azureautomation / automation-packs

Collections of Automation resources that can include runbooks, configurations, modules, credentials, schedules, variables, connections, certificates, jobs, compilation jobs, and nodes.
MIT License

Encrypted variable cannot be called in ARM template #10

Open slavizh opened 8 years ago

slavizh commented 8 years ago

You can set an encrypted variable via ARM, but you cannot output the value from that variable. Let's say that we have the following code in the output section:

```json
"primarykey": {
  "value": "[reference(Concat('Microsoft.Automation/automationAccounts/', parameters('omsAutomationAccountName'), '/variables/', variables('variableNameOmsAutomationAccountPrimaryKey')), parameters('omsAutomationApiVersion')).value]",
  "type": "securestring"
}
```

In the output the value is not there. It works for non-encrypted values. It would be good if these values could be used in ARM.

elcooper commented 8 years ago

Thanks for this feedback! This would actually be a feature owned by the ARM team that the Automation team would inherit. I’ve sent it over to their team though, but you may want to provide this feedback directly to them.

Also, since the variable is encrypted what are you getting from it?

From: Stanislav Zhelyazkov [mailto:notifications@github.com]
Sent: Wednesday, February 17, 2016 11:39 PM
To: azureautomation/automation-packs automation-packs@noreply.github.com
Subject: [automation-packs] Encrypted variable cannot be called in ARM template (#10)

slavizh commented 8 years ago

I am hoping that when I get the value it will be unencrypted, but I can use it in other ARM deployments. Of course, when I use it, I will use it in an ARM deployment where it is passed securely (protected settings, securestring). Automation can be used for storing some of these secrets in case a customer does not want to implement Key Vault. Also, referencing a Key Vault secret is not implemented across all Azure resources.

In the example above, ".value" does not exist at all when the call to ARM is made, and because of that nothing is returned.

jodoglevy commented 8 years ago

We don't return the value of encrypted assets via our API, for security. I assume you created the asset via the ARM template as well, right? If so, can you just output the ARM template parameter value that you used for the variable value, when you created the variable in the ARM template?

slavizh commented 8 years ago

I've created the variables via the template, but the values in them are dummy values. After deployment I update them with a runbook because I can put the values I want only by using PowerShell. So in short I cannot use those values in the ARM template :)

jodoglevy commented 8 years ago

"I can put the values I want only by using PowerShell." - what does this mean? Why can't the same be done via an ARM template?

slavizh commented 8 years ago

Basically this is related to another thread we have. I need to get the primary access key for the Automation account as well as the shared keys for the Log Analytics space. For now I can get those only from Azure PowerShell cmdlets. I thought I could overcome that by getting the value from an encrypted variable, but it seems I am hitting the same problem.

jodoglevy commented 8 years ago

Instead of creating a variable via PowerShell that holds the registration keys, create the automation account via PS. Then call Get-AARmRegInfo cmdlet, and pass those fields into the ARM template. No variable asset needed :)

slavizh commented 8 years ago

Yes, probably that will be my next step: to do the ARM deployment via PowerShell in a runbook :)
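
The workflow jodoglevy suggests above (create the account from PowerShell, read its registration info, pass the fields into the ARM template), as an added example that is not part of the thread or the project's code. It assumes the cmdlet meant is `Get-AzAutomationRegistrationInfo` from the Az.Automation module (`Get-AzureRmAutomationRegistrationInfo` in the older AzureRM module), an already authenticated session, and a template that declares the two hypothetical parameters `automationRegistrationUrl` (string) and `automationRegistrationKey` (securestring); the resource names and template path are placeholders.

```powershell
# Added example. $rg, $account, $location, the template path and the two
# template parameter names are hypothetical placeholders, not from the thread.
$rg       = 'rg-oms-demo'
$account  = 'aa-oms-demo'
$location = 'westeurope'
$template = '.\azuredeploy.json'

# 1. Create the Automation account from PowerShell (not from the template)
#    so that its registration keys exist before the deployment starts.
$existing = Get-AzAutomationAccount -ResourceGroupName $rg -Name $account `
                -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzAutomationAccount -ResourceGroupName $rg -Name $account `
        -Location $location | Out-Null
}

# 2. Read the registration endpoint and keys. This is the data the thread
#    could not obtain through reference() on an encrypted variable.
$reg = Get-AzAutomationRegistrationInfo -ResourceGroupName $rg `
           -AutomationAccountName $account

# 3. Wrap the key in a SecureString so it binds to a template parameter
#    declared as "type": "securestring".
$secureKey = ConvertTo-SecureString -String $reg.PrimaryKey -AsPlainText -Force

# 4. Pass both fields in as template parameters (dynamic parameters named
#    after the template's own parameter names). No variable asset is needed.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $template `
    -automationRegistrationUrl $reg.Endpoint `
    -automationRegistrationKey $secureKey

# 5. Drop the plaintext copy of the key from the session.
Remove-Variable -Name reg, secureKey
```

Inside the template, consume `automationRegistrationKey` only in protected or secure properties and do not echo it in the `outputs` section.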