Terraform with Azure Key Vault to get secret value

[Joshua Falken]

In Terraform, you can indeed retrieve the value of a secret from Azure Key Vault using the azurerm_key_vault_secret data source. However, you are correct that the actual secret value is not directly exposed in the Terraform object due to security concerns. Instead, Terraform stores a reference to the secret.

Here’s how you can use the azurerm_key_vault_secret data source to retrieve a secret:

data "azurerm_key_vault_secret" "example" {
  name         = "example-secret"
  key_vault_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/example-key-vault"
}
output "secret_value" {
  value = data.azurerm_key_vault_secret.example.value
}

In the above example:

• example-secret is the name of the secret you want to retrieve.
• example-key-vault is the name of your Azure Key Vault.
• example-resources is the name of the resource group where your Azure Key Vault resides.

After running terraform apply, you can use terraform output secret_value to see the secret value. However, note that even though you can see the secret value in the Terraform output, it’s not recommended to store or expose secrets in plain text. It’s best practice to use solutions like Azure Key Vault to manage and securely access your secrets.

[Chris Pietschmann]

Here’s an article I wrote that shows this with more detail, and also includes referencing the Key Vault secret from an App Service app setting: https://build5nines.com/terraform-deploy-azure-app-service-with-key-vault-secret-integration/

build5nines.com

Terraform: Deploy Azure App Service With Key Vault Secret Integration | Build5Nines

One of the most popular cloud-native, PaaS (Platform as a Service) products in Microsoft Azure is Azure App Service. It enables you to easily deploy and host