MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

SecureString used in ARM template output parameter and pass to another nested template #104994

Closed philipktlin closed 1 year ago

philipktlin commented 1 year ago

I got an error when I tried to use the secureString type as an output parameter of a nested inline template, which is then passed to another nested parameter. I found this closed issue https://github.com/MicrosoftDocs/azure-docs/issues/29578, but it doesn't help.

You may ask why not just use a reference block in the input parameter for the nested template. The reason is that the key vault information is not always provided from the inputs. Therefore I created a nested inline template that runs conditionally to get the value from the key vault secret, and originally wanted to return a secureString and pass it to another nested template. Since secureString can't be used as an output parameter, I would like to ask the questions below:

ARM template reference: https://msazure.visualstudio.com/One/_git/WindowsVirtualDesktop-Portal?path=/src/Extension/Extension/ArmTemplates/AutomatedHostpool/CreateAutomatedHostpoolTemplate.json

  1. Is there any workaround to use the secureString type for an output parameter?
  2. What are the implications if I use the string type for an output parameter instead of secureString? Any security concerns?


ManoharLakkoju-MSFT commented 1 year ago

@philipktlin Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 1 year ago

@philipktlin It would be great if you could add a link to the documentation you are following for these steps. This would help us redirect the issue to the appropriate team. Thanks!

philipktlin commented 1 year ago

I based this on this doc https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id and applied it to my scenario. The main difference in my scenario is that the key vault and secret may not be provided all the time. Please feel free to ping me and I will be happy to explain the details of my scenario. Thanks.

AnuragSingh-MSFT commented 1 year ago

@philipktlin thank you for sharing this feedback.

@mumian, can you please review this question and share your thoughts? Thank you

tfitzmac commented 1 year ago

@philipktlin - using a string output is not secure. The value would be visible to anyone who can see the deployment history.

philipktlin commented 1 year ago

@tfitzmac does this scenario make sense to you? Or is there any other workaround? Thanks.

tfitzmac commented 1 year ago

Could you use a nested template with scope set to inner that has a secureString for the password? Otherwise, I don't think there is a secure way of passing the value.
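The pattern suggested above, written out as an added example (not from this thread or the azure-docs repository): the outer template declares the nested `Microsoft.Resources/deployments` resource with `expressionEvaluationOptions.scope` set to `inner`, resolves the Key Vault secret in the nested deployment's `parameters` block, and the inner template receives it as a `securestring` that never appears in any `outputs`. The `condition` covers the case raised in the issue where the vault and secret are not always supplied. Parameter names (`vaultName`, `secretName`, `sqlServerName`, `adminPassword`), the `sqlServerFromKeyVault` deployment name, the `sqladmin` login and the choice of a SQL server as the consuming resource are all assumptions made for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": { "type": "string", "defaultValue": "" },
    "vaultResourceGroupName": { "type": "string", "defaultValue": "[resourceGroup().name]" },
    "vaultSubscription": { "type": "string", "defaultValue": "[subscription().subscriptionId]" },
    "secretName": { "type": "string", "defaultValue": "" },
    "sqlServerName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-10-01",
      "name": "sqlServerFromKeyVault",
      "condition": "[and(not(empty(parameters('vaultName'))), not(empty(parameters('secretName'))))]",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "sqlServerName": { "value": "[parameters('sqlServerName')]" },
          "location": { "value": "[parameters('location')]" },
          "adminPassword": {
            "reference": {
              "keyVault": {
                "id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
              },
              "secretName": "[parameters('secretName')]"
            }
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "sqlServerName": { "type": "string" },
            "location": { "type": "string" },
            "adminPassword": { "type": "securestring" }
          },
          "resources": [
            {
              "type": "Microsoft.Sql/servers",
              "apiVersion": "2021-11-01",
              "name": "[parameters('sqlServerName')]",
              "location": "[parameters('location')]",
              "properties": {
                "administratorLogin": "sqladmin",
                "administratorLoginPassword": "[parameters('adminPassword')]"
              }
            }
          ],
          "outputs": {
            "sqlServerFqdn": {
              "type": "string",
              "value": "[reference(parameters('sqlServerName')).fullyQualifiedDomainName]"
            }
          }
        }
      }
    }
  ]
}
```

Two points to check when adapting this: the Key Vault reference is only valid inside the `parameters` block of a deployment resource, which is why the secret is resolved there and not inline in a resource property, and the vault must have `enabledForTemplateDeployment` set to `true`. Because deployment outputs are stored in plain text in the deployment history (the risk stated above), the inner template outputs only the server FQDN; any further nested template that needs the same secret should receive it through its own Key Vault `reference` block rather than through an output.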

philipktlin commented 1 year ago

I will get the value outside the ARM template as a workaround, but I think it is a valid scenario to support the secureString type in nested templates. Thanks.