Skip to content

Secret value in deployment output#

Security · Deployment · 2022_06

Avoid outputting sensitive deployment values.

Description#

Don't include any values in an ARM template or Bicep output that could potentially expose secrets. The output from a template is stored in the deployment history, so a malicious user could find that information.

Examples of secrets are:

  • Parameters using the secureString or secureObject type.
  • Output from list* functions such as listKeys.

Recommendation#

Consider removing any output values that return secret values in code.

Examples#

Configure with Azure template#

To deploy securely pass secrets within Infrastructure as Code:

  • Define parameters with the secureString or secureObject type.
  • Avoid returning a secret in output values.

Example using secureString type:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": []
}

The following example fails because it returns a secret:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": [],
  "outputs": {
    "accountPassword": {
      "type": "string",
      "value": "[parameters('adminPassword')]"
    }
  }
}

Configure with Bicep#

To deploy securely pass secrets within Infrastructure as Code:

  • Mark secrets with the @secure() annotation.
  • Avoid returning a secret in output values.

Example using @secure() annotation:

@secure()
@description('Local administrator password for virtual machine.')
param adminPassword string

The following example fails because it returns a secret:

output accountPassword string = adminPassword

Last update: 2022-06-13