johnnyreilly / blog.johnnyreilly.com

This is the source code for https://johnnyreilly.com
MIT License

ConnectionString as output param is secure? #479

Open patelriki13 opened 1 year ago

patelriki13 commented 1 year ago

I read your article https://johnnyreilly.com/output-connection-strings-and-keys-from-azure-bicep and it's good, but I have a question: is passing ConnectionString as an output param a secure way?

I found two ways to do it. I am just adding details for your reference; you may already know them.

option 1:

listKeys(resourceId('Microsoft.EventHub/namespaces/authorizationRules', eventHubNamespace, eventHubListenPolicy), '2021-11-01').primaryConnectionString

option 2:

resource rule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2022-01-01-preview' existing = {
  name: '${eventHubNS}/${eventHubName}/${eventHubSendPolicyName}'
}

rule.listkeys().primaryConnectionString

If not secure, then can you please update your blog?

Ref: azure-quickstart-templates

johnnyreilly commented 1 year ago

Yup I agree it's less secure - see the second paragraph:

Please note that exporting keys / connection strings etc from Bicep / ARM templates is generally considered to be a less secure approach. This is because these values will be visible inside the deployments section of the Azure Portal. Anyone who has access to this will be able to see them. An alternative approach would be permissioning our pipeline to access the resources directly.
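As an added example (not part of the thread or the blog's own code), the check below reads a compiled ARM template, which is what a Bicep file becomes after `bicep build`, and flags outputs that would put a secret into the deployment record described above. The function name, the sample template and its parameter and output names are constructed for illustration.

```python
import json
import re

# ARM list* functions (listKeys, listkeys, listAccountSas, ...) return secrets.
LIST_CALL = re.compile(r"\blist[A-Za-z]*\s*\(", re.IGNORECASE)
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)", re.IGNORECASE)
SECURE_TYPES = {"securestring", "secureobject"}


def secret_outputs(template: dict) -> dict:
    """Map each risky output name to the reason it was flagged."""
    secure_params = {
        name.lower()
        for name, spec in template.get("parameters", {}).items()
        if spec.get("type", "").lower() in SECURE_TYPES
    }
    findings = {}
    for name, spec in template.get("outputs", {}).items():
        # Serialise so object and array outputs are searched as well.
        expr = json.dumps(spec.get("value", ""))
        if LIST_CALL.search(expr):
            findings[name] = "calls a list* function"
        elif any(p.lower() in secure_params for p in PARAM_REF.findall(expr)):
            findings[name] = "echoes a secure parameter"
    return findings


# Constructed sample: the first output is the compiled form of "option 1".
SAMPLE = {
    "parameters": {
        "eventHubNamespace": {"type": "string"},
        "eventHubListenPolicy": {"type": "string"},
        "adminPassword": {"type": "securestring"},
    },
    "outputs": {
        "connectionString": {
            "type": "string",
            "value": "[listKeys(resourceId('Microsoft.EventHub/namespaces/authorizationRules', "
                     "parameters('eventHubNamespace'), parameters('eventHubListenPolicy')), "
                     "'2021-11-01').primaryConnectionString]",
        },
        "password": {"type": "string", "value": "[parameters('adminPassword')]"},
        "namespaceName": {"type": "string", "value": "[parameters('eventHubNamespace')]"},
    },
}

if __name__ == "__main__":
    for output, reason in secret_outputs(SAMPLE).items():
        print(f"{output}: {reason}")
```

The Bicep linter rule `outputs-should-not-contain-secrets` covers the same ground at authoring time; a script like this is useful for auditing templates that are already compiled or were written directly as ARM JSON.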