Scenario
Deploy a Logic App's API Connection (for example, Azure Blob Storage) while storing the credentials in Key Vault.
This example uses the Azure Blob Storage connector with the Authentication type as Access Key.
Services Used
- Azure Logic App (Consumption)
- Azure Key Vault
- Azure Storage Account
- Visual Studio Code
- Extension: Azure Resource Manager (ARM) Tools (Visual Studio Marketplace)
Steps
Storing Target Resource’s Credentials in Key Vault
Go to the Storage Account > Access keys and select the key which you’ll use to authenticate.
Go to the Key Vault and Create a secret. Store the Storage Account’s Access Key as the secret’s value.
Constructing the ARM Template
To get a sample template of the connector you want, go to a Logic App, and manually create a connection to that connector first.
Note: This example uses Azure Blob Storage connector, with the Authentication type as “Access Key”. You can use a different connector or authentication type.
Fill out these details and create the connection.
Go to the newly created API Connection and select the Export template blade and Download or Copy the template into a text/JSON editor.
In the text editor, remove everything within the resources[] array field. The exported content does not contain the authentication element we need, which in this case is the Storage Account's Access Key.
1. Go to the Edit API connection blade and enter dummy values in or edit any of the fields, so that the Portal will allow you to save it.
2. Go to the Developer Tools of your browser and start capturing a Network trace.
3. Click Save and you’ll see an entry with the API connection name.
4. Go to the Payload tab and scroll down to the Request Payload. Select View Source and copy everything.
Paste the payload directly into the resources[] array in the text editor.
The Azure Resource Manager (ARM) Tools extension is handy if there are fields missing from the template. In this case, the apiVersion property was missing from the payload/template body, because it's usually sent as a query parameter in the API call.
Add the "apiVersion": "2016-06-01" property to the template body of the API connection resource.
1. Create a new parameter in the parameters object which is going to store the Storage Account’s Access key.
2. Replace the hardcoded accessKey value with a reference to that parameter name.
3. Save this file as a JSON file. Example: Template.json
You can use the Azure Resource Manager (ARM) Tools extension in Visual Studio Code to generate the corresponding parameters file, or just create a new file in the same directory as the template file, for example Template.parameters.json.
We need this parameters file to reference Key Vault.
Instead of storing a value as plaintext, replace the “value” object with a “reference” object. Here, the parameter references the Key Vault by its Resource ID and the Storage Account’s access key by the Key Vault’s Secret Name.
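The checks below are an added example, not code from the original post: a Python audit of the two files built in the steps above, confirming that the template's accessKey points at a parameter and that the parameters file supplies it through a Key Vault reference rather than a plaintext value. The file contents are constructed stand-ins; the parameter name storageAccessKey, its securestring type, the vault ID and the secret name are assumptions.

```python
import re

# Constructed stand-ins for Template.json and Template.parameters.json; all names are placeholders.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "example-rg/providers/Microsoft.KeyVault/vaults/example-kv")
TEMPLATE = {
    "parameters": {"storageAccessKey": {"type": "securestring"}},
    "resources": [{
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "azureblob",
        "properties": {"parameterValues": {
            "accessKey": "[parameters('storageAccessKey')]"}},
    }],
}
PARAMS_KEYVAULT = {"parameters": {"storageAccessKey": {"reference": {
    "keyVault": {"id": VAULT_ID}, "secretName": "StorageAccessKey"}}}}
PARAMS_PLAINTEXT = {"parameters": {"storageAccessKey": {
    "value": "constructed-not-a-real-key"}}}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def audit(template, params):
    """Return findings; an empty list means neither file holds the access key."""
    findings = []
    declared = template.get("parameters", {})
    supplied = params.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/connections":
            continue
        key = res.get("properties", {}).get("parameterValues", {}).get("accessKey")
        if key is None:
            continue
        match = PARAM_REF.match(str(key))
        if not match:
            findings.append(f"{res.get('name')}: accessKey is hardcoded in the template")
            continue
        name = match.group(1)
        entry = supplied.get(name, {})
        ref = entry.get("reference", {})
        if declared.get(name, {}).get("type", "").lower() != "securestring":
            findings.append(f"{name}: template parameter is not securestring")
        if "value" in entry:
            findings.append(f"{name}: parameters file carries a plaintext value")
        elif not (ref.get("keyVault", {}).get("id") and ref.get("secretName")):
            findings.append(f"{name}: Key Vault reference is missing or incomplete")
    return findings

if __name__ == "__main__":
    print(audit(TEMPLATE, PARAMS_KEYVAULT), audit(TEMPLATE, PARAMS_PLAINTEXT))
```

For the deployment to resolve the reference, the Key Vault must be enabled for Azure Resource Manager template deployment, and the identity running the deployment needs permission to read the secret through it.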
Deploying the ARM Template
In the Azure Portal, open the Cloud Shell. Use PowerShell or Azure CLI to deploy the templates. Upload both Template.json and Template.parameters.json files.
Run the following command to deploy them. Replace ResourceGroupName and both file names accordingly.
New-AzResourceGroupDeployment -ResourceGroupName ResourceGroupName -TemplateFile "Template.json" -TemplateParameterFile "Template.parameters.json"
The API connection will be deployed as a new instance or replace the API connection if one already exists with the same name.
The API connection has been successfully deployed with the credentials stored in Key Vault, and is ready for use in the Logic App.
References
- Deploying the template and parameter files: Tutorial - use parameter file to deploy template - Azure Resource Manager | Microsoft Docs
Published Apr 14, 2022
Version 1.0
KalyaniD
Microsoft
Azure Integration Services Blog