Secret value in deployment output
Security · Deployment · Rule · 2022_06 · Critical
Avoid outputting sensitive deployment values.
Description
Don't include any values in an ARM template or Bicep output that could potentially expose secrets. The output from a template is stored in the deployment history, so a malicious user could find that information.
Examples of secrets are:
- Parameters using the secureString or secureObject type.
- Output from list* functions such as listKeys.
Recommendation
Consider removing any output values that return secret values in code.
Examples
Configure with Azure template
To pass secrets securely within Infrastructure as Code:
- Define parameters with the secureString or secureObject type.
- Avoid returning a secret in output values.
Example using the secureString type:
Azure Template snippet
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": []
}
```
The following example fails because it returns a secret:
Azure Template snippet
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": [],
  "outputs": {
    "accountPassword": {
      "type": "string",
      "value": "[parameters('adminPassword')]"
    }
  }
}
```
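A small pre-deployment check for the two cases this rule describes (outputs that reference a secureString/secureObject parameter, or that call a list* function), written as an added example rather than code from PSRule for Azure. The sample template and the `find_secret_outputs` function are constructed for this illustration.

```python
import json
import re

# Constructed sample: the failing template above, plus a listKeys output and one safe output.
FAILING_TEMPLATE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {"type": "secureString"}
  },
  "resources": [],
  "outputs": {
    "accountPassword": {"type": "string", "value": "[parameters('adminPassword')]"},
    "storageKey": {"type": "string", "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'st1'), '2021-09-01').keys[0].value]"},
    "endpoint": {"type": "string", "value": "[reference('st1').primaryEndpoints.blob]"}
  }
}"""

SECURE_TYPES = {"securestring", "secureobject"}
# ARM expressions: parameters('name') and any list*( call such as listKeys( or listSecrets(.
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)", re.IGNORECASE)
LIST_CALL = re.compile(r"\blist\w*\s*\(", re.IGNORECASE)


def find_secret_outputs(template_json):
    """Return the names of outputs that expose a secure parameter or a list* result."""
    template = json.loads(template_json)
    # ARM parameter names are case-insensitive, so compare in lower case.
    secure_params = {
        name.lower()
        for name, spec in template.get("parameters", {}).items()
        if str(spec.get("type", "")).lower() in SECURE_TYPES
    }
    findings = []
    for name, spec in template.get("outputs", {}).items():
        # Serialise the whole output definition so nested object/array values are scanned too.
        text = json.dumps(spec)
        referenced = {p.lower() for p in PARAM_REF.findall(text)}
        if referenced & secure_params or LIST_CALL.search(text):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(find_secret_outputs(FAILING_TEMPLATE))  # ['accountPassword', 'storageKey']
```

The `endpoint` output is not flagged because `reference()` returns resource properties, not a secure parameter or a list* result.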
Configure with Bicep
To pass secrets securely within Infrastructure as Code:
- Mark secrets with the @secure() annotation.
- Avoid returning a secret in output values.
Example using the @secure() annotation:
Azure Bicep snippet
```bicep
@secure()
@description('Local administrator password for virtual machine.')
param adminPassword string
```
The following example fails because it returns a secret:
Links
- Pipeline secret management
- Test cases for ARM templates
- Outputs should not contain secrets
- List function