I'm using an Azure DevOps pipeline to deploy a Data Factory to various environments, using DevOps' ARM Template deployment task. This is where you specify a path to your ARMTemplateForFactory.json and ARMTemplateParametersForFactory.json and override template parameters accordingly.

My Data Factory has an Azure Function linked service. The Function App Url is automatically included as an ARM Template parameter such as MyFunctions_properties_typeProperties_functionAppUrl and I'm able to override it successfully. I'm also able to override the KeyVault url to my linked service KeyVault (these are both automatically included in ARMTemplateParametersForFactory.json). However, I also need to override the function key using a secret from my KeyVault, as seen in the ADF UI here:

How can I add this as an overridable ARM Template parameter, such that I can specify my secret name in DevOps as in this example below?

I've reviewed this guide for parameterizing linked services, but this makes no mention of how to set the parameter value from a DevOps ARM template task: https://learn.microsoft.com/en-us/azure/data-factory/parameterize-linked-services?tabs=data-factory

I've tried adding a linked service parameter as described @(linkedservice().myParamName but this doesn't get added to the ARMTemplateParametersForFactory.json. Can I add it manually? What format would it follow?

I do know how, and am able to set an override for an ADF global parameter from the ARM template task, but it seems you can't use a global parameter in a linked service field... pipeline().globalParameters.myParamName is not a valid value to enter in the "Secret name" field.

I've also referenced https://learn.microsoft.com/en-us/azure/data-factory/continuous-integration-delivery-resource-manager-custom-parameters which suggests ways to customize the parameterization template, including this quote about parameterizing Linked Services:

The property secretAccessKey happens to be an AzureKeyVaultSecret (for example, in an Amazon S3 linked service). It's automatically parameterized as an Azure Key Vault secret and fetched from the configured key vault. You can also parameterize the key vault itself.

...but no specific example of how to actually do this.

How can I parameterize an Azure Function Linked Service's function key via KeyVault secret in my ARM Template deployment?

  • Is there a reason the secret name needs to be different across deployments? Usually see the secret name being the same as a scalable approach. Alternatively open up the ARMTemplateForFactory.json and confirm that the value is present to be overwritten. If it isn't in there it would need to be exposed before being able to accept an override. Commented May 24, 2023 at 16:54
  • Good question - in fact that's how I've had to work around this for now: the secret name is the same in each key vault, and I just have to override the vault url. One could argue this is actually preferred. But given that it seems we should be able to override this, I'd still like to know how if anyone has an answer. Commented May 25, 2023 at 17:31

1 Answer

This desired behavior is possible leveraging the manual adding of the Key Vault URL via the secret identifier.

This URL will append the specific version of the secret; however, if you remove this after the endpoint it will get the latest version.

Here is how it is configured in my Key Vault:

Then to confirm how this is configured in the parameters this is what the ARM template is expecting:

    "AzureKeyVault1_properties_typeProperties_baseUrl": {
        "type": "string",
        "defaultValue": "https://kv-comsosfeed-dev-eus.vault.azure.net/secrets/test"
    }

Thus the parameter value passed into this, either via override or defined separately in the parameters file, would be the complete URL of the secret. This would allow for secret names to be different across environments. The caveat is this will increase the number of parameters with this approach, i.e. multiple secrets in the same Key Vault would require a parameter for each Linked Service, and there is the hard limit of 256.
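A pre-deployment check for the approach in the answer above, added here as an example and not part of the original post: it scans an ARM parameters object for Key Vault secret identifiers, flags any that still point at another environment's vault or are pinned to a version, and checks the 256-parameter limit. The vault hostnames, the second parameter name, the factory name and the version string are constructed sample values.

```python
import json
from urllib.parse import urlparse

ARM_PARAMETER_LIMIT = 256  # per-template limit cited in the answer

def parse_secret_url(value):
    """Split https://<vault>/secrets/<name>[/<version>] into (host, name, version).

    Returns None for anything else; version is None for a versionless identifier.
    """
    if not isinstance(value, str):
        return None
    url = urlparse(value)
    parts = [p for p in url.path.split("/") if p]
    if url.scheme != "https" or not url.hostname:
        return None
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        return None
    return url.hostname, parts[1], (parts[2] if len(parts) == 3 else None)

def audit_parameters(parameters, expected_vault_host):
    """Return findings for an ARM 'parameters' object bound for one environment."""
    findings = []
    if len(parameters) > ARM_PARAMETER_LIMIT:
        findings.append(f"{len(parameters)} parameters exceed the limit of {ARM_PARAMETER_LIMIT}")
    for name, spec in parameters.items():
        secret = parse_secret_url(spec.get("value", spec.get("defaultValue")))
        if secret is None:
            continue
        host, _, version = secret
        if host != expected_vault_host:  # override missed: default from another environment
            findings.append(f"{name}: points at {host}, not {expected_vault_host}")
        if version is not None:  # versioned identifier never resolves to the latest secret
            findings.append(f"{name}: pinned to version {version}, will not follow rotation")
    return findings

# Constructed sample: the second parameter still carries a dev value with a pinned version.
SAMPLE = json.loads("""{
  "AzureKeyVault1_properties_typeProperties_baseUrl":
    {"value": "https://kv-example-prod.vault.azure.net/secrets/function-key"},
  "AzureKeyVault2_properties_typeProperties_baseUrl":
    {"value": "https://kv-example-dev.vault.azure.net/secrets/test/0123456789abcdef0123456789abcdef"},
  "factoryName": {"value": "adf-example-prod"}
}""")

if __name__ == "__main__":
    for finding in audit_parameters(SAMPLE, "kv-example-prod.vault.azure.net"):
        print(finding)
```

Run it against the parameters actually passed to the deployment task for each environment, so a missed override fails the pipeline before the factory is deployed.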
