How to deploy an Azure VM using an ARM template when the password is in Key Vault!

We are going to deploy a VM using an ARM template. The interesting part of this exercise is that the credential for this VM is stored in Azure Key Vault, and the deployment will reference it directly from there.

ARM templates are a mechanism to declare the objects you want to create in Azure Cloud in JSON format. ARM templates are what really give Azure its “Infrastructure as code” ability. You can keep these templates in source control and manage them like any other code file.

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.

Prerequisites:

  1. A working Azure Cloud account.
  2. Knowledge and a basic understanding of Azure Cloud and ARM template deployment.
  3. A VNet and subnet in which the VM will be deployed, or you can use ARM to deploy all of this at once.
  4. A Key Vault where the credential for this VM is stored as a secret.

Please note: when creating the Key Vault, make sure you have allowed access for Azure Resource Manager (ARM).

Step 1:

Create a template for the VM deployment! You can use the Microsoft library as a reference or you can build it yourself. I have attached an example; don’t be afraid of the length of the JSON :), it’s fairly simple. I have also attached a parameter file. The template builds a VM using the configuration details passed in through the parameter file.

Template -

Parameter file -

If you look at the template parameter file closely, it contains the parameters that are referred to in the ARM template above. Before using this parameter file, update the values for the vault resource group name, VNet name, subscription ID, etc. as per your requirements.

** Did you see that the password is null? We cannot use this template parameter file for a successful deployment, as the password is a mandatory value.

Now the fun part. As a practice, we should not keep the password in the parameter file. That’s a security issue. But to create a VM we need to pass the password.

We know the password is in Key Vault. ARM templates provide a mechanism by which we can reference the Key Vault secret directly as part of the template.

Use the reference keyword in place of the null password value and update your template accordingly.

"reference": {
  "keyVault": {
    "id": "/subscriptions/<subscription-id>/resourceGroups/<resgrpname>/providers/Microsoft.KeyVault/vaults/<vault-name>"
  },
  "secretName": "<secret-name>"
}
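
Before deploying, it is worth checking that no password has crept back into the parameter file as a literal value. The script below is an added example, not part of the original post: it scans a parameter file and reports, for each password-like parameter, whether it is null, an inline secret, or a well-formed Key Vault reference. The parameter names, vault name, secret names and the check_parameters helper are assumptions made for illustration.

```python
import json
import re

# Constructed sample parameter file; all names and values are illustrative.
SAMPLE_PARAMS = """
{
  "parameters": {
    "vmName": {"value": "vm-demo"},
    "adminPassword": {"value": null},
    "sqlPassword": {"value": "Sup3rS3cret!"},
    "appSecret": {"reference": {"keyVault": {"id": "kv-demo"}, "secretName": "app"}},
    "vmPassword": {
      "reference": {
        "keyVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-devops/providers/Microsoft.KeyVault/vaults/kv-demo"},
        "secretName": "vm-admin-password"
      }
    }
  }
}
"""

# Heuristic (an assumption): parameters whose name suggests a credential.
SENSITIVE = re.compile(r"password|secret", re.I)
# Full resource ID of a Key Vault, as required in the "id" field.
VAULT_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.I)


def check_parameters(text):
    """Return {parameter_name: finding} for credential-like parameters."""
    findings = {}
    for name, body in json.loads(text).get("parameters", {}).items():
        if not SENSITIVE.search(name):
            continue
        ref = body.get("reference")
        if ref is None:
            # No Key Vault reference: either empty or a plaintext secret.
            value = body.get("value")
            findings[name] = "missing" if value in (None, "") else "inline-secret"
        elif not VAULT_ID.match(ref.get("keyVault", {}).get("id", "")):
            findings[name] = "bad-vault-id"
        elif not ref.get("secretName"):
            findings[name] = "missing-secret-name"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for param, finding in check_parameters(SAMPLE_PARAMS).items():
        print(f"{param}: {finding}")
```

Anything other than "ok" for a credential parameter is a reason to stop before running the deployment.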


Step 2:

You can use PowerShell, the az CLI or an SDK to deploy an ARM template in Azure Cloud. This flexibility makes ARM templates very powerful. We will use the az CLI for the time being.

az deployment group create --name ExampleDeployment --resource-group rg-devops --template-file arm_temp.json --parameters @arm_template_param.json

Once the deployment starts, the template uses the secret value stored in Key Vault and deploys it as part of the VM.

This was a very basic example of an ARM template using Key Vault as a secure data reference. I will come up with some more explanation in the next post.

That’s it for this post.

Thanks and Keep Learning !

In quest of understanding How Systems Work !
