# Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets

Security · Virtual Machine Scale Sets · Rule · 2022_12 · Important

Custom Script Extension scripts that reference secret values must use `protectedSettings`.
## Description

Virtual Machine Scale Sets support running custom scripts when instances are provisioned. This can be configured through user data or the Custom Script Extension. When a template is deployed, anything placed in the extension's `settings` section is stored and returned in clear text, for example in the deployment history and in the resource's properties. Values that must stay secret belong in the `protectedSettings` section instead, which is encrypted and only decrypted on the VM instance.
## Recommendation

Consider specifying secure values within `properties.extensionProfile.extensions.protectedSettings` to avoid exposing secrets during extension deployments.
## Examples

### Configure with Azure template

To deploy VMSS extensions that pass this rule:

- Set any secure values within `properties.extensionProfile.extensions.protectedSettings`.
Azure Template snippet:

```json
"extensionProfile": {
  "extensions": [
    {
      "name": "customScript",
      "properties": {
        "publisher": "Microsoft.Compute",
        "protectedSettings": {
          "commandToExecute": "Write-Output 'example'"
        },
        "typeHandlerVersion": "1.8",
        "autoUpgradeMinorVersion": true,
        "type": "CustomScriptExtension"
      }
    }
  ]
}
```
### Configure with Bicep

To deploy VMSS extensions that pass this rule:

- Set any secure values within `properties.extensionProfile.extensions.protectedSettings`.

Azure Bicep snippet:

```bicep
extensionProfile: {
  extensions: [
    {
      name: 'customScript'
      properties: {
        publisher: 'Microsoft.Compute'
        protectedSettings: {
          commandToExecute: 'Write-Output "example"'
        }
        typeHandlerVersion: '1.8'
        autoUpgradeMinorVersion: true
        type: 'CustomScriptExtension'
      }
    }
  ]
}
```
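The following is an added example, not part of this rule page and not PSRule's own rule logic. It is a small Python check that scans an ARM template for VMSS Custom Script Extensions whose plain `settings` section carries keys that should have gone into `protectedSettings`, which is the condition the Azure template and Bicep snippets above avoid. The set of keys it treats as sensitive (`commandToExecute`, `fileUris`, `storageAccountName`, `storageAccountKey`) is chosen for this illustration, the sample template is constructed, and the `<PLACEHOLDER_TOKEN>` value is a placeholder. Full VMSS templates nest the extension profile under `properties.virtualMachineProfile`; the shortened `properties.extensionProfile` path used on this page is also accepted.

```python
import json

# Keys that, when placed under a Custom Script Extension's plain "settings",
# are stored and returned in clear text. commandToExecute and fileUris are
# accepted in either section; storageAccountName/storageAccountKey belong only
# in protectedSettings. (Set chosen for this illustration; assumption, not
# PSRule's own list.)
SENSITIVE_SETTING_KEYS = {
    "commandToExecute", "fileUris", "storageAccountName", "storageAccountKey",
}

# Both the Windows and the Linux variants of the extension are covered.
CUSTOM_SCRIPT_TYPES = {"CustomScriptExtension", "CustomScript"}

VMSS_TYPE = "microsoft.compute/virtualmachinescalesets"


def _extensions(resource):
    """Return the extension list of a VMSS resource, whether the profile is
    nested under virtualMachineProfile (full template) or directly under
    properties (the shortened path used in the rule text)."""
    props = resource.get("properties", {}) or {}
    profile = props.get("extensionProfile")
    if profile is None:
        profile = (props.get("virtualMachineProfile", {}) or {}).get("extensionProfile", {}) or {}
    return profile.get("extensions", []) or []


def find_exposed_script_settings(template):
    """Return (resource name, extension name, key) for every sensitive key found
    in a Custom Script Extension's clear-text "settings" section."""
    findings = []
    for resource in template.get("resources", []) or []:
        if (resource.get("type") or "").lower() != VMSS_TYPE:
            continue
        for ext in _extensions(resource):
            ext_props = ext.get("properties", {}) or {}
            if ext_props.get("type") not in CUSTOM_SCRIPT_TYPES:
                continue
            settings = ext_props.get("settings", {}) or {}
            for key in sorted(k for k in settings if k in SENSITIVE_SETTING_KEYS):
                findings.append((resource.get("name"), ext.get("name"), key))
    return findings


# Constructed sample template: one scale set that fails the rule (secret
# material under "settings") and one that passes (secrets under
# "protectedSettings"; "timestamp" is a non-sensitive settings key).
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "name": "vmss-fail",
      "properties": {
        "virtualMachineProfile": {
          "extensionProfile": {
            "extensions": [
              {
                "name": "customScript",
                "properties": {
                  "publisher": "Microsoft.Compute",
                  "type": "CustomScriptExtension",
                  "typeHandlerVersion": "1.8",
                  "settings": {
                    "commandToExecute": "powershell -File install.ps1 -Token <PLACEHOLDER_TOKEN>",
                    "storageAccountKey": "<PLACEHOLDER_KEY>"
                  }
                }
              }
            ]
          }
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "name": "vmss-pass",
      "properties": {
        "extensionProfile": {
          "extensions": [
            {
              "name": "customScript",
              "properties": {
                "publisher": "Microsoft.Compute",
                "type": "CustomScriptExtension",
                "typeHandlerVersion": "1.8",
                "settings": {"timestamp": 1},
                "protectedSettings": {"commandToExecute": "Write-Output 'example'"}
              }
            }
          ]
        }
      }
    }
  ]
}
""")

if __name__ == "__main__":
    for name, ext, key in find_exposed_script_settings(SAMPLE_TEMPLATE):
        print(f"{name}/{ext}: '{key}' is in settings; move it to protectedSettings")
```

Running the block reports both keys of `vmss-fail` and nothing for `vmss-pass`. The check only inspects the template; it cannot tell whether a `commandToExecute` string actually embeds a secret, so treating that key as sensitive whenever it sits outside `protectedSettings` is the conservative choice for a pre-deployment gate.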