Deploying Multi-Line Values in ARM Templates
Have you ever had trouble deploying an ARM template due to multi-line secrets stored in Azure Key Vault? Recently, I encountered an issue while deploying a Logic App that used an SFTP connection with SSH authentication. The problem arose when trying to retrieve a multi-line private key from Azure Key Vault without it getting corrupted.
The challenge stemmed from how Azure Key Vault handles multi-line secrets. When retrieved, Key Vault automatically adds line breaks (\n), causing the private key to become invalid.
To solve this, I encoded the private key as Base64 and stored it in the Key Vault.
Here’s a snippet of the PowerShell script I used:
# Define your Azure Key Vault details
$vaultName = "your-keyvault-name"
$secretName = "your-private-key"
$keyFilePath = "C:\...."
# Read the content of the private key file
$privateKeyContent = Get-Content -Raw -Path $keyFilePath
# Convert the private key content to Base64 encoding
$base64EncodedPrivateKey = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($privateKeyContent))
# Set the secret in Azure Key Vault
az keyvault secret set --vault-name $vaultName --name $secretName --value $base64EncodedPrivateKey
With the private key stored securely in Key Vault as Base64, I could now retrieve and decode it during deployment. This solution can be applied to any scenario requiring multi-line characters to be passed to an ARM template using the base64ToString template function, like so under the “sshPrivateKey” section:
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('sftp_1_Connection_Name')]",
"location": "[parameters('LogicAppLocation')]",
"kind": "V1",
"properties": {
"displayName": "[variables('sftp_1_Connection_Name')]",
"parameterValues": {
"hostName": "",
"userName": "",
"password": "",
"portNumber": "",
"sshPrivateKey": "[base64ToString(parameters('sftp_1_sshPrivateKey'))]",
"sshPrivateKeyPassphrase": "[parameters('sftp_1_sshPrivateKeyPassphrase')]",
"acceptAnySshHostKey": true,
"sshHostKeyFingerprint": ""
},
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('LogicAppLocation'), '/managedApis/sftpwithssh')]"
}
}
}