Skip to content

Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets#

Security · Virtual Machine Scale Sets · Rule · 2022_12

Custom Script Extensions scripts that reference secret values must use the protectedSettings.

Description#

Virtual Machines Scale Sets support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.

Recommendation#

Consider specifying secure values within properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.

Examples#

To deploy VMSS extensions that pass this rule:

  • Set any secure values within properties.extensionProfile.extensions.protectedSettings

Configure with Azure template#

Azure Template snippet
"extensionProfile": {
  "extensions": [
    {
      "name": "customScript",
      "properties": {
          "publisher": "Microsoft.Compute",
          "protectedSettings": {
              "commandToExecute": "Write-Output 'example'"
          },
          "typeHandlerVersion": "1.8",
          "autoUpgradeMinorVersion": true,
          "type": "CustomScriptExtension"
      }
    }
  ]
}

Configure with Bicep#

To deploy VMSS extensions that pass this rule:

  • Set any secure values within properties.extensionProfile.extensions.protectedSettings
Azure Bicep snippet
extensionProfile: {
  extensions: [
    {
      name: 'customScript'
      properties: {
        publisher: 'Microsoft.Compute'
        protectedSettings: {
          commandToExecute: 'Write-Output "example"'
        },
        typeHandlerVersion: '1.8'
        autoUpgradeMinorVersion: true
        type: 'CustomScriptExtension'
      }
    }
  ]
}

Comments