Do you have plaintext passwords in your Azure deployments?


If you are developing deployments for Azure you will encounter situations where you need to use passwords and other data that needs to stay hidden. Azure has plenty of facilities for this, but sometimes people can be tempted to take shortcuts. So, for one of the projects I'm involved in there was a suspicion that not everyone had been diligent. I wrote a quick PowerShell script to walk through all deployments looking for parameters named *secret* or *password* whose type is not "SecureString". This script iterates over all subscriptions that the current credentials have permissions for, and over all resource groups. It would be easy enough to modify the script for more selective filtering.

Get-AzureRmSubscription | ForEach-Object {
    $subscriptionname = $_.Name
    # Switch the current context to this subscription before listing its resource groups
    $_ | Select-AzureRmSubscription | Out-Null
    Write-Verbose "- processing subscription $subscriptionname"
    Get-AzureRmResourceGroup | ForEach-Object {
        $rgname = $_.ResourceGroupName
        Write-Verbose "-- query deployments for RG $rgname"
        $deployments = Get-AzureRmResourceGroupDeployment -ResourceGroupName $rgname
        $deployments | ForEach-Object {
            $deployment = $_
            # -match on the key collection returns the parameter names containing "password" or "secret" (case-insensitive)
            if ($keynames = $deployment.Parameters.Keys -match "(password)|(secret)")
            {
                $keynames | ForEach-Object {
                    $type = $deployment.Parameters.$_.Type
                    $value = $deployment.Parameters.$_.Value
                    # Any type other than SecureString is stored, and returned by the API, in plaintext
                    if ($type -ne "SecureString")
                    {
                        Write-Verbose "--- found non-secure password field(s) among keys $($keynames -join ',')"
                        [pscustomobject] @{
                            Subscription = $subscriptionname
                            RG = $rgname
                            Deploymentname = $deployment.DeploymentName
                            PasswordFieldName = $_
                            PasswordFieldType = $type
                            PasswordFieldValue = $value
                            TimeStamp = $deployment.Timestamp
                        }
                    }
                }
            }
        }
    }
}

The script assumes that authentication has already happened; if not, just run Add-AzureRmAccount first. The output is an object that you could pipe to Out-GridView or Export-Csv.

Fair warning: the output of this script could contain plaintext passwords...
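As an added example (not the original post's script), here is the same scan written for the current Az module (Get-AzSubscription, Set-AzContext, Get-AzResourceGroup, Get-AzResourceGroupDeployment instead of the AzureRm cmdlets), with the detection logic split into its own function so it can be exercised offline against a constructed deployment object. It never emits the plaintext value; it reports the value's length and a truncated SHA-256 fingerprint instead, which is enough to spot the same password reused across deployments without putting the password itself into a CSV or a grid view. The function names, the parameter names and the sample deployment are my own assumptions; an existing Connect-AzAccount session is assumed for the live run.

```powershell
# Added example, not the original post's script. Assumes the Az.Accounts and
# Az.Resources modules and an existing Connect-AzAccount session; function and
# parameter names are my own.

function Get-InsecureSecretParameter {
    # Inspect one deployment object and emit a finding for every secret-looking
    # parameter whose type is not SecureString. The plaintext value is never
    # emitted; a truncated SHA-256 fingerprint allows reuse to be spotted.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Deployment,           # PSResourceGroupDeployment or a look-alike object
        [string] $Subscription = '',
        [string] $NamePattern = '(password)|(secret)' # same name filter as the original script
    )
    if (-not $Deployment.Parameters) { return }       # deployments with no parameters at all
    foreach ($key in $Deployment.Parameters.Keys) {
        if ($key -notmatch $NamePattern) { continue }  # -notmatch is case-insensitive by default
        $param = $Deployment.Parameters[$key]
        if ($param.Type -eq 'SecureString') { continue }
        $value = [string]$param.Value
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $hash  = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($value))
        $hex   = ([System.BitConverter]::ToString($hash)) -replace '-', ''
        [pscustomobject]@{
            Subscription     = $Subscription
            ResourceGroup    = $Deployment.ResourceGroupName
            DeploymentName   = $Deployment.DeploymentName
            ParameterName    = $key
            ParameterType    = $param.Type
            ValueLength      = $value.Length
            ValueFingerprint = $hex.Substring(0, 12)   # enough to correlate reuse, not to recover the value
            Timestamp        = $Deployment.Timestamp
        }
    }
}

function Find-InsecureSecretParameter {
    # Walk every subscription and resource group the current account can see.
    [CmdletBinding()]
    param([string] $NamePattern = '(password)|(secret)')
    Get-AzSubscription | ForEach-Object {
        $sub = $_
        Set-AzContext -Subscription $sub.Id | Out-Null
        Write-Verbose "- processing subscription $($sub.Name)"
        Get-AzResourceGroup | ForEach-Object {
            $rgname = $_.ResourceGroupName
            Write-Verbose "-- query deployments for RG $rgname"
            Get-AzResourceGroupDeployment -ResourceGroupName $rgname |
                ForEach-Object {
                    Get-InsecureSecretParameter -Deployment $_ -Subscription $sub.Name -NamePattern $NamePattern
                }
        }
    }
}

# Constructed sample deployment so the detection logic can be tried without an Azure session.
$sample = [pscustomobject]@{
    ResourceGroupName = 'rg-demo'
    DeploymentName    = 'webapp-demo'
    Timestamp         = Get-Date
    Parameters        = @{
        adminPassword = [pscustomobject]@{ Type = 'String';       Value = 'not-a-real-password' }
        sqlSecret     = [pscustomobject]@{ Type = 'SecureString'; Value = $null }
        siteName      = [pscustomobject]@{ Type = 'String';       Value = 'contoso' }
    }
}
Get-InsecureSecretParameter -Deployment $sample -Subscription 'sub-demo' | Format-Table
# Only adminPassword is reported: sqlSecret is a SecureString and siteName does not match the name filter.

# Live run, writing the findings (no plaintext values) to a CSV for follow-up:
# Find-InsecureSecretParameter -Verbose | Export-Csv -Path .\insecure-parameters.csv -NoTypeInformation
```

Keeping the per-deployment check in a separate function means the name filter and type check can be tested against synthetic input before the script is pointed at real subscriptions, and the fingerprint column lets the findings be shared with the teams that own the deployments without the report itself becoming a secret.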

Comments (2)

    1. True, there are passwords in there as well, but it’s not the same thing. It’s still not great, but it’s sort of inevitable. What I try to do is to get passwords that are used during deployment of the service, in your case: a web app.
