Securely pass secrets to Custom Script Extensions for Virtual Machine#
Security · Virtual Machine · Rule · 2022_12 · Important
Custom Script Extensions scripts that reference secret values must use the protectedSettings.
Description#
Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.
Recommendation#
Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.
Examples#
Configure with Azure template#
To deploy VM extensions that pass this rule:
- Set any secure values within
properties.protectedSettings.
Azure Template snippet
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "installcustomscript",
"apiVersion": "2015-06-15",
"location": "australiaeast",
"properties": {
"publisher": "Microsoft.Azure.Extensions",
"type": "CustomScript",
"typeHandlerVersion": "2.0",
"autoUpgradeMinorVersion": true,
"protectedSettings": {
"commandToExecute": "Write-Output 'hello-world'"
}
}
}
Configure with Bicep#
To deploy VM extensions that pass this rule:
- Set any secure values within
properties.protectedSettings.
Azure Bicep snippet
resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {
name: 'installcustomscript'
location: location
properties: {
publisher: 'Microsoft.Azure.Extensions'
type: 'CustomScript'
typeHandlerVersion: '2.0'
autoUpgradeMinorVersion: true
protectedSettings: {
commandToExecute: 'Write-Output "hello-world"'
}
}
}
Links#
- Secure application configuration and dependencies
- Azure deployment reference
- Windows Custom Script Extensions
- Linux Custom Script Extensions