1# Key Vault - Bicep Patterns
2 
3## Basic Vault
4 
5```bicep
6resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
7  name: '${resourcePrefix}-kv-${uniqueHash}'
8  location: location
9  properties: {
10    tenantId: subscription().tenantId
11    sku: {
12      family: 'A'
13      name: 'standard'
14    }
15    enableRbacAuthorization: true
16    enableSoftDelete: true
17    softDeleteRetentionInDays: 90
18    enablePurgeProtection: true
19  }
20}
21```
22 
23## Storing Secrets
24 
25```bicep
26resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
27  parent: keyVault
28  name: 'database-connection-string'
29  properties: {
30    value: databaseConnectionString
31  }
32}
33```
34 
35## Role Assignment (Managed Identity)
36 
37```bicep
38resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
39  name: guid(keyVault.id, principalId, 'Key Vault Secrets User')
40  scope: keyVault
41  properties: {
42    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
43    principalId: principalId
44    principalType: 'ServicePrincipal'
45  }
46}
47```
48 
49## Referencing in App Service / Functions
50 
51```bicep
52appSettings: [
53  {
54    name: 'DATABASE_URL'
55    value: '@Microsoft.KeyVault(VaultName=${keyVault.name};SecretName=database-connection-string)'
56  }
57]
58```
59 
60## Referencing in Container Apps
61 
62```bicep
63secrets: [
64  {
65    name: 'db-connection'
66    keyVaultUrl: '${keyVault.properties.vaultUri}secrets/database-connection-string'
67    identity: containerApp.identity.principalId
68  }
69]
70```
71 
72## Secret with Expiration
73 
74```bicep
75resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
76  parent: keyVault
77  name: 'api-key'
78  properties: {
79    value: apiKey
80    attributes: {
81      exp: dateTimeToEpoch(dateTimeAdd(utcNow(), 'P90D'))
82    }
83  }
84}
85```
86