Handle Sensitive Data in DSC Deployments

Qi-Jian-Huang-DevOps 171 Reputation points
2023-02-14T19:45:32.3566667+00:00
Hi,

I have a Bicep/DSC deployment that needs to set up a failover cluster and the storage account cluster quorum witness.

For setting up the storage account witness, I need to pass in the storage account key as a 'String'. That seems insecure to me; is there a better way to approach this?

Example:

In Bicep, I have the storage account key passed in as 'Protected Arguments':

protectedSettings: {
  configurationArguments: {
    StorageAccountAccessKey: listKeys(storageAccount.id, storageAccount.apiVersion).keys[0].value
  }
}

Then in the DSC configuration, I have to accept this parameter as a 'String' and use it in the following DSC resource, where I am able to print the parameter out on screen as plain text, which is not as secure as I wanted.

ClusterQuorum SetQuorumToNodeAndCloudMajority {
    IsSingleInstance        = 'Yes'
    Type                    = 'NodeAndCloudMajority'
    Resource                = $StorageAccountName
    StorageAccountAccessKey = $StorageAccountAccessKey
}

Thanks in advance to anyone who has a better solution to hide the sensitive data.

2 answers

  1. Limitless Technology 44,751 Reputation points
    2023-02-16T11:00:31.3+00:00
    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.
    
    Storing sensitive data in plain text is not a secure way of handling secrets, especially if you plan to store the Bicep code in source control. Instead, you can use Azure Key Vault to securely store and retrieve your storage account access key.
    
    Here's how you can modify your deployment to use Azure Key Vault:
    
    Create an Azure Key Vault instance in the same region as your storage account.
    
    Create a secret in the key vault and set its value to your storage account access key.
    
    In your Bicep code, use the azurerm_key_vault_secret resource to retrieve the access key from the key vault:
    
    // Bicep reads a Key Vault secret with getSecret() on a reference to the existing vault.
    // The value may only be passed to a module parameter marked @secure(), and the vault
    // must have enabledForTemplateDeployment set to true.
    resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
      name: 'my-key-vault'
    }
    
    module dscVm './dsc-vm.bicep' = {   // placeholder path for the module that deploys the DSC extension
      name: 'dsc-vm'
      params: {
        storageAccountAccessKey: kv.getSecret('my-storage-account-key')
      }
    }
    
    Modify your DSC configuration to accept the azurerm_key_vault_secret resource as an input parameter, instead of the plain text access key:
    
    configuration MyConfig {
        param (
            [Parameter(Mandatory)]
            [pscredential]
            $Credential,
            [Parameter(Mandatory)]
            [string]
            $StorageAccountName,
            # Accept the key as a SecureString (what Get-AzKeyVaultSecret returns) rather than a plain [object].
            [Parameter(Mandatory)]
            [securestring]
            $StorageAccountAccessKey
        )
        
        Import-DscResource -ModuleName FailoverClusterDsc
        
        Node localhost {
            ClusterQuorum SetQuorumToNodeAndCloudMajority {
                IsSingleInstance        = 'Yes'
                Type                    = 'NodeAndCloudMajority'
                Resource                = $StorageAccountName
                # The resource property is a String, so the SecureString is unwrapped only here.
                # The compiled MOF will still contain the key in clear text.
                StorageAccountAccessKey = [System.Net.NetworkCredential]::new('', $StorageAccountAccessKey).Password
            }
        }
    }
    
    $cred = Get-Credential
    # SecretValue is already a SecureString; the SecretValueText property no longer exists in Az.KeyVault.
    $keyVaultSecret = Get-AzKeyVaultSecret -VaultName 'my-key-vault' -Name 'my-storage-account-key'
    
    MyConfig -Credential $cred -StorageAccountName 'my-storage-account' -StorageAccountAccessKey $keyVaultSecret.SecretValue
    
    By using Azure Key Vault, you can ensure that your secrets are securely stored and retrieved during the deployment process.
    
    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
    
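The question's ClusterQuorum resource with the key accepted as a PSCredential instead of a plain string, as an added example that is not code from either post. It assumes the FailoverClusterDsc module and the Azure DSC extension's convention of passing a PSCredential argument in protectedSettings as an object with UserName and Password members; the configuration name and the placeholder user name are invented.

```powershell
configuration ClusterCloudWitness {
    param (
        [Parameter(Mandatory)]
        [string]
        $StorageAccountName,

        # PSCredential instead of [string]: the DSC extension encrypts PSCredential arguments
        # it finds in protectedSettings, and writing the object to the console (Write-Host,
        # Write-Verbose) shows the type and user name, not the key.
        [Parameter(Mandatory)]
        [PSCredential]
        $StorageAccountAccessKey
    )

    Import-DscResource -ModuleName FailoverClusterDsc

    Node localhost {
        ClusterQuorum SetQuorumToNodeAndCloudMajority {
            IsSingleInstance        = 'Yes'
            Type                    = 'NodeAndCloudMajority'
            Resource                = $StorageAccountName
            # The resource property is a String, so the key is unwrapped only here, at the
            # point of use. The compiled MOF on the node still holds it in clear text (DSC
            # encrypts only PSCredential-typed resource properties), so treat it as exposed
            # to local administrators and rotate the key once the cluster is built.
            StorageAccountAccessKey = $StorageAccountAccessKey.GetNetworkCredential().Password
        }
    }
}

# Bicep side (assumed shape, not from the original post): the PSCredential parameter is
# supplied in protectedSettings.configurationArguments as an object, so the key never
# appears in the unencrypted settings block or in deployment output:
#   StorageAccountAccessKey: {
#     UserName: 'storage-key'   // placeholder, not used by the configuration
#     Password: listKeys(storageAccount.id, storageAccount.apiVersion).keys[0].value
#   }
```

Keeping the argument in protectedSettings is what stops it from being logged by the deployment; the PSCredential type only limits accidental exposure inside the configuration script.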

  2. Limitless Technology 44,751 Reputation points
    2023-02-16T11:01:48.08+00:00

    Double post

