Azure · levimatheri · Mar 14, 2026 · Mar 14, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/src/Bicep.Core.IntegrationTests/Emit/ParamsFileWriterTests.cs b/src/Bicep.Core.IntegrationTests/Emit/ParamsFileWriterTests.cs
@@ -92,6 +92,48 @@ param myParam string
           """)]
         [DataRow(@"
 using 'main.bicep'
+param myParam = getSecret(
+  externalInput('subId'),
+  externalInput('rgName'),
+  externalInput('kvName'),
+  externalInput('secretName'),
+  externalInput('secretVersion'))", @"
+{
+  ""$schema"": ""https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"",
+  ""contentVersion"": ""1.0.0.0"",
+  ""parameters"": {
+    ""myParam"": {
+      ""reference"": {
+        ""keyVault"": {
+          ""id"": ""[resourceId(externalInputs('subId_0'), externalInputs('rgName_1'), 'Microsoft.KeyVault', 'vaults', externalInputs('kvName_2'))]""
+        },
+        ""secretName"": ""[externalInputs('secretName_3')]"",
+        ""secretVersion"": ""[externalInputs('secretVersion_4')]""
+      }
+    }
+  },
+  ""externalInputDefinitions"": {
+    ""kvName_2"": {
+      ""kind"": ""kvName""
+    },
+    ""rgName_1"": {
+      ""kind"": ""rgName""
+    },
+    ""secretName_3"": {
+      ""kind"": ""secretName""
+    },
+    ""secretVersion_4"": {
+      ""kind"": ""secretVersion""
+    },
+    ""subId_0"": {
+      ""kind"": ""subId""
+    }
+  }
+}", @"
+param myParam string
+")]
+        [DataRow(@"
+using 'main.bicep'
 param myParam = 1", @"
 {
   ""$schema"": ""https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"",
@@ -256,33 +298,6 @@ param myParam object
   }
 }", @"
 param myParam object
-")]
-
-        [DataRow(@"
-using 'main.bicep'
-
-//multiple parameters
-param myStr = 'foo'
-param myBool = false
-param myInt = 1", @"
-{
-  ""$schema"": ""https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"",
-  ""contentVersion"": ""1.0.0.0"",
-  ""parameters"": {
-    ""myStr"": {
-      ""value"": ""foo""
-    },
-    ""myBool"": {
-      ""value"": false
-    },
-    ""myInt"": {
-      ""value"": 1
-    }
-  }
-}", @"
-param myStr string
-param myBool bool
-param myInt int
 ")]
         public void Params_file_with_no_errors_should_compile_correctly(string paramsText, string paramsJsonText, string bicepText)
         {

diff --git a/src/Bicep.Core.IntegrationTests/ParameterFileTests.cs b/src/Bicep.Core.IntegrationTests/ParameterFileTests.cs
@@ -241,6 +241,105 @@ invalid file
         });
     }
 
+    [TestMethod]
+    public void GetSecret_without_expressions_in_parameters_generates_expected_keyVault_reference()
+    {
+        var result = CompilationHelper.CompileParams(
+("parameters.bicepparam", """
+using none
+param foo = getSecret('subId', 'rgName', 'kvName', 'secretName', 'secretVersion')
+param bar = getSecret('subId', 'rgName', 'kvName', 'secretName')
+"""));
+        result.Should().NotHaveAnyDiagnostics();
+        var parameters = TemplateHelper.ConvertAndAssertParameters(result.Parameters);
+        parameters["foo"].Reference.Should().NotBeNull();
+        parameters["foo"].Reference.Should().DeepEqual(new JObject
+        {
+            ["keyVault"] = new JObject
+            {
+                ["id"] = "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.KeyVault/vaults/kvName",
+            },
+            ["secretName"] = "secretName",
+            ["secretVersion"] = "secretVersion",
+        });
+
+        parameters["bar"].Reference.Should().NotBeNull();
+        parameters["bar"].Reference.Should().DeepEqual(new JObject
+        {
+            ["keyVault"] = new JObject
+            {
+                ["id"] = "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.KeyVault/vaults/kvName",
+            },
+            ["secretName"] = "secretName"
+        });
+    }
+
+    [TestMethod]
+    public void GetSecret_expressions_in_parameters_generates_expected_keyVault_reference()
+    {
+        var result = CompilationHelper.CompileParams(
+            ("parameters.bicepparam", """
+using none
+
+param foo = getSecret(
+  externalInput('subId'),
+  externalInput('rgName'),
+  externalInput('kvName'),
+  externalInput('secretName'),
+  externalInput('secretVersion'))
+
+var subId = externalInput('subId')
+var rgName = externalInput('rgName')
+var kvName = externalInput('kvName')
+var secretName = externalInput('secretName')
+
+param bar = getSecret(subId, rgName, kvName, secretName)
+"""));
+        result.Should().NotHaveAnyDiagnostics();
+        var parameters = TemplateHelper.ConvertAndAssertParameters(result.Parameters);
+        parameters["foo"].Reference.Should().NotBeNull();
+        parameters["foo"].Reference.Should().DeepEqual(new JObject
+        {
+            ["keyVault"] = new JObject
+            {
+                ["id"] = "[resourceId(externalInputs('subId_0'), externalInputs('rgName_1'), 'Microsoft.KeyVault', 'vaults', externalInputs('kvName_2'))]"
+            },
+            ["secretName"] = "[externalInputs('secretName_3')]",
+            ["secretVersion"] = "[externalInputs('secretVersion_4')]"
+        });
+        parameters["bar"].Reference.Should().NotBeNull();
+        parameters["bar"].Reference.Should().DeepEqual(new JObject
+        {
+            ["keyVault"] = new JObject
+            {
+                ["id"] = "[resourceId(externalInputs('subId_0'), externalInputs('rgName_1'), 'Microsoft.KeyVault', 'vaults', externalInputs('kvName_2'))]"
+            },
+            ["secretName"] = "[externalInputs('secretName_3')]"
+        });
+
+        var externalInputs = TemplateHelper.ConvertAndAssertExternalInputs(result.Parameters);
+        externalInputs["subId_0"].Should().DeepEqual(new JObject
+        {
+            ["kind"] = "subId",
+        });
+        externalInputs["rgName_1"].Should().DeepEqual(new JObject
+        {
+            ["kind"] = "rgName",
+        });
+        externalInputs["kvName_2"].Should().DeepEqual(new JObject
+        {
+            ["kind"] = "kvName",
+        });
+        externalInputs["secretName_3"].Should().DeepEqual(new JObject
+        {
+            ["kind"] = "secretName",
+        });
+        externalInputs["secretVersion_4"].Should().DeepEqual(new JObject
+        {
+            ["kind"] = "secretVersion",
+        });
+    }
+
     [TestMethod]
     public void ExternalInput_without_config_compiles_successfully()
     {

diff --git a/src/Bicep.Core.IntegrationTests/TemplateHelper.cs b/src/Bicep.Core.IntegrationTests/TemplateHelper.cs
@@ -20,7 +20,7 @@ namespace Bicep.Core.IntegrationTests
 {
     public class TemplateHelper
     {
-        public record ParameterProperties(JToken? Value, JToken? Expression);
+        public record ParameterProperties(JToken? Value, JToken? Expression, JToken? Reference);
         public static ImmutableDictionary<string, ParameterProperties> ConvertAndAssertParameters(JToken? parametersJToken)
         {
             if (parametersJToken is null)
@@ -33,7 +33,7 @@ public static ImmutableDictionary<string, ParameterProperties> ConvertAndAssertP
             var parametersObject = parametersJToken["parameters"] as JObject;
             parametersObject.Should().NotBeNull();
 
-            return parametersObject!.Properties().ToImmutableDictionary(x => x.Name, x => new ParameterProperties(x.Value["value"], x.Value["expression"]));
+            return parametersObject!.Properties().ToImmutableDictionary(x => x.Name, x => new ParameterProperties(x.Value["value"], x.Value["expression"], x.Value["reference"]));
         }
 
         public static JObject ConvertAndAssertExternalInputs(JToken? parametersJToken)

diff --git a/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/main.bicep b/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/main.bicep
@@ -3,3 +3,7 @@ param myInt int
 param myBool bool
 param myArray array
 param myObject object
+@secure()
+param kvSecret string
+@secure()
+param kvSecretExpression string
diff --git a/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.bicepparam b/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.bicepparam
@@ -76,3 +76,10 @@ THis
       multiline
         string!
 '''
+param kvSecret = az.getSecret('subId', 'rgName', 'kvName', 'secretName', 'secretVersion')
+param kvSecretExpression = az.getSecret(
+  externalInput('subId'), 
+  externalInput('rgName'), 
+  externalInput('kvName'), 
+  externalInput('secretName'), 
+  externalInput('secretVersion'))
diff --git a/...cep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.diagnostics.bicepparam b/...cep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.diagnostics.bicepparam
@@ -76,4 +76,11 @@ THis
       multiline
         string!
 '''
+param kvSecret = az.getSecret('subId', 'rgName', 'kvName', 'secretName', 'secretVersion')
+param kvSecretExpression = az.getSecret(
+  externalInput('subId'), 
+  externalInput('rgName'), 
+  externalInput('kvName'), 
+  externalInput('secretName'), 
+  externalInput('secretVersion'))
 
diff --git a/...Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.formatted.bicepparam b/...Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.formatted.bicepparam
@@ -76,3 +76,11 @@ THis
       multiline
         string!
 '''
+param kvSecret = az.getSecret('subId', 'rgName', 'kvName', 'secretName', 'secretVersion')
+param kvSecretExpression = az.getSecret(
+  externalInput('subId'),
+  externalInput('rgName'),
+  externalInput('kvName'),
+  externalInput('secretName'),
+  externalInput('secretVersion')
+)
diff --git a/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.json b/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.json
@@ -130,6 +130,41 @@
     },
     "myString": {
       "value": "THis\n  is\n    a\n      multiline\n        string!\n"
+    },
+    "kvSecret": {
+      "reference": {
+        "keyVault": {
+          "id": "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.KeyVault/vaults/kvName"
+        },
+        "secretName": "secretName",
+        "secretVersion": "secretVersion"
+      }
+    },
+    "kvSecretExpression": {
+      "reference": {
+        "keyVault": {
+          "id": "[resourceId(externalInputs('subId_0'), externalInputs('rgName_1'), 'Microsoft.KeyVault', 'vaults', externalInputs('kvName_2'))]"
+        },
+        "secretName": "[externalInputs('secretName_3')]",
+        "secretVersion": "[externalInputs('secretVersion_4')]"
+      }
+    }
+  },
+  "externalInputDefinitions": {
+    "kvName_2": {
+      "kind": "kvName"
+    },
+    "rgName_1": {
+      "kind": "rgName"
+    },
+    "secretName_3": {
+      "kind": "secretName"
+    },
+    "secretVersion_4": {
+      "kind": "secretVersion"
+    },
+    "subId_0": {
+      "kind": "subId"
     }
   }
 }
diff --git a/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.symbols.bicepparam b/src/Bicep.Core.Samples/Files/baselines_bicepparam/Expressions/parameters.symbols.bicepparam
@@ -89,4 +89,13 @@ THis
       multiline
         string!
 '''
+param kvSecret = az.getSecret('subId', 'rgName', 'kvName', 'secretName', 'secretVersion')
+//@[06:14) ParameterAssignment kvSecret. Type: string. Declaration start char: 0, length: 89
+param kvSecretExpression = az.getSecret(
+//@[06:24) ParameterAssignment kvSecretExpression. Type: string. Declaration start char: 0, length: 189
+  externalInput('subId'), 
+  externalInput('rgName'), 
+  externalInput('kvName'), 
+  externalInput('secretName'), 
+  externalInput('secretVersion'))