
Deployment exposes a secret in output

Security · Deployment · Rule · 2022_06 · Critical

Outputting a sensitive value from deployment may leak secrets into deployment history or logs.

Description

Don't include any value in an ARM template or Bicep output that could expose a secret. Template outputs are stored in the deployment history, so a malicious user with access to that history could find the secret.

Examples of secrets are:

  • Parameters using the secureString or secureObject type.
  • Output from list* functions such as listKeys.

Outputs are recorded in clear text within deployment history and logs. Logs are often exposed at multiple levels, including CI pipeline logs, Azure Activity Logs, and SIEM systems.

Secret rotation — SE:09 Application secrets

If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.

Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.

Recommendation

Consider removing any output values that return secret values in code.

Examples

Configure with Azure template

To pass secrets securely within Infrastructure as Code:

  • Define parameters with the secureString or secureObject type.
  • Avoid returning a secret in output values.

Example using secureString type:

Azure Template snippet
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": []
}

The following example fails because it returns a secret:

Azure Template snippet
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": [],
  "outputs": {
    "accountPassword": {
      "type": "string",
      "value": "[parameters('adminPassword')]"
    }
  }
}

Configure with Bicep

To pass secrets securely within Infrastructure as Code:

  • Add the @secure() decorators on sensitive parameters.
  • Avoid returning a secret in output values.

Example using the @secure() decorator:

Azure Bicep snippet
@secure()
@description('Local administrator password for virtual machine.')
param adminPassword string

The following example fails because it returns a secret:

Azure Bicep snippet
output accountPassword string = adminPassword
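The two failing cases above (an output that echoes a secureString/secureObject parameter, and an output built from a list* function such as listKeys) can be caught before deployment. The following checker is an added example, not PSRule's own implementation or code from this page: it walks the parameters and outputs of an ARM template in JSON form and reports any output whose expression references a secure parameter or calls a list* function. The sample template embedded in it is constructed for the example (it combines the failing template from this page with a listKeys output and one harmless output); the API version and resource type in that sample are illustrative only.

```python
"""Flag ARM template outputs that expose secrets.

Added example, not PSRule's code: mirrors the two cases of this rule,
outputs that reference secureString/secureObject parameters and outputs
that call list* functions.
"""
import json
import re

SECURE_TYPES = {"securestring", "secureobject"}

# parameters('name') inside an ARM expression; ARM functions are case-insensitive.
PARAM_REF = re.compile(r"parameters\('([^']+)'\)", re.IGNORECASE)
# Any list* function call such as listKeys( or listSecrets(.
LIST_FUNC = re.compile(r"\blist[A-Za-z]*\s*\(", re.IGNORECASE)


def secure_parameters(template: dict) -> set[str]:
    """Return the lower-cased names of parameters declared with a secure type."""
    params = template.get("parameters", {})
    return {
        name.lower()
        for name, definition in params.items()
        if str(definition.get("type", "")).lower() in SECURE_TYPES
    }


def _expressions(value) -> list[str]:
    """Collect every ARM expression ("[...]") nested inside an output value.

    A string starting with "[[" is an escaped literal, not an expression.
    """
    if isinstance(value, str):
        is_expr = value.startswith("[") and not value.startswith("[[") and value.endswith("]")
        return [value] if is_expr else []
    if isinstance(value, dict):
        return [e for v in value.values() for e in _expressions(v)]
    if isinstance(value, list):
        return [e for v in value for e in _expressions(v)]
    return []


def find_secret_outputs(template: dict) -> dict[str, list[str]]:
    """Map each offending output name to the reasons it is flagged."""
    secure = secure_parameters(template)
    findings: dict[str, list[str]] = {}
    for name, output in template.get("outputs", {}).items():
        reasons = []
        for expr in _expressions(output.get("value")):
            for ref in PARAM_REF.findall(expr):
                if ref.lower() in secure:
                    reasons.append(f"references secure parameter '{ref}'")
            if LIST_FUNC.search(expr):
                reasons.append("calls a list* function")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: the failing template from this page, plus a listKeys
# output and one harmless output so both flagged cases and a clean case appear.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": { "type": "secureString" },
    "storageName": { "type": "string" }
  },
  "resources": [],
  "outputs": {
    "accountPassword": { "type": "string", "value": "[parameters('adminPassword')]" },
    "storageKey": {
      "type": "string",
      "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2022-09-01').keys[0].value]"
    },
    "storageId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]"
    }
  }
}
""")


if __name__ == "__main__":
    for output_name, why in find_secret_outputs(SAMPLE_TEMPLATE).items():
        print(f"{output_name}: {'; '.join(why)}")
```

Running the script reports accountPassword and storageKey and stays silent on storageId. Bicep files can be put through the same check after compiling them to ARM JSON with `az bicep build --file main.bicep`, since `@secure()` parameters become secureString/secureObject parameters in the compiled template and `output accountPassword string = adminPassword` becomes an output expression referencing that parameter.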
