Securely pass secrets to Custom Script Extensions for Virtual Machine

March 21, 2025

SYNOPSIS

Custom Script Extensions scripts that reference secret values must use the protectedSettings.

DESCRIPTION

Virtual Machines can run custom scripts at launch, configured either through user data or a Custom Script Extension. When the template is rendered, everything in the extension's settings section is rendered in clear text. Values that must stay secret belong in the protectedSettings section instead.

RECOMMENDATION

Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.
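The following is an added example, not part of this rule page or PSRule's own code: a small Python check that walks the resources of an ARM template (including extensions nested under a virtual machine), picks out CustomScript extensions, and reports any sensitive key found in the clear-text settings block rather than in protectedSettings. The set of keys treated as sensitive and the sample template are assumptions constructed for the example.

```python
import json

# CustomScript extension keys that routinely carry secrets (inline commands,
# storage credentials). Treating exactly these as sensitive is an assumption
# of this example, not the rule's own definition.
SENSITIVE_KEYS = {"commandToExecute", "storageAccountKey", "storageAccountName"}

EXTENSION_TYPE = "microsoft.compute/virtualmachines/extensions"
CUSTOM_SCRIPT_PUBLISHERS = {"microsoft.azure.extensions", "microsoft.compute"}
CUSTOM_SCRIPT_TYPES = {"customscript", "customscriptextension"}


def iter_resources(resources):
    """Yield every resource, descending into nested 'resources' arrays."""
    for resource in resources or []:
        yield resource
        yield from iter_resources(resource.get("resources"))


def is_custom_script_extension(resource):
    """True for a VM extension resource whose handler is CustomScript."""
    if resource.get("type", "").lower() != EXTENSION_TYPE:
        return False
    props = resource.get("properties") or {}
    return (props.get("publisher", "").lower() in CUSTOM_SCRIPT_PUBLISHERS
            and props.get("type", "").lower() in CUSTOM_SCRIPT_TYPES)


def find_exposed_settings(template):
    """Return (resource name, key) pairs where a sensitive key sits in plain settings."""
    findings = []
    for resource in iter_resources(template.get("resources")):
        if not is_custom_script_extension(resource):
            continue
        settings = (resource.get("properties") or {}).get("settings") or {}
        for key in sorted(settings):
            if key in SENSITIVE_KEYS:
                findings.append((resource.get("name", "<unnamed>"), key))
    return findings


def check_template_json(text):
    """Parse an ARM template from JSON text and run the check on it."""
    return find_exposed_settings(json.loads(text))


# Constructed sample template: one failing and one passing extension.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            # FAIL: the inline command (which may embed a credential) is in
            # clear-text settings.
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "vm1/installcustomscript",
            "properties": {
                "publisher": "Microsoft.Azure.Extensions",
                "type": "CustomScript",
                "settings": {
                    "fileUris": ["https://example.invalid/setup.sh"],
                    "commandToExecute": "sh setup.sh <PLACEHOLDER_TOKEN>",
                },
            },
        },
        {
            # PASS: same extension with the command moved to protectedSettings.
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "vm2/installcustomscript",
            "properties": {
                "publisher": "Microsoft.Azure.Extensions",
                "type": "CustomScript",
                "settings": {"fileUris": ["https://example.invalid/setup.sh"]},
                "protectedSettings": {"commandToExecute": "sh setup.sh <PLACEHOLDER_TOKEN>"},
            },
        },
    ]
}

if __name__ == "__main__":
    for name, key in find_exposed_settings(SAMPLE_TEMPLATE):
        print(f"{name}: move '{key}' from settings to protectedSettings")
```

Keys such as fileUris are left in settings on purpose: they are not secret by themselves, and keeping them visible does not weaken the deployment. Only the keys that can carry a credential are moved into protectedSettings.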

EXAMPLES

Configure with Azure template

To deploy VM extensions that pass this rule:

  • Set any secure values within properties.protectedSettings.

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "installcustomscript",
  "apiVersion": "2015-06-15",
  "location": "australiaeast",
  "properties": {
    "publisher": "Microsoft.Azure.Extensions",
    "type": "CustomScript",
    "typeHandlerVersion": "2.0",
    "autoUpgradeMinorVersion": true,
    "protectedSettings": {
        "commandToExecute": "Write-Output 'hello-world'"
    }
  }
}

Configure with Bicep

To deploy VM extensions that pass this rule:

  • Set any secure values within properties.protectedSettings.

resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {
  name: 'installcustomscript'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.0'
    autoUpgradeMinorVersion: true
    protectedSettings: {
        commandToExecute: 'Write-Output "hello-world"'
    }
  }
}