I'm trying to find the best practices for managing secrets in Bicep, specifically for JWT keys. The issue is that I can't use Key Vault references since the Key Vault is created within the infrastructure as code (IaC). For most secrets, like connection strings, I can dynamically fetch them from previously created resources and insert them into Key Vault. However, I'm unsure how to handle JWT keys because hardcoding them into the IaC seems risky. Manually inserting them after the first pipeline run feels inefficient, and using methods like newGuid() could disrupt authenticated user sessions. Is there a smoother approach?
1 Answer
A solid way to manage your secrets is to use multi-staged Bicep deployments. Start with deploying the infrastructure, including the Azure Key Vault, followed by User-Assigned Managed Identity (UAMI) permissions, and finally the configuration. Storing the JWT in Key Vault might not be necessary since the client typically handles the JWT. However, if you do need the JWT secret for token signing, consider generating it outside of your template in your CI/CD pipeline using a secure CSPRNG. Then, pass it as a secure parameter during the first deploy and store it in Key Vault right away. After the initial setup, treat Key Vault as your source of truth for secrets without frequent rotations unless planned. This keeps your IaC clean by avoiding hardcoded secrets or messy workarounds.
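
As an added illustration of the "secure parameter on first deploy, Key Vault as source of truth afterwards" pattern (example written here, not code from the answer), this Bicep module takes a pipeline-generated signing key as a `@secure()` parameter, creates the vault, grants the UAMI read access, and writes the secret only when a key is actually supplied, so later deployments that omit the parameter leave the stored key (and live sessions) untouched. The vault name, UAMI principal ID and secret name are hypothetical.

```bicep
// Added example, not from the original answer. Deploy once with
// -p jwtSigningKey=<value generated by the pipeline's CSPRNG>; omit it afterwards.
@description('Globally unique Key Vault name (hypothetical).')
param keyVaultName string

@description('Region for the vault; defaults to the resource group location.')
param location string = resourceGroup().location

@description('Principal ID of the user-assigned managed identity that reads the secret.')
param uamiPrincipalId string

@description('JWT signing key generated in CI/CD. Empty on every run after the first.')
@secure()
param jwtSigningKey string = ''

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true   // RBAC instead of access policies
    enableSoftDelete: true
    enablePurgeProtection: true     // a deleted signing key cannot be purged by mistake
  }
}

// Built-in "Key Vault Secrets User" role: read secret values only.
var secretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource secretsUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, uamiPrincipalId, secretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: uamiPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// Written only on the initial deployment; subsequent runs without the
// parameter skip this resource, so the existing secret version is kept.
resource jwtSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = if (!empty(jwtSigningKey)) {
  parent: keyVault
  name: 'jwt-signing-key'
  properties: {
    value: jwtSigningKey
    contentType: 'text/plain'
  }
}
```

Generate the value in the pipeline (for example `openssl rand -base64 48`) and pass it straight into the deployment as a masked variable; the key never appears in the repository or in the deployment history, since secure parameters are not logged.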

That approach makes a lot of sense! It definitely aligns with keeping secrets out of code. Plus, handling it in the pipeline feels much cleaner over time.