Azure-Samples / azure-search-openai-demo-csharp

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure Cognitive Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
MIT License

KeyVault secrets are passed to module w/o `secure()` decorator. #222

Open jongio opened 11 months ago

jongio commented 11 months ago

This app creates secrets in bulk, but passes those secrets from main.bicep w/o using the secure decorator. Those secrets will therefore be in plaintext in the Azure deployment.

Add secure() here.

https://github.com/Azure-Samples/azure-search-openai-demo-csharp/blob/fb1ca3248e693ea7acb04740c97526c5a49c82eb/infra/core/security/keyvault-secrets.bicep#L3

If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.
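
As an added illustration of the per-secret route described above (example code, not code from this repository), a single-secret module whose value parameter carries `@secure()`, invoked once per secret from main.bicep. `@secure()` applies to string and object parameters, so a value that arrives through a plain `array` parameter cannot be marked secure, which is why the bulk module is the problem. The file name `keyvault-secret.bicep`, the parameter `openAiApiKey`, the secret name, and the `rg`/`keyVault` symbols are assumptions for the example.

```bicep
// ---- infra/core/security/keyvault-secret.bicep (assumed new file, one secret per module call) ----
param keyVaultName string
param name string

// The decorator keeps the value out of deployment history, logs and 'az deployment' output.
@secure()
param secretValue string

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: keyVault
  name: name
  properties: {
    value: secretValue
  }
}

// ---- main.bicep (assumed excerpt) ----
// The parameter that receives the secret must itself be @secure(); the decorator
// is not inherited from the module, so marking only the module parameter is not enough.
@secure()
param openAiApiKey string

// One module call per secret; no array of {name, value} pairs passes through an unsecured parameter.
module openAiKeySecret 'core/security/keyvault-secret.bicep' = {
  name: 'openai-api-key-secret'
  scope: rg                              // assumed resource group symbol from main.bicep
  params: {
    keyVaultName: keyVault.outputs.name  // assumed output of the Key Vault module
    name: 'AzureOpenAiApiKey'            // assumed secret name
    secretValue: openAiApiKey
  }
}
```

After deploying, `az deployment group show --name <deployment> --query properties.parameters` shows `openAiApiKey` without a value, which is the check that the secret did not land in the deployment record.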

LittleLittleCloud commented 11 months ago

[image]

LittleLittleCloud commented 11 months ago

@jongio Can you share an example on adding secure decorator to individual module?

jongio commented 11 months ago

I'd go this route:

> If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

luisquintanilla commented 10 months ago

> I'd go this route:
>
> If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

@jongio do we have a sample of this?

luisquintanilla commented 9 months ago

@LittleLittleCloud are we okay to close this one?

jongio commented 9 months ago

I'd remove "secrets" file and set each one individually so they are passed securely.