to this, the endpoint URL comes with a SAS token, which we have no idea how it’s generated. Therefore, we need to identify those values. Make sure that we only get the endpoint URL, if the Logic App instance is an HTTP trigger.
In order to identify available resource functions, simply run the following Azure PowerShell cmdlet. It will show several operations that we can utilise in the outputs
section of ARM templates.
It returns the listCallbackUrl
operation. If we want to know the object structure that listCallbackUrl()
function returns, simply run the following Azure PowerShell cmdlet:
The listCallbackUrl()
function returns value
, basePath
and queries
properties.
NOTE: We need to specify the API version to run this cmdlet, even though it’s an optional parameter; otherwise it will throw an error.
With this information, we can implement the outputs
section like this:
So far, we have identified how we can utilise the outputs
sections of ARM templates using various template functions. As we can see above, Each Azure resource has all different implementations to get keys, endpoints and connection strings. Some are directly using the reference()
function, the others are using either listKeys()
or listWhatever()
functions to get those values. Even worse, the object returned by listKeys()
or listWhatever()
has all different structure. Having a different structure is fine for each Azure resource, but they could have been documented in a better way. I hope this post would help figure out how to utilise the outputs
section with more ease.
This has been cross-posted to Dev Kimchi.