
# Securely pass secrets to Custom Script Extensions for Virtual Machine

Security · Virtual Machine · Rule · 2022_12 · Important

Custom Script Extensions scripts that reference secret values must use the protectedSettings.

## Description

Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section is rendered in clear text. To keep secret values secret, place them in the protectedSettings section instead.

## Recommendation

Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.

## Examples

### Configure with Azure template

To deploy VM extensions that pass this rule:

- Set any secure values within properties.protectedSettings.

Azure Template snippet:

```json
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "installcustomscript",
  "apiVersion": "2015-06-15",
  "location": "australiaeast",
  "properties": {
    "publisher": "Microsoft.Azure.Extensions",
    "type": "CustomScript",
    "typeHandlerVersion": "2.0",
    "autoUpgradeMinorVersion": true,
    "protectedSettings": {
      "commandToExecute": "Write-Output 'hello-world'"
    }
  }
}
```

### Configure with Bicep

To deploy VM extensions that pass this rule:

- Set any secure values within properties.protectedSettings.

Azure Bicep snippet:

```bicep
resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {
  name: 'installcustomscript'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.0'
    autoUpgradeMinorVersion: true
    protectedSettings: {
      commandToExecute: 'Write-Output "hello-world"'
    }
  }
}
```
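As an added example (not part of this rule's documentation or of PSRule itself), the following Python check scans an ARM template's resources for CustomScript extensions that put sensitive keys in `settings` rather than `protectedSettings`. The set of keys treated as sensitive and the sample template are constructed for this example.

```python
import json

# Keys the CustomScript handler accepts in either section; placing them in
# "settings" exposes their values in clear text. This key set is an
# assumption for the example, not PSRule's own list.
SENSITIVE_KEYS = {"commandToExecute", "storageAccountKey", "storageAccountName"}
EXTENSION_TYPE = "microsoft.compute/virtualmachines/extensions"


def find_exposed_script_settings(template: dict) -> list:
    """Return one finding per VM extension resource whose properties.settings
    contains a sensitive CustomScript key that belongs in protectedSettings."""
    findings = []
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != EXTENSION_TYPE:
            continue
        props = resource.get("properties", {})
        if props.get("type", "").lower() != "customscript":
            continue
        exposed = sorted(k for k in props.get("settings", {}) if k in SENSITIVE_KEYS)
        if exposed:
            findings.append({"name": resource.get("name"), "exposedKeys": exposed})
    return findings


# Constructed sample template: the first extension fails, the second passes.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Compute/virtualMachines/extensions",
     "name": "vm1/leakyscript",
     "properties": {"publisher": "Microsoft.Azure.Extensions",
                    "type": "CustomScript",
                    "settings": {"commandToExecute": "sh install.sh --token EXAMPLE-TOKEN"}}},
    {"type": "Microsoft.Compute/virtualMachines/extensions",
     "name": "vm1/installcustomscript",
     "properties": {"publisher": "Microsoft.Azure.Extensions",
                    "type": "CustomScript",
                    "protectedSettings": {"commandToExecute": "sh install.sh --token EXAMPLE-TOKEN"}}}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_exposed_script_settings(SAMPLE_TEMPLATE):
        print(f"FAIL {finding['name']}: move {finding['exposedKeys']} to protectedSettings")
```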
