-
Notifications
You must be signed in to change notification settings - Fork 731
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
@secure() cannot be used with user defined type parameters #11082
Comments
The prohibition on using As far as defining a type and then making a usage thereof @secure()
param properties {
foo: string?
} = {} In the next release, you will also be able to define a type as secure and then use it in @secure()
type propertiesType = {
foo: string?
}
param properties propertiesType = {} |
Something like the following example is not working with AZ Powershell type propertiesType = {
@secure()
foo: string
} When the args are passed to bicep the following message is thrown:
As a workaround, I had to default to the default |
@rmjoia How is the |
It's a regular secure string passed from the az powershell command mentioned, something along the lines of Powershell File $templateFile = Join-Path $PSScriptRoot -ChildPath "infrastructure.bicep"
$adminUsername = "adminUsername" | ConvertTo-SecureString -AsPlainText
$adminPassword = ".$.S0M3R4nD0MPwd#%" | ConvertTo-SecureString -AsPlainText
$virtualMachine = @{
Name = 'VMName'
AdminUsername = $adminUsername
AdminPassword = $adminPassword
VmSize = 'Standard_E8_v5'
}
New-AzResourceGroupDeployment -Mode Incremental `
-TemplateFile $templateFile `
-Vm $virtualMachine `
Bicep file type vmSize = 'Standard_E8_v5' | 'Standard_E8s_v5' | 'Standard_E16_v5' | 'Standard_E16s_v5' | 'Standard_E32_v5' | 'Standard_E32s_v5'
type virtualMachine = {
name: string
@secure()
adminUsername: string
@secure()
adminPassword: string
vmSize: vmSize
}
param vm virtualMachine
module resourceVMs 'module.bicep' = [for vm in vms: {
name: vm.name
params: {
location: location
adminUsername: vm.adminUsername
adminPassword: vm.adminPassword
vmSize: vm.vmSize
}
}]
Something like this... I had to cut some bits and pieces for brevity and to remove the specifics of the project... It's something related with the datatype. if it's a string works fine.. it can't be a Anyways, I tried also to decorate the whole type as |
@rmjoia I believe the error you're seeing is caused by how the Az powershell module is serializing aggregate values: Would you mind if I move this discussion to a separate issue? This is not related to the feature request by @Kittoes0124 |
Sure, please do. Thank you |
Did you find a resolution to this? We are having the same issue. |
No, the issue seems to be indeed powershell serialisation. My team decided not to use user defined types and we're passing the secure strings separately as parameters... |
@Teeekzy / @rmjoia -- just FWIW, per this comment, the .NET (and correspondingly PowerShell) team does not recommend using SecureString. |
Thank you Alex. It's not a want, it's a need... but if the team has a
better way to pass secrets as params to bicep without the risk of exposing
them I'm interested to learn.
Cheers
…On Tue 26 Mar 2024, 14:24 Alex Frankel, ***@***.***> wrote:
@Teeekzy <https://github.com/Teeekzy> / @rmjoia
<https://github.com/rmjoia> -- just FWIW, per this comment
<#12481 (comment)>,
the .NET (and correspondingly PowerShell) team does not recommend using
SecureString.
—
Reply to this email directly, view it on GitHub
<#11082 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABXTC3GQRW2GD4DLONGOQWDY2GAJXAVCNFSM6AAAAAAZUWFCIWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRQGU3TEOBVHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
This is independent of bicep. The right way to pass a secret to a bicep deployment is using As I understand the issue you are facing is that using SecureString in powershell is causing some sort of serialization issue, but the .NET time recommends not using the type. Reading this page closer, my read is that it is essentially giving you a false sense of security: |
hey @alex-frankel, first of all, I would like to thank you for your time and support. I agree with all that, I also know that SecureStrings don't exist as OS Concept.. but they exist as a powershell one :) Actually, even though it might not be reccomended now, I used it on .net Framework on many occasions in the past. The issue arises when using Powershell (Az CLI) to provision resources in Azure and trying to use bicep, hence why I raised the issue here. However, regardless of the .Net Core team saying it shouldn't be used and it's not reccomended when porting to .Net Core... We're using the "vanilla" Az CLI, with Powershell Core and Bicep... and this is a valid (and supported to some extent) concept. PowerShell has tools to convert strings to SecureString and Vice-Versa, so, I would say it's a valid concept on that domain. Also, we can pass SecureString's as Params perfectly from PowerShell to Bicep, and Bicep handles them like a pro! That said, even though the argument that it shouldn't be used in .net core (.Net 5+) is valid, has nothing to do with what we're doing here, and until there's a better way to do it, people will have to use it, because it's the only way (as far as I know) to pass secrets from powershell to bicep without exposing their values. One can argue that you shouldn't pass secrets as args, you can access an existing azure kv and retrieve the secret directly on bicep.. and that might be the "best practice" however, while PowerShell supports using, generating, etc.. SecureStrings, people will keep using it. Seems that there is a misaligment between the PowerShell team and the .Net Core... because... if we're not supposed to use it, PowerShell should remove it's support for it and update the documentation accordingly... This is not about security, it's just that, PowerShell doesn't output the values of SecureStrings, they are masked/removed on output.. I hope this makes sense. |
Thanks for the extra clarification. I discussed with the PowerShell team their current stance on supporting SecureString and given they support it, I've reopened #12481. Sorry for the spam on this issue as it is unrelated to the recent discussion, but wanted to close the loop here. |
Could you clarify this a bit? There are SecureStrings in PowerShell ( |
This is not about preventing output. That part is already working fine. The issue is that passing secureString from powerShell to bicep only work as arguments to powershell functions. If you use a PSObject, or a bicep user defined type, there will be a parsing error. Apparently that was suggested as an issue on the way Powershell parses the SecureString. |
Bicep version
Bicep CLI version 0.18.4 (1620479)
Describe the bug
User defined types are unable to be defined as secure parameters.
To Reproduce
The text was updated successfully, but these errors were encountered: