Dynamically retrieving azure storage account key in ARM template

Question

I am trying to automate creating an API Connection for a storage account in Azure using Resource Manager templates.

I am using the listKeys method in ARM to retrieve the access key of the storage account. I went through this question and it is not working for me. When I use the method in the outputs section of the template, it is working fine and successfully retrieving and displaying the access key.

"outputs": { "listKeysOutput": { "type": "string", "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storagename')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]" } }

However, when I try to use the same function inside a connection resource (as shown below), the template executes without any error. But on accessing the API Connection from the Azure portal, it says 'parameter is missing'.

"parameterValues": { "accesskey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storagename')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", "accountName": "[parameters('storagename')]" }

Am I missing something here? Or the output of listKeys is not being accepted by the 'accesskey' property?

Answer 1

I had a similar experience a few months ago, and resolved it by using a connection string directly in my code and then passing the connection string into the connections. The value looked like this:

[concat('DefaultEndpointsProtocol=https;AccountName=',  variables('storageConfigs')[0].name,';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts/',  variables('storageConfigs')[0].name), variables('defaultStorageApiVersion')).key1)]

I used a storage config object as an input, so that's why it looks like above you could replace variables('storageConfigs')[0].name with whatever name or variable function you use in your code. Looks like above it may be storagename

Answer 2

Two things that might be causing the issue:

1. Ensure the API Connection has a dependency on the storage account
2. Capitalise the key in "accessKey" (some things in templates are case sensitive)

Answer 3

@Naren, I recommend you can use this API function to get your Storage Key

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/listKeys?api-version={api-version}

You could get the same result as the template.

    {
  “keys”: [
    {
      “keyName”: “key1”,
      “value”: "key1Value”,
      “permissions”: “FULL”
    },
    {
      “keyName”: “key2”,
      “value”: "key2Value”,
      “permissions”: “FULL”
    },
  ]
}

Just for your reference: https://msdn.microsoft.com/en-us/library/mt163589.aspx

Answer 4

Dependency is indeed a requirement so that the storage account is already created before the deployment of the api connection is initiated.

The problem with the OP template code is the use of accesskey while the correct parameter name is accessKey (Note the capital K) for an Azure Blob api connection resource.

For anyone who struggles with the lack of documentation for the required parameters of API Connection resources - initiate this API Call:

https://management.azure.com/subscriptions/<YOUR SUBSCRIPTION ID>/providers/Microsoft.Web/locations/<YOUR LOCATION>/managedApis/<API TYPE>?api-version=2016-06-01

The <API TYPE> should be the api type of the connection to check for example azureblob , azurequeues or documentdb .

A description of all the expected parameters is returned along side other descriptive information for that resource.