Securely pass secrets to Custom Script Extensions for Virtual Machine
March 21, 2025
SYNOPSIS
Custom Script Extensions scripts that reference secret values must use the protectedSettings.
DESCRIPTION
Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section is rendered in clear text. To keep secret values secret, place them in the protectedSettings section instead.
RECOMMENDATION
Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.
EXAMPLES
Configure with Azure template
To deploy VM extensions that pass this rule:
- Set any secure values within properties.protectedSettings.
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "installcustomscript",
  "apiVersion": "2015-06-15",
  "location": "australiaeast",
  "properties": {
    "publisher": "Microsoft.Azure.Extensions",
    "type": "CustomScript",
    "typeHandlerVersion": "2.0",
    "autoUpgradeMinorVersion": true,
    "protectedSettings": {
      "commandToExecute": "Write-Output 'hello-world'"
    }
  }
}
Configure with Bicep
To deploy VM extensions that pass this rule:
- Set any secure values within properties.protectedSettings.
resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {
  name: 'installcustomscript'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.0'
    autoUpgradeMinorVersion: true
    protectedSettings: {
      commandToExecute: 'Write-Output "hello-world"'
    }
  }
}
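As an added example (not PSRule's own implementation of this rule), the following script scans a rendered ARM template and reports Custom Script extensions that place a secret-bearing key such as commandToExecute in the clear-text settings block rather than protectedSettings. The list of keys treated as secret-bearing and the sample template are constructed assumptions; only top-level resources with the fully-qualified extension type are inspected.

```python
# Keys that expose secrets when placed under settings (constructed list, an
# assumption for this example; extend it for other extension publishers).
SECRET_KEYS = {"commandToExecute", "storageAccountKey"}
EXTENSION_TYPE = "Microsoft.Compute/virtualMachines/extensions"


def find_exposed_settings(template: dict) -> list:
    """Return 'resourceName:key' for each CustomScript extension whose
    clear-text settings block carries a key that belongs in protectedSettings."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != EXTENSION_TYPE:
            continue
        props = res.get("properties") or {}
        if props.get("type") != "CustomScript":
            continue
        settings = props.get("settings") or {}
        for key in sorted(k for k in settings if k in SECRET_KEYS):
            findings.append(f"{res.get('name', '<unnamed>')}:{key}")
    return findings


# Constructed sample: the first extension fails the rule, the second passes.
SAMPLE_TEMPLATE = {"resources": [
    {"type": EXTENSION_TYPE, "name": "bad-script",
     "properties": {"publisher": "Microsoft.Azure.Extensions", "type": "CustomScript",
                    "settings": {"commandToExecute": "sh install.sh <placeholder-token>"}}},
    {"type": EXTENSION_TYPE, "name": "installcustomscript",
     "properties": {"publisher": "Microsoft.Azure.Extensions", "type": "CustomScript",
                    "settings": {"fileUris": ["https://example.invalid/install.sh"]},
                    "protectedSettings": {"commandToExecute": "sh install.sh"}}},
]}

if __name__ == "__main__":
    for finding in find_exposed_settings(SAMPLE_TEMPLATE):
        print("clear-text secret in settings:", finding)
```

Non-secret inputs such as fileUris may stay in settings; the check only flags the keys that would leak a command line or storage key when the template is rendered.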