Deploying Multi-Line Values in ARM Templates

Have you ever had trouble deploying an ARM template due to multi-line secrets stored in Azure Key Vault? Recently, I encountered an issue while deploying a Logic App that used an SFTP connection with SSH authentication. The problem arose when trying to retrieve a multi-line private key from Azure Key Vault without it getting corrupted.

The challenge stemmed from how Azure Key Vault handles multi-line secrets. When retrieved, Key Vault automatically adds line breaks (\n), causing the private key to become invalid.

To solve this, I encoded the private key as Base64 and stored it in the Key Vault.

Here’s a snippet of the PowerShell script I used:

# Define your Azure Key Vault details
$vaultName = "your-keyvault-name"
$secretName = "your-private-key"    
$keyFilePath = "C:\...."

# Read the content of the private key file
$privateKeyContent = Get-Content -Raw -Path $keyFilePath

# Convert the private key content to Base64 encoding
$base64EncodedPrivateKey = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($privateKeyContent))

# Set the secret in Azure Key Vault
az keyvault secret set --vault-name $vaultName --name $secretName --value $base64EncodedPrivateKey

With the private key stored securely in Key Vault as Base64, I could now retrieve and decode it during deployment. This solution can be applied to any scenario requiring multi-line characters to be passed to an ARM template using the base64ToString template function, like so under the “sshPrivateKey” section:

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[variables('sftp_1_Connection_Name')]",
  "location": "[parameters('LogicAppLocation')]",
  "kind": "V1",
  "properties": {
    "displayName": "[variables('sftp_1_Connection_Name')]",
    "parameterValues": {
      "hostName": "",
      "userName": "",
      "password": "",
      "portNumber": "",
      "sshPrivateKey": "[base64ToString(parameters('sftp_1_sshPrivateKey'))]",          
      "sshPrivateKeyPassphrase": "[parameters('sftp_1_sshPrivateKeyPassphrase')]",
      "acceptAnySshHostKey": true,
      "sshHostKeyFingerprint": ""
    },
    "api": {
      "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('LogicAppLocation'), '/managedApis/sftpwithssh')]"
    }
  }
}