Better support for SecureString parameters via Portal
I am developing a Blueprint with an ARM template artifact that allocates an Azure Key Vault (along with a few other resources in the stack).
- I would like to initialize several secrets via "securestring" parameters from the Portal.
- I would like to optionally update such secrets via subsequent assignment operations from the Portal.
Using "securestring" parameters currently requires first initializing a reference Key Vault with the secrets in question. It's a catch-22 scenario. Also, since regular "string" type parameters show up in clear text in the deployment history, there is no secure way to initialize Key Vault secrets by simply applying a Blueprint in the Portal. Not without first initializing a Key Vault elsewhere.
Some possible improvements:
* Tweak the current UX so that the "securestring" type produces a dropdown with candidate source Key Vaults. Not ideal, but better than current.
* Allow the Portal to pass securestring objects to ARM template artifacts without an intermediary. This would be ideal.
Blueprints are an awesome orchestration tool. I think better support for securestring parameters would make it easier to recover from compromised credentials and/or perform standard key rotation ops.
Thanks for considering!
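The clear-text exposure described in the post can be checked before a template is published as a Blueprint artifact. The following is an added example, not part of the original post: a small lint that flags Key Vault secret resources whose value comes from a parameter that is not a secure type. The template, its parameter names and the function name `insecure_secret_params` are constructed for illustration, and only top-level resources are inspected.

```python
import json
import re

# Constructed ARM template: two secrets written into a Key Vault, one fed by a
# "securestring" parameter and one by a plain "string" parameter.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {"type": "string"},
    "dbPassword": {"type": "securestring"},
    "apiKey": {"type": "string"}
  },
  "resources": [
    {"type": "Microsoft.KeyVault/vaults/secrets",
     "apiVersion": "2019-09-01",
     "name": "[concat(parameters('vaultName'), '/dbPassword')]",
     "properties": {"value": "[parameters('dbPassword')]"}},
    {"type": "Microsoft.KeyVault/vaults/secrets",
     "apiVersion": "2019-09-01",
     "name": "[concat(parameters('vaultName'), '/apiKey')]",
     "properties": {"value": "[parameters('apiKey')]"}}
  ]
}
""")

# Matches parameters('name') references inside an ARM template expression.
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")
# Parameter types that ARM keeps out of the deployment history.
SECURE_TYPES = {"securestring", "secureobject"}

def insecure_secret_params(template):
    """Return (resource name, parameter) pairs where a Key Vault secret value
    is taken from a parameter that is not a secure type."""
    params = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        value = str(res.get("properties", {}).get("value", ""))
        for name in PARAM_REF.findall(value):
            ptype = params.get(name, {}).get("type", "").lower()
            if ptype not in SECURE_TYPES:
                findings.append((res.get("name"), name))
    return findings

if __name__ == "__main__":
    for resource, param in insecure_secret_params(SAMPLE_TEMPLATE):
        print(f"{resource}: parameter '{param}' should be securestring")
```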