MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Admin password in deployment.template.json #28831

Closed StefanSchoof closed 5 years ago

StefanSchoof commented 5 years ago

Under Build and push images, point 3 says I have to add my ACR admin account information into this file. How secure is this? If I understand correctly, these are the credentials that the devices are using to get images. Can every admin on a device read these values (and afterwards upload an evil image)? Why does this have to be the admin account? Is there any advice on how to store this file without credentials in source control?



AshokPeddakotla-MSFT commented 5 years ago

@StefanSchoof Thanks for the feedback! We are currently investigating and will update you shortly.

asergaz commented 5 years ago

I have assigned the issue to the content author to evaluate and update as appropriate.

erich-wang commented 5 years ago

@StefanSchoof , for your questions:

  1. We're developing the feature to support env variables in deployment.template.json, so that you can set your password as env variables and there is no need to check the password into source control.
  2. What do you mean by "admin on a device"? If you mean the user who has the device connection string, then you don't need to worry, because the user could not get this info from the device connection string.

shizn commented 5 years ago

@StefanSchoof Thanks for the feedback. We are thinking of improving this on the IoT Edge runtime side. I created an issue in the iotedge repo to track this: https://github.com/Azure/iotedge/issues/1055.

asergaz commented 5 years ago

Thanks @shizn . @StefanSchoof please follow-up on the related issue at iotedge repo. The documentation will be updated when the new feature is implemented. Thank you!

StefanSchoof commented 5 years ago

Thanks for all the answers. @erich-wang If someone with the connection string can get the ACR admin password, are the following things possible?

  1. E extracts one connection string (takes control over one device, gets physical access and takes the hard disk...)
  2. We upload a new version x
  3. E sees the new version and uploads a new version x with added malware
  4. All iotedge devices are getting the new malware version of x from now on

erich-wang commented 5 years ago

Actually, iotedge supports service principal based auth for ACR, which means you could provide a service principal that has only limited permission instead of admin when creating the deployment for the edge device; you may refer to manage access to your container registry.

StefanSchoof commented 5 years ago

Thanks. I think this part of the documentation needs a fat red warning that this is insecure in a production use case.

StefanSchoof commented 5 years ago

@erich-wang You say:

> We're developing the feature to support env variables in deployment.template.json, so that you can set your password as env variables and there is no need to check the password into source control.

In which step would this be done? If this replacement is done in the "Build module images" step in the build, the secret would be part of the build artifact. I had written a PowerShell script taking a secret var in Azure DevOps and writing it into the JSON directly before the "Deploy to IoT Edge devices" step.
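To illustrate the deploy-time approach discussed in this thread (keep only placeholders in the checked-in deployment.template.json, substitute the registry credentials from environment variables immediately before deployment, and use a limited-permission service principal rather than the ACR admin account), here is an added example. It is not code from the thread, from the azure-docs repository or from the IoT Edge tooling. The `registryCredentials` path follows the IoT Edge deployment manifest layout; the `$CONTAINER_REGISTRY_*` placeholder names, the `$VAR` / `${VAR}` placeholder syntax and the sample manifest are constructed for this example and are assumptions. The script refuses to proceed if any registry password in the template is a literal value, so a password accidentally committed to source control is caught before it reaches devices.

```python
"""Resolve IoT Edge registry credentials from the environment at deploy time.

Added example (not from the thread or the repository). Assumptions:
  - placeholders use $VAR or ${VAR} form (constructed convention for this example);
  - the placeholder names CONTAINER_REGISTRY_USERNAME_<reg> /
    CONTAINER_REGISTRY_PASSWORD_<reg> are constructed for this example.
"""
import json
import os
import re
import sys
from typing import Dict, List

# Constructed sample template: credentials are placeholders, never literals.
SAMPLE_TEMPLATE = """
{
  "modulesContent": {
    "$edgeAgent": {
      "properties.desired": {
        "schemaVersion": "1.0",
        "runtime": {
          "type": "docker",
          "settings": {
            "minDockerVersion": "v1.25",
            "registryCredentials": {
              "myacr": {
                "address": "myacr.azurecr.io",
                "username": "$CONTAINER_REGISTRY_USERNAME_myacr",
                "password": "$CONTAINER_REGISTRY_PASSWORD_myacr"
              }
            }
          }
        },
        "systemModules": {},
        "modules": {}
      }
    }
  }
}
"""

# Matches a whole-field placeholder such as $NAME or ${NAME}.
PLACEHOLDER = re.compile(r"^\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?$")


def registry_credentials(manifest: dict) -> dict:
    """Return the registryCredentials object of an IoT Edge deployment manifest."""
    settings = (manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
                ["runtime"]["settings"])
    return settings.get("registryCredentials", {})


def find_literal_secrets(manifest: dict) -> List[str]:
    """Names of registries whose password is a literal rather than a placeholder.

    A non-empty result means a secret was committed into the template.
    """
    return [name for name, cred in registry_credentials(manifest).items()
            if not PLACEHOLDER.match(cred.get("password", ""))]


def resolve_credentials(template_text: str, env: Dict[str, str]) -> dict:
    """Parse the template, reject literal passwords, fill placeholders from env.

    Raises ValueError for a committed literal password and KeyError for a
    placeholder with no matching environment variable (fail closed: a
    deployment must never go out with an unresolved or hardcoded credential).
    """
    manifest = json.loads(template_text)
    leaked = find_literal_secrets(manifest)
    if leaked:
        raise ValueError(f"literal password in template for registries: {leaked}")
    for name, cred in registry_credentials(manifest).items():
        for field in ("username", "password"):
            match = PLACEHOLDER.match(cred.get(field, ""))
            if match is None:
                continue  # literal username is allowed; password was checked above
            var = match.group(1)
            if var not in env:
                raise KeyError(f"{var} is not set; cannot resolve {field} for {name}")
            cred[field] = env[var]
    return manifest


if __name__ == "__main__":
    # Usage: python resolve_creds.py deployment.template.json > deployment.json
    # Run in the deploy stage, so the rendered manifest never lands in a build artifact.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_TEMPLATE
    print(json.dumps(resolve_credentials(text, dict(os.environ)), indent=2))
```

In a pipeline this runs in the deploy stage rather than the build stage, with the service principal's application id and secret supplied as pipeline secret variables; the rendered `deployment.json` is passed straight to the deployment step and not published as an artifact. Because the template check runs before substitution, a literal password pasted into the template fails the deployment instead of being shipped.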