Use a valid secret reference

Operational Excellence · All resources · Rule · 2021_09 · Awareness

Use a valid secret reference within parameter files.


When referencing secrets in a template parameter file:

  • The secret reference must be a valid Azure resource ID of a Key Vault.
  • A secret name must be specified.
  • An optional secret version can be specified.


Check that the Key Vault reference for the secret value is valid.


Configure with Azure template

To define Azure template parameter files that pass this rule:

  • When a secret is referenced from Key Vault, provide a valid resource ID and secret name.

For example:

Azure Template snippet
{
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "gatewayName": {
      "value": "gateway-A"
    },
    "sku": {
      "value": "VpnGw1"
    },
    "subnetId": {
      "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet"
    },
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001"
        },
        "secretName": "valid-secret"
      }
    }
  }
}
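
A pre-deployment check for the three conditions listed above, added here as an example and not PSRule's own implementation. The function name `check_secret_refs`, the regular expressions (based on Azure naming rules) and the `badKey` sample parameter are assumptions.

```python
import json
import re

# Assumed patterns, based on Azure naming rules (not taken from PSRule's source).
VAULT_ID = re.compile(
    r"/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[^/]+/providers/Microsoft\.KeyVault"
    r"/vaults/[a-z][a-z0-9-]{1,22}[a-z0-9]", re.IGNORECASE)
SECRET_NAME = re.compile(r"[A-Za-z0-9-]{1,127}")
SECRET_VERSION = re.compile(r"[0-9a-f]{32}", re.IGNORECASE)

def _ok(pattern, value):
    return isinstance(value, str) and pattern.fullmatch(value) is not None

def check_secret_refs(parameter_file_text):
    """Return (parameter, problem) pairs for invalid Key Vault secret references."""
    problems = []
    parameters = json.loads(parameter_file_text).get("parameters", {})
    for name, param in parameters.items():
        ref = param.get("reference") if isinstance(param, dict) else None
        if not isinstance(ref, dict):
            continue  # plain "value" parameters are not secret references
        vault = ref.get("keyVault")
        vault_id = vault.get("id") if isinstance(vault, dict) else None
        if not _ok(VAULT_ID, vault_id):
            problems.append((name, "keyVault.id is not a Key Vault resource ID"))
        if not _ok(SECRET_NAME, ref.get("secretName")):
            problems.append((name, "secretName is missing or invalid"))
        version = ref.get("secretVersion")  # optional
        if version is not None and not _ok(SECRET_VERSION, version):
            problems.append((name, "secretVersion is invalid"))
    return problems

# Constructed sample: "sharedKey" mirrors the page's example; "badKey" points at
# a virtual network instead of a vault and omits the secret name.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg"
SAMPLE = json.dumps({"parameters": {
    "gatewayName": {"value": "gateway-A"},
    "sharedKey": {"reference": {
        "keyVault": {"id": RG + "/providers/Microsoft.KeyVault/vaults/kv-001"},
        "secretName": "valid-secret"}},
    "badKey": {"reference": {
        "keyVault": {"id": RG + "/providers/Microsoft.Network/virtualNetworks/vnet-A"}}},
}})

if __name__ == "__main__":
    for name, problem in check_secret_refs(SAMPLE):
        print(f"{name}: {problem}")
```

Run against a parameter file in CI, a non-empty result flags references that would fail at deployment time or resolve against the wrong resource.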


This rule is deprecated from v1.36.0. By default, PSRule will not evaluate this rule unless explicitly enabled. See